Hack in it . com (Just Rock n Roll), a blog by vineethv2. Post of 2008-09-30: Reverse path forwarding (RPF)
<p><b>Reverse path forwarding (RPF)</b> is a technique used in modern <a href="http://en.wikipedia.org/wiki/Router" title="Router">routers</a> to ensure loop-free forwarding of multicast packets in <a href="http://en.wikipedia.org/wiki/Multicast" title="Multicast">multicast</a> <a href="http://en.wikipedia.org/wiki/Routing" title="Routing">routing</a> and to help prevent <a href="http://en.wikipedia.org/wiki/IP_address_spoofing" title="IP address spoofing">IP address spoofing</a> in <a href="http://en.wikipedia.org/wiki/Unicast" title="Unicast">unicast</a> routing.</p> <p><a name="Multicast_RPF" id="Multicast_RPF"></a></p> <h2><span class="mw-headline">Multicast RPF</span></h2> <p>Multicast RPF, usually denoted simply as RPF, is used in conjunction with multicast routing protocols such as <a href="http://en.wikipedia.org/wiki/Multicast_Source_Discovery_Protocol" title="Multicast Source Discovery Protocol">MSDP</a> and <a href="http://en.wikipedia.org/wiki/Sparse_multicast" title="Sparse multicast" class="mw-redirect">PIM-SM</a> to ensure loop-free forwarding of multicast packets. In multicast routing the decision to forward traffic is based on the source address, not on the destination address as in unicast routing. The check consults either a dedicated multicast routing table or the router's ordinary unicast routing table.</p> <p>When a multicast packet arrives on an interface, the router looks up its route to the packet's source address, i.e. it checks the reverse path of the packet. If the best route to the source points back out of the interface the packet arrived on, the RPF check passes and the packet is forwarded to all other interfaces that have receivers for this multicast group; otherwise the packet is dropped. The forwarding decision is thus based on the reverse path of the packet rather than the forward path: an RPF router forwards a packet only if it arrived on the interface the router would itself use to reach the source, which breaks any loop.</p> <p>This is critically important in redundant multicast topologies. Because the same multicast packet could reach the same router via multiple interfaces, RPF checking must be integral to the decision to forward packets or not. 
If a router forwarded every packet arriving on interface A out of interface B, and every packet arriving on interface B out of interface A, and both interfaces received the same packet, the result would be a classic <a href="http://en.wikipedia.org/wiki/Routing_loop" title="Routing loop" class="mw-redirect">routing loop</a> in which the packets circulate in both directions until their IP <a href="http://en.wikipedia.org/wiki/Time_to_live" title="Time to live">TTLs</a> expire. Even allowing for TTL expiry, routing loops of every kind are best avoided, since they cause at least temporary network degradation.</p> <p><a name="Unicast_RPF_.28uRPF.29" id="Unicast_RPF_.28uRPF.29"></a></p> <h2><span class="mw-headline">Unicast RPF (uRPF)</span></h2> <p>uRPF, as defined in <a href="http://tools.ietf.org/html/rfc3704" class="external" title="http://tools.ietf.org/html/rfc3704">RFC 3704</a>, is an evolution of the idea that traffic from known invalid source networks should not be accepted on interfaces from which it could never legitimately have originated. The original form, the ingress filtering described in <a href="http://tools.ietf.org/html/rfc2827" class="external" title="http://tools.ietf.org/html/rfc2827">RFC 2827</a> (BCP 38), is to accept a packet on a customer-facing interface only if its source address lies within the prefixes assigned to that customer, which among other things drops packets sourced from <a href="http://tools.ietf.org/html/rfc1918" class="external" title="http://tools.ietf.org/html/rfc1918">RFC 1918</a> private addresses. For most organizations it is reasonable simply to disallow propagation of private addresses on their networks unless they are explicitly in use. 
This is a great benefit to the internet backbone, since blocking packets with obviously bogus source addresses cuts down on the IP address spoofing commonly used in <a href="http://en.wikipedia.org/wiki/DoS" title="DoS" class="mw-redirect">DoS</a> and <a href="http://en.wikipedia.org/wiki/DDoS" title="DDoS" class="mw-redirect">DDoS</a> attacks and in network scanning to obscure the source of the scan.</p> <p>uRPF extends this idea considerably by using knowledge every router must already have to do its job, its <a href="http://en.wikipedia.org/wiki/Routing_table" title="Routing table">routing table</a>, to restrict further the source addresses that should be seen on an interface. A packet is forwarded only if it arrived on the interface that the router's best route to the packet's source address points to, ensuring that:</p> <ol><li>Packets coming into an interface come from (potentially) valid hosts, as indicated by the corresponding entry in the routing table.</li><li>Packets with source addresses that could <i>not</i> be reached via the input interface can be dropped without disrupting normal use, as they are probably from a misconfigured or malicious source.</li></ol> <p>Where routing is symmetric, i.e. forward and reverse traffic follow the same path, and on terminal networks with only one link, this is a safe assumption and uRPF can be deployed with little fear of problems. It is particularly useful on router interfaces that face singly homed networks and terminal subnets, because there symmetric routing is guaranteed. 
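The multicast RPF decision from the first section and the strict uRPF check just described, as an added example written for this page rather than code from the article or from any router vendor: a toy routing table with longest-prefix match, the multicast forwarding decision, and a uRPF check in strict mode and in the loose mode that RFC 3704 also defines, including the default-route caveat raised further down in this section. Interface names, prefixes (RFC 5737 documentation ranges) and packets are constructed for the example.

```python
"""Reverse-path checks on a toy router: the multicast RPF forwarding
decision and unicast RPF (uRPF) in the strict and loose modes of RFC 3704.

Added example, not from the article. The interface names, prefixes and
packets below are constructed; the prefixes are RFC 5737 documentation
ranges."""
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Unicast FIB as (prefix, egress interface) pairs; longest prefix wins."""

    def __init__(self, routes):
        self.routes = [(ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Best route to addr as (prefix, iface), or None if there is none."""
        a = ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def multicast_rpf_forward(fib, in_iface, src, group_members):
    """Multicast RPF: replicate the packet only if it arrived on the
    interface the router itself would use to reach its source; any other
    copy (a loop, or a redundant path) is dropped and None is returned."""
    route = fib.lookup(src)
    if route is None or route[1] != in_iface:
        return None
    return sorted(i for i in group_members if i != in_iface)


def urpf_check(fib, in_iface, src, mode="strict", ignore_default=True):
    """Unicast RPF on an ingress packet.
    strict: the best route back to src must point out of in_iface.
    loose : any route to src suffices (tolerates asymmetric paths).
    ignore_default: a match on 0.0.0.0/0 does not count, since a default
    route would make every source address 'reachable' and the check vacuous."""
    route = fib.lookup(src)
    if route is None:
        return False                      # no route back: bogon or spoof
    net, egress = route
    if ignore_default and net.prefixlen == 0:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == in_iface
    raise ValueError("mode must be 'strict' or 'loose'")


# Constructed edge-router FIB: default route to the ISP on eth0, two
# singly homed customer subnets on eth1 and eth2.
FIB = RoutingTable([
    ("0.0.0.0/0", "eth0"),
    ("198.51.100.0/24", "eth1"),
    ("203.0.113.0/24", "eth2"),
])
GROUP_MEMBERS = {"eth0", "eth1", "eth2"}      # interfaces with receivers


def demo():
    """Constructed packets run through both checks."""
    return {
        # multicast source behind eth1: the copy arriving on eth1 is replicated...
        "mcast_pass": multicast_rpf_forward(FIB, "eth1", "198.51.100.7", GROUP_MEMBERS),
        # ...and the same packet looping back in on eth2 is dropped
        "mcast_loop": multicast_rpf_forward(FIB, "eth2", "198.51.100.7", GROUP_MEMBERS),
        # strict uRPF on a customer port: the customer's own prefix passes
        "strict_pass": urpf_check(FIB, "eth1", "198.51.100.7"),
        # that customer spoofing the other customer's address is dropped
        "strict_spoof": urpf_check(FIB, "eth1", "203.0.113.9"),
        # loose mode only asks whether any route exists, so the spoof passes
        "loose_spoof": urpf_check(FIB, "eth1", "203.0.113.9", mode="loose"),
        # RFC 1918 source from upstream with no specific route: dropped
        "loose_bogon": urpf_check(FIB, "eth0", "10.1.2.3", mode="loose"),
        # counting the default route makes the check on eth0 accept anything
        "default_vacuous": urpf_check(FIB, "eth0", "10.1.2.3", ignore_default=False),
    }
```

Cisco IOS exposes the same two modes per interface as `ip verify unicast source reachable-via rx` (strict) and `reachable-via any` (loose), with the `allow-default` keyword needed before the default route counts, which is what `ignore_default=True` models here; OpenBSD pf drops failures with `block in quick from urpf-failed`.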
Applying uRPF as close as possible to the real source of traffic has a further benefit: spoofed traffic is stopped before it can consume internet bandwidth or reach a router that is not configured for RPF and would forward it.</p> <p>Unfortunately, on the larger internet backbone routing is often asymmetric, and the routing table cannot be relied upon to name the path a source would take to reach the router. Routing tables specify the best forward path, and only in the symmetric case does that equal the best reverse path. Because such asymmetry is common, anyone deploying uRPF must be aware of where it can exist, to avoid accidentally filtering legitimate traffic.</p> <p><a href="http://tools.ietf.org/html/rfc3704" class="external" title="http://tools.ietf.org/html/rfc3704">RFC 3704</a> gives more detail on how to extend the most basic check, "the best route to this source address must point out of the input interface", known as Strict Reverse Path Forwarding, to more relaxed variants (Feasible Path RPF, which also accepts alternative, non-best routes, and Loose RPF, which only requires that some route to the source exist) that remain useful while tolerating at least some asymmetry.</p> <p>As a final note, a device using a default route cannot usefully apply strict uRPF on the interface the default route points to unless the implementation is told to ignore the default route: otherwise every source address would be accepted on that interface and uRPF would accomplish even less than <a href="http://tools.ietf.org/html/rfc2827" class="external" title="http://tools.ietf.org/html/rfc2827">RFC 2827</a> filtering.</p> <p><a name="Unicast_RPF_confusion" id="Unicast_RPF_confusion"></a></p> <h2><span class="mw-headline">Unicast RPF confusion</span></h2> <p>RPF is often incorrectly expanded as Reverse Path Filtering, particularly in the context of unicast routing. 
This is an understandable misreading of the acronym: when RPF is used with unicast routing, as in <a href="http://tools.ietf.org/html/rfc3704" class="external" title="http://tools.ietf.org/html/rfc3704">RFC 3704</a>, traffic is either permitted or denied according to whether the RPF check passes or fails. The thinking is that traffic failing the check is denied and therefore filtered; per <a href="http://tools.ietf.org/html/rfc3704" class="external" title="http://tools.ietf.org/html/rfc3704">RFC 3704</a>, however, the correct reading is that traffic is <b>forwarded</b> if it passes the RPF check. Examples of the proper usage can be seen in documents by <a href="http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-interfaces/html/interfaces-family-config15.html" class="external text" title="http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-interfaces/html/interfaces-family-config15.html" rel="nofollow">Juniper</a>, <a href="http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html" class="external text" title="http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html" rel="nofollow">Cisco</a> and <a href="http://www.openbsd.org/faq/pf/filter.html#urpf" class="external text" title="http://www.openbsd.org/faq/pf/filter.html#urpf" rel="nofollow">OpenBSD</a>, and above all in <a href="http://tools.ietf.org/html/rfc3704" class="external" title="http://tools.ietf.org/html/rfc3704">RFC 3704</a> itself, which defines the use of RPF with unicast.</p> <p>So while uRPF is used as an ingress <b>filtering</b> mechanism, the decision it makes is a reverse path <b>forwarding</b> check.</p> <p><a name="External_links" id="External_links"></a></p> <h2><span class="mw-headline">External links</span></h2> <ul><li><a href="http://tools.ietf.org/html/rfc2827" class="external" title="http://tools.ietf.org/html/rfc2827">RFC 2827</a></li><li><a href="http://tools.ietf.org/html/rfc3704" 
class="external" title="http://tools.ietf.org/html/rfc3704">RFC 3704</a></li><li><a href="http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-interfaces/html/interfaces-family-config15.html" class="external text" title="http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-interfaces/html/interfaces-family-config15.html" rel="nofollow">Juniper - Configuring uRPF</a></li><li><a href="http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html" class="external text" title="http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html" rel="nofollow">Cisco - Understanding uRPF</a></li><li><a href="http://www.openbsd.org/faq/pf/filter.html#urpf" class="external text" title="http://www.openbsd.org/faq/pf/filter.html#urpf" rel="nofollow">OpenBSD - Enabling uRPF in pf</a></li><li><a href="http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-routing-vol1/html/ip-multicast-config7.html#120398" class="external text" title="http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-routing-vol1/html/ip-multicast-config7.html#120398" rel="nofollow">Juniper Networks on multicast RPF</a></li></ul> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/Reverse_path_forwarding">http://en.wikipedia.org/wiki/Reverse_path_forwarding</a>"</div>
Post of 2008-09-30 by vineethv2: Cryptographic hash function
<p>A <b><a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">cryptographic</a> <a href="http://en.wikipedia.org/wiki/Hash_function" title="Hash function">hash function</a></b> is a transformation that takes an input (or "message") of any length and returns a fixed-size string, called the <b>hash value</b> (also termed a <b>message digest</b>, a <b>digital fingerprint</b>, a <b>digest</b> or, loosely, a <b>checksum</b>). An ideal hash function has three main properties: it is cheap to compute the hash of any given data; it is <a href="http://en.wikipedia.org/wiki/Computational_complexity_theory#Intractability" title="Computational complexity theory">computationally infeasible</a> to find a message that has a given hash; and it is computationally infeasible to find two different messages, however similar, that have the same hash.</p> <p>Functions with these properties are used for a variety of purposes, both within and outside cryptography. Practical applications include <a href="http://en.wikipedia.org/wiki/Message_integrity" title="Message integrity" class="mw-redirect">message integrity</a> checks, <a href="http://en.wikipedia.org/wiki/Digital_signature" title="Digital signature">digital signatures</a>, <a href="http://en.wikipedia.org/wiki/Authentication" title="Authentication">authentication</a>, and various <a href="http://en.wikipedia.org/wiki/Information_security" title="Information security">information security</a> applications. 
A hash can also act as a concise representation of the message or document from which it was computed, and allows easy identification of duplicate or unique data files.</p> <p>In various standards and applications, the two most commonly used hash functions are <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a> and <a href="http://en.wikipedia.org/wiki/SHA-1" title="SHA-1" class="mw-redirect">SHA-1</a> (other well known hash functions are <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#List_of_cryptographic_hash_functions" title="">listed below</a>). In 2004 and 2005 collision attacks were published against both: practical collisions for MD5, and an attack on SHA-1 far faster than the generic birthday bound, indicating that a stronger hash function would be desirable. In 2007 the <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> announced a competition to design a hash function which will be given the name <a href="http://en.wikipedia.org/wiki/SHA_hash_functions#SHA-3" title="SHA hash functions">SHA-3</a> and be the subject of a <a href="http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard" title="Federal Information Processing Standard">FIPS</a> standard.<sup id="cite_ref-0" class="reference"><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_note-0" title="">[1]</a></sup></p> <p><a name="Overview" id="Overview"></a></p> <h2><span class="mw-headline">Overview</span></h2> <div class="thumb tright"> <div class="thumbinner" style="width: 332px;"><a href="http://en.wikipedia.org/wiki/Image:Hash_function_long.svg" class="image" title="Even small changes in the source input drastically change the resulting output, also known as the avalanche effect."><img alt="Even small changes in the source input drastically change the resulting output, also known as the avalanche effect." src="http://upload.wikimedia.org/wikipedia/commons/thumb/6/6b/Hash_function_long.svg/330px-Hash_function_long.svg.png" class="thumbimage" width="330" border="0" height="211" /></a> <div class="thumbcaption"> Even small changes in the source input drastically change the resulting output, also known as the <a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">avalanche effect</a>.</div> </div> </div> <p>A hash function takes a <a href="http://en.wikipedia.org/wiki/String_%28computer_science%29" title="String (computer science)">string</a> of any length as input and produces a fixed-length string which acts as a kind of "fingerprint" of the data provided. Someone who knows only the hash cannot work out the original message, while someone who knows the original message can show that the hash was computed from it, and finding any other message with the same hash should be infeasible. 
A cryptographic hash function should behave as much as possible like a <a href="http://en.wikipedia.org/wiki/Random_function" title="Random function">random function</a> while still being <a href="http://en.wikipedia.org/wiki/Deterministic_algorithm" title="Deterministic algorithm">deterministic</a> and efficiently computable.</p> <p>A cryptographic hash function is considered "insecure" from a cryptographic point of view if either of the following is computationally feasible:</p> <ul><li>finding a (previously unseen) message that matches a given digest;</li><li>finding "<a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">collisions</a>", that is, two different messages with the same message digest.</li></ul> <p>An attacker who can do either of these things might, for example, use the ability to substitute an unauthorized message for an authorized one.</p> <p>Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor should an <a href="http://en.wikipedia.org/wiki/Adversary_%28cryptography%29" title="Adversary (cryptography)">attacker</a> be able to learn anything useful about a message given only its digest. Of course the attacker learns at least one piece of information, the digest itself, which for instance lets the attacker recognise the same message should it occur again.</p> <p><a name="Related_algorithms" id="Related_algorithms"></a></p> <h2><span class="mw-headline">Related algorithms</span></h2> <p><a href="http://en.wikipedia.org/wiki/Checksum" title="Checksum">Checksums</a> and <a href="http://en.wikipedia.org/wiki/Cyclic_redundancy_check" title="Cyclic redundancy check">cyclic redundancy checks</a> (CRCs) are quite distinct from cryptographic hash functions and are used for different purposes. 
If used for security they are vulnerable to attack: for example, a CRC was used for message integrity in the <a href="http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy" title="Wired Equivalent Privacy">WEP</a> encryption standard, but an attack was readily found that exploited the linearity of the checksum, allowing an attacker to flip chosen bits in an encrypted frame and correct the checksum without knowing the key.</p> <p>A <a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">message authentication code</a> (MAC) takes a message and a secret key and produces a "MAC tag", such that it is difficult for an attacker to produce a valid (message, tag) pair other than ones they have already seen; MACs are used to prevent attackers from forging messages, among other uses. Though sometimes referred to as a "keyed hash function", a MAC serves a very different purpose and has very different security properties from a cryptographic hash function; for example, it is not considered a flaw if someone who knows the MAC key can easily produce two messages with the same MAC. Hash functions can be used to build MAC functions; see for example <a href="http://en.wikipedia.org/wiki/HMAC" title="HMAC">HMAC</a>.</p> <p><a name="Cryptographic_properties" id="Cryptographic_properties"></a></p> <h2><span class="mw-headline">Cryptographic properties</span></h2> <p>There is no formal definition which captures all of the properties considered desirable for a cryptographic hash function. 
The properties below are generally considered prerequisites:</p> <ul><li><i><a href="http://en.wikipedia.org/wiki/Preimage_attack" title="Preimage attack">Preimage resistant</a></i> (see <i><a href="http://en.wikipedia.org/wiki/One_way_function" title="One way function" class="mw-redirect">one way function</a></i> for a related but slightly different property): given <i>h</i> it should be hard to find any <i>m</i> such that <i>h</i> = hash(<i>m</i>).</li><li><i><a href="http://en.wikipedia.org/wiki/Preimage_attack" title="Preimage attack">Second preimage resistant</a></i>: given an input <i>m</i><sub>1</sub>, it should be hard to find another input <i>m</i><sub>2</sub> (not equal to <i>m</i><sub>1</sub>) such that hash(<i>m</i><sub>1</sub>) = hash(<i>m</i><sub>2</sub>). This property is implied by collision resistance. Second preimage resistance is sometimes referred to as <a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">weak collision resistance</a>.</li><li><i><a href="http://en.wikipedia.org/wiki/Collision_attack" title="Collision attack" class="mw-redirect">Collision-resistant</a></i>: it should be hard to find two different messages <i>m</i><sub>1</sub> and <i>m</i><sub>2</sub> such that hash(<i>m</i><sub>1</sub>) = hash(<i>m</i><sub>2</sub>). Because of the <a href="http://en.wikipedia.org/wiki/Birthday_attack" title="Birthday attack">birthday attack</a>, an <i>n</i>-bit digest offers only about 2<sup><i>n</i>/2</sup> work against collisions, so the output must be at least twice as long as what preimage resistance alone would require. This property is sometimes referred to as <a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">strong collision resistance</a>.</li></ul> <p>A hash function meeting these criteria may still have undesirable properties. 
For instance, many popular hash functions are vulnerable to <i>length-extension</i> attacks: given <i>h</i>(<i>m</i>) and len(<i>m</i>) but not <i>m</i>, an attacker can compute <i>h</i>(<i>m</i> || pad(<i>m</i>) || <i>m'</i>) for any <i>m'</i> of their choosing, where <i>||</i> denotes <a href="http://en.wikipedia.org/wiki/Concatenation" title="Concatenation">concatenation</a> and pad(<i>m</i>) is the padding the hash function itself appends to <i>m</i>. This breaks naive authentication schemes that tag a message with <i>h</i>(<i>key</i> || <i>message</i>). The <a href="http://en.wikipedia.org/wiki/HMAC" title="HMAC">HMAC</a> construction works around these problems.</p> <p>It is, however, a common misconception that the "one-wayness" of a cryptographic hash function requires every internal step of the computation to be irreversible, and that this somehow contradicts the principles used to construct block ciphers. In the MDx and SHA families the core of the compression function is an invertible, block-cipher-like transformation of the state in which the message block plays the role of the key; the previous chaining value is then added to the result (the feed-forward), and it is this addition that makes the compression function one-way. The security requirement mirrors that of a block cipher: just as it must be impossible to recover the key that maps a block A to a block B faster than brute force, it must be impossible to recover a message block that maps one chaining value to another faster than brute force. Iterated block ciphers and hash functions whose message blocks are the size of those ciphers' keys are therefore near-identical constructions with the roles of key and data swapped. All the published attacks against the MDx and SHA families exploit local collisions in the processing of the data block. 
The local collisions introduced by the final feed-forward addition can also be exploited by these attacks.</p> <p><a name="Applications" id="Applications"></a></p> <h2><span class="mw-headline">Applications</span></h2> <p>A typical use of a cryptographic hash would be as follows: <a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Alice</a> poses a tough maths problem to <a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Bob</a> and claims she has solved it. Bob would like to try it himself, but wants to be sure that Alice is not bluffing. Alice therefore writes down her solution, appends a random <a href="http://en.wikipedia.org/wiki/Cryptographic_nonce" title="Cryptographic nonce">nonce</a>, computes the hash of the result and tells Bob the hash value (keeping the solution and nonce secret). When Bob comes up with the solution himself a few days later, Alice can prove that she had it earlier by revealing the solution and the nonce to Bob, who recomputes the hash. (This is a simple <a href="http://en.wikipedia.org/wiki/Commitment_scheme" title="Commitment scheme">commitment scheme</a>; in practice Alice and Bob are usually computer programs, and the secret is something less easily spoofed than a claimed puzzle solution. The nonce is what keeps the commitment hiding: without it, Bob could simply hash candidate solutions until one matched.)</p> <p>Another important application of secure hashes is verification of <a href="http://en.wikipedia.org/wiki/Message_integrity" title="Message integrity" class="mw-redirect">message integrity</a>. 
Determining whether any changes have been made to a message (or a <a href="http://en.wikipedia.org/wiki/Computer_file" title="Computer file">file</a>), for example, can be accomplished by comparing message digests calculated before and after transmission (or any other event), provided the reference digest itself reaches the verifier over a trusted channel.</p> <p>A message digest can also serve as a means of reliably identifying a file; several <a href="http://en.wikipedia.org/wiki/Source_Code_Management" title="Source Code Management" class="mw-redirect">source code management</a> systems, including <a href="http://en.wikipedia.org/wiki/Git_%28software%29" title="Git (software)">Git</a>, <a href="http://en.wikipedia.org/wiki/Mercurial_%28software%29" title="Mercurial (software)">Mercurial</a> and <a href="http://en.wikipedia.org/wiki/Monotone_%28software%29" title="Monotone (software)">Monotone</a>, use the <a href="http://en.wikipedia.org/wiki/Sha1sum" title="Sha1sum">sha1sum</a> of various kinds of content (file content, directory trees, ancestry information, etc.) to identify them uniquely.</p> <p>A related application is <a href="http://en.wikipedia.org/wiki/Password" title="Password">password</a> verification. Passwords are usually not stored in <a href="http://en.wikipedia.org/wiki/Cleartext" title="Cleartext">cleartext</a>, for obvious reasons, but in digest form. To authenticate a user, the password presented is hashed and compared with the stored digest. This is sometimes referred to as <a href="http://en.wikipedia.org/wiki/One-way_encryption" title="One-way encryption">one-way encryption</a>. A plain digest of the password is not enough in practice: because hash functions are fast and passwords have low entropy, an attacker holding the digests can test guesses at enormous rates, and identical passwords produce identical digests. The stored value should therefore be derived with a per-user random salt and a deliberately slow password hashing function.</p> <p>For both security and performance reasons, most <a href="http://en.wikipedia.org/wiki/Digital_signature" title="Digital signature">digital signature</a> algorithms specify that only the digest of the message be "signed", not the entire message. 
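The password check described above, as an added example that is not code from the article: the plain-digest scheme the paragraph describes, a precomputed-table attack against it, and the salted, slow-KDF variant beside it. The password list and records are constructed; PBKDF2-HMAC-SHA256 from Python's hashlib stands in for whichever password hashing function a deployment chooses, and ITERATIONS is an assumed value.

```python
"""Password verification: the plain-digest scheme beside a salted,
deliberately slow KDF.

Added example, not code from the article. The password list and records
are constructed; ITERATIONS is an assumption to be tuned per deployment."""
import hashlib
import hmac
import os


# --- as described in the text: store hash(password), compare on login ------
def naive_store(password):
    return hashlib.sha1(password.encode()).hexdigest()


def naive_verify(password, stored):
    return hmac.compare_digest(naive_store(password), stored)


def crack_naive(stored, guesses):
    """Unsalted fast hash: one precomputed table of common passwords
    recovers every user who chose one of them, at zero cost per user."""
    table = {naive_store(g): g for g in guesses}      # built once, reused forever
    return table.get(stored)


# --- hardened: per-user random salt plus a slow key-derivation function ----
ITERATIONS = 600_000      # assumption: tune so one verification costs ~100 ms


def kdf_store(password, iterations=ITERATIONS, salt=None):
    """Record format algorithm$iterations$salt_hex$dk_hex, so the parameters
    can be raised later without invalidating existing records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password, record):
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:                                 # malformed record
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)           # constant-time compare


def crack_kdf(record, guesses):
    """With a salt no table can be precomputed: every guess must be run
    through the KDF for this one record, paying the full cost each time."""
    for g in guesses:
        if kdf_verify(g, record):
            return g
    return None


COMMON = ["123456", "password", "hunter2", "letmein"]   # constructed list


def demo(iterations=1000):
    """Constructed run; the small iteration count only keeps the demo quick."""
    naive_rec = naive_store("hunter2")
    kdf_rec = kdf_store("hunter2", iterations)
    return {
        "naive_accepts": naive_verify("hunter2", naive_rec),
        "naive_cracked": crack_naive(naive_rec, COMMON),       # table hit
        "kdf_accepts": kdf_verify("hunter2", kdf_rec),
        "kdf_rejects": kdf_verify("hunter3", kdf_rec),
        "kdf_records_differ": kdf_store("hunter2", iterations) != kdf_rec,
        "kdf_cracked": crack_kdf(kdf_rec, COMMON),             # still found, but per-record work
        "kdf_rejects_malformed": kdf_verify("hunter2", "garbage"),
    }
```

The salt does not stop an attacker from guessing a weak password; it stops the guesses from being amortised across users, and the iteration count makes each guess expensive. Both records are compared with `hmac.compare_digest` so that the comparison's running time does not leak how many leading bytes matched.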
Hash functions can also be used in the generation of <a href="http://en.wikipedia.org/wiki/Pseudorandom" title="Pseudorandom" class="mw-redirect">pseudorandom</a> bits.</p> <p><a href="http://en.wikipedia.org/wiki/SHA-1" title="SHA-1" class="mw-redirect">SHA-1</a>, <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a> and <a href="http://en.wikipedia.org/wiki/RIPEMD-160" title="RIPEMD-160" class="mw-redirect">RIPEMD-160</a> were among the most commonly used message digest algorithms as of 2005. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of later algorithms derived from them, in particular SHA-1 (a strengthened version of SHA-0) and RIPEMD-128 and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD is widely used, since both were replaced by their strengthened versions. In February 2005, an attack on SHA-1 was reported that finds collisions in about 2<sup>69</sup> hash operations, rather than the 2<sup>80</sup> expected for a 160-bit hash function; in August 2005, another attack on SHA-1 was reported that finds collisions in 2<sup>63</sup> operations.</p> <p>Hashes are used to identify files on <a href="http://en.wikipedia.org/wiki/Peer-to-peer" title="Peer-to-peer">peer-to-peer</a> <a href="http://en.wikipedia.org/wiki/Filesharing" title="Filesharing" class="mw-redirect">filesharing</a> networks. For example, in an <a href="http://en.wikipedia.org/wiki/Ed2k_link" title="Ed2k link" class="mw-redirect">ed2k link</a>, an <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a>-variant hash is combined with the file size, providing sufficient information for locating file sources, downloading the file and verifying its contents. <a href="http://en.wikipedia.org/wiki/Magnet_URI_scheme" title="Magnet URI scheme">Magnet links</a> are another example. 
Such file hashes are often the top hash of a <a href="http://en.wikipedia.org/wiki/Hash_list" title="Hash list">hash list</a> or a <a href="http://en.wikipedia.org/wiki/Hash_tree" title="Hash tree">hash tree</a>, which allows individual pieces of the file to be verified as they arrive rather than only once the whole download is complete.</p> <p><a name="Merkle-Damg.C3.A5rd_construction" id="Merkle-Damg.C3.A5rd_construction"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Merkle-Damgård construction</span></h2> <dl><dd> <div class="noprint relarticle mainarticle"><i>Main article: <a href="http://en.wikipedia.org/wiki/Merkle-Damg%C3%A5rd_construction" title="Merkle-Damgård construction">Merkle-Damgård construction</a></i></div> </dd></dl> <div class="thumb tright"> <div class="thumbinner" style="width: 402px;"><a href="http://en.wikipedia.org/wiki/Image:Merkle-Damgard_hash_big.svg" class="image" title="The Merkle-Damgård hash construction."><img alt="The Merkle-Damgård hash construction." src="http://upload.wikimedia.org/wikipedia/commons/thumb/e/ed/Merkle-Damgard_hash_big.svg/400px-Merkle-Damgard_hash_big.svg.png" class="thumbimage" width="400" border="0" height="187" /></a> <div class="thumbcaption"> The Merkle-Damgård hash construction.</div> </div> </div> <p>A hash function must be able to process an arbitrary-length message into a fixed-length output. This can be achieved by breaking the input up into a series of equal-sized blocks, and operating on them in sequence using a <a href="http://en.wikipedia.org/wiki/One-way_compression_function" title="One-way compression function">one-way compression function</a>. The compression function can either be specially designed for hashing or be built from a block cipher. 
A hash function built with the Merkle-Damgård construction is as resistant to collisions as its compression function: any collision for the full hash function can be traced back to a collision in the compression function.</p> <p>The last block processed should also be unambiguously <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" title="Padding (cryptography)">length padded</a>; this is crucial to the security of this construction. This construction is called the <a href="http://en.wikipedia.org/wiki/Merkle-Damg%C3%A5rd_construction" title="Merkle-Damgård construction">Merkle-Damgård construction</a>. Most widely used hash functions, including <a href="http://en.wikipedia.org/wiki/SHA-1" title="SHA-1" class="mw-redirect">SHA-1</a> and <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a>, take this form. One consequence of the construction is that the final chaining value is the output itself: anyone who knows H(m) and the length of m can resume the iteration and compute H(m || pad || m') for a chosen m' without knowing m. Hashing a secret key as a prefix, H(key || m), therefore does not give a secure message authentication code; HMAC is used instead.</p> <p><a name="Hash_functions_based_on_block_ciphers" id="Hash_functions_based_on_block_ciphers"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Hash functions based on block ciphers</span></h2> <dl><dd> <div class="noprint relarticle mainarticle"><i>Main article: <a href="http://en.wikipedia.org/wiki/One-way_compression_function" title="One-way compression function">One-way compression function</a></i></div> </dd></dl> <p>There are several methods to use a <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block cipher</a> to build a cryptographic hash function. The methods resemble the <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" title="Block cipher modes of operation">block cipher modes of operation</a> usually used for encryption. 
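Both constructions described above, the Merkle-Damgård iteration over a compression function and a compression function built from a block cipher, worked as an added example (this is not code from the original article): SHA-1 written so that the pieces are visible. The 80-round function is treated as a block cipher keyed by the message block (this is the SHACAL-1 cipher named later on this page), the compression function is its Davies-Meyer feed-forward (SHA-1 adds the old state mod 2<sup>32</sup> where the textbook construction uses XOR), and the outer loop is the Merkle-Damgård iteration with length padding. The same code then shows the security consequence of outputting the final chaining value: given SHA-1(secret || m) and the length of secret || m, an attacker forges SHA-1(secret || m || pad || m') without the secret, which is why HMAC rather than a secret-prefix hash is used for message authentication. The secret, message and suffix are constructed demo values.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def shacal1_encrypt(key_block, plaintext_state):
    """SHA-1's 80-round function viewed as a block cipher (SHACAL-1): the
    512-bit message block is the key, the 160-bit chaining value the plaintext."""
    w = list(struct.unpack(">16I", key_block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = plaintext_state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return (a, b, c, d, e)


def davies_meyer(state, block):
    """Compression function H_i = E_{m_i}(H_{i-1}) (+) H_{i-1}.  The feed-forward of
    the old state is what makes the step one-way (without it the inverse cipher would
    undo it); SHA-1 uses addition mod 2^32 where textbook Davies-Meyer uses XOR."""
    return tuple((x + y) & MASK32 for x, y in zip(state, shacal1_encrypt(block, state)))


def md_padding(total_len):
    """Merkle-Damgård strengthening: a 0x80 byte, zeros up to 56 mod 64, then the
    64-bit big-endian bit length of the whole message."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg, state=SHA1_IV, prior_len=0):
    """Merkle-Damgård iteration.  `state` and `prior_len` let a caller resume from a
    known chaining value, which is exactly what the attacker below does."""
    data = msg + md_padding(prior_len + len(msg))
    for off in range(0, len(data), 64):
        state = davies_meyer(state, data[off:off + 64])
    return struct.pack(">5I", *state)


def length_extend(digest, known_len, suffix):
    """Given SHA-1(P) and len(P), but not P itself, return the glue padding and
    SHA-1(P || glue || suffix)."""
    glue = md_padding(known_len)
    state = struct.unpack(">5I", digest)
    return glue, sha1(suffix, state=state, prior_len=known_len + len(glue))


def prefix_mac_forgery_works(secret, msg, suffix):
    """Naive tag = SHA-1(secret || msg).  The attacker sees only the tag, guesses
    len(secret), and produces a tag that verifies for msg || glue || suffix."""
    tag = sha1(secret + msg)
    glue, forged = length_extend(tag, len(secret) + len(msg), suffix)
    return forged == sha1(secret + msg + glue + suffix)


def hmac_forgery_works(secret, msg, suffix):
    """The same trick against HMAC-SHA1: the outer hash hides the inner chaining
    value, so extending the tag does not yield HMAC of the extended message."""
    tag = hmac.new(secret, msg, "sha1").digest()
    glue, forged = length_extend(tag, len(secret) + len(msg), suffix)
    return forged == hmac.new(secret, msg + glue + suffix, "sha1").digest()


if __name__ == "__main__":
    # Constructed demo values; a real attacker would not know `secret`.
    secret, msg, suffix = b"k3y-unknown-to-attacker", b"amount=10&to=alice", b"&to=mallory"
    print(sha1(b"abc").hex())
    print("prefix-MAC forgery verifies:", prefix_mac_forgery_works(secret, msg, suffix))
    print("HMAC forgery verifies:", hmac_forgery_works(secret, msg, suffix))
```

The forged message carries the glue padding in the middle, which is why this matters most for formats that tolerate junk bytes, such as URL query strings or binary records with length fields; the attacker only has to guess the secret's length, and can try every plausible value.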
All well-known hash functions, including MD4, MD5, SHA-1 and SHA-2 are built from block-cipher-like components designed for the purpose, with feedback to ensure that the resulting function is not <a href="http://en.wikipedia.org/wiki/Bijective" title="Bijective" class="mw-redirect">bijective</a>.</p> <p>A standard block cipher such as <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">AES</a> can be used in place of these custom block ciphers; this generally carries a cost in performance, but can be advantageous where a system needs to perform hashing and another cryptographic function such as encryption that might use a block cipher, but is constrained in the code size or hardware area it must fit into, such as in some <a href="http://en.wikipedia.org/wiki/Embedded_system" title="Embedded system">embedded systems</a> like <a href="http://en.wikipedia.org/wiki/Smart_card" title="Smart card">smart cards</a>.</p> <p><a name="Methods_to_make_hash_functions_from_block_ciphers" id="Methods_to_make_hash_functions_from_block_ciphers"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Methods to make hash functions from block ciphers</span></h3> <p>See <a href="http://en.wikipedia.org/wiki/One-way_compression_function" title="One-way compression function">one-way compression function</a> for details.</p> <ul><li>Davies-Meyer</li><li>Matyas-Meyer-Oseas</li><li>Miyaguchi-<a href="http://en.wikipedia.org/wiki/Bart_Preneel" title="Bart Preneel">Preneel</a></li><li>MDC-2</li><li>MDC-4</li></ul> <p><a name="Use_in_building_other_cryptographic_primitives" id="Use_in_building_other_cryptographic_primitives"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Use in building other cryptographic primitives</span></h2> <p>Hash functions can be used to build other cryptographic primitives. 
For these other primitives to be cryptographically secure, care has to be taken to build them the right way.</p> <p><a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">Message authentication codes</a> (MACs) are often built from hash functions. <a href="http://en.wikipedia.org/wiki/HMAC" title="HMAC">HMAC</a> is the standard example: it runs the hash twice, once over an inner key-derived block followed by the message and once over an outer key-derived block followed by the inner result, so the raw hash of key and message is never exposed and the length-extension property of Merkle-Damgård hashes cannot be exploited.</p> <p>Just as <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block ciphers</a> can be used to build hash functions, hash functions can be used to build block ciphers. Examples of such block ciphers are <a href="http://en.wikipedia.org/wiki/SHACAL" title="SHACAL">SHACAL</a>, <a href="http://en.wikipedia.org/wiki/BEAR_%28cipher%29" title="BEAR (cipher)" class="mw-redirect">BEAR</a> and <a href="http://en.wikipedia.org/wiki/LION_%28cipher%29" title="LION (cipher)" class="mw-redirect">LION</a>.</p> <p><a href="http://en.wikipedia.org/wiki/Pseudorandom_number_generator" title="Pseudorandom number generator">Pseudorandom number generators</a> (PRNGs) can be built using hash functions. This is done by combining a (secret) random seed with a counter and hashing it. If the counter is a <a href="http://en.wikipedia.org/wiki/Bignum" title="Bignum" class="mw-redirect">bignum</a> (allowed to count to any size) then the PRNG can have an infinite period; its output is only as unpredictable as the seed is secret.</p> <p><a href="http://en.wikipedia.org/wiki/Stream_cipher" title="Stream cipher">Stream ciphers</a> can be built using hash functions. 
Often this is done by first building a <a href="http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator" title="Cryptographically secure pseudorandom number generator">cryptographically secure pseudorandom number generator</a> and then using its stream of random bytes as <a href="http://en.wikipedia.org/wiki/Keystream" title="Keystream">keystream</a>, <a href="http://en.wikipedia.org/wiki/Exclusive-or" title="Exclusive-or" class="mw-redirect">XOR</a>ing it with the cleartext to get the ciphertext. <a href="http://en.wikipedia.org/wiki/SEAL_%28cipher%29" title="SEAL (cipher)">SEAL</a> is such a stream cipher, based on <a href="http://en.wikipedia.org/wiki/SHA-1" title="SHA-1" class="mw-redirect">SHA-1</a>.</p> <p><a name="Concatenation_of_cryptographic_hash_functions" id="Concatenation_of_cryptographic_hash_functions"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Concatenation of cryptographic hash functions</span></h2> <p>Concatenating multiple hash functions could produce a new hash function that is more secure than its component parts.<sup id="cite_ref-1" class="reference"><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_note-1" title="">[2]</a></sup> For example, one might concatenate the output of <a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-1</a> and <a href="http://en.wikipedia.org/wiki/RIPEMD" title="RIPEMD">RIPEMD-160</a> to produce a new function H(x) = SHA-1(x) || RIPEMD-160(x).</p> <p>However, the new function is not significantly more secure than the stronger of its component parts. Joux <sup id="cite_ref-2" class="reference"><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_note-2" title="">[3]</a></sup> noted that the iterative nature of cryptographic hash functions introduces a weakness. 
n-collisions (n different messages that hash to the same value) are not much harder to find than 2-collisions: a 2<sup>k</sup>-collision costs only about k times the work of a single ordinary collision, because k successive collisions in the compression function, one per block, can be combined into 2<sup>k</sup> colliding messages. If a 2<sup>80</sup>-collision is found for RIPEMD-160 in this way, the birthday bound says that amongst those messages a SHA-1 collision is expected as well. The whole attack therefore costs only a small polynomial factor more than finding a collision in the stronger component alone, far less than the 2<sup>160</sup> a 320-bit output would suggest. This argument is summarized by <a href="http://www.mail-archive.com/cryptography@metzdowd.com/msg02611.html" class="external text" title="http://www.mail-archive.com/cryptography@metzdowd.com/msg02611.html" rel="nofollow">Finney</a>.</p> <p>Concatenated hash functions are used within <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" title="Transport Layer Security">SSL</a> and the <a href="http://en.wikipedia.org/wiki/Debian" title="Debian">Debian</a> <a href="http://en.wikipedia.org/wiki/Advanced_Packaging_Tool" title="Advanced Packaging Tool">Advanced Packaging Tool</a> system, both of which at the time of writing use concatenated MD5 and SHA-1 sums. 
This does not increase security, but provides redundancy in case one is broken: a valid reason for using multiple hash functions.</p> <p><a name="List_of_cryptographic_hash_functions" id="List_of_cryptographic_hash_functions"></a></p> <h2><span class="editsection"></span><span class="mw-headline">List of cryptographic hash functions</span></h2> <p>Some of the following algorithms are known to be insecure; consult the article for each specific algorithm for more information on the status of each algorithm. 
For even more hash functions see the box at the bottom of the page.</p> <table class="wikitable"> <tbody><tr> <th>Algorithm</th> <th>Output size (bits)</th> <th>Internal state size</th> <th>Block size</th> <th>Length size</th> <th>Word size</th> <th>Collision</th> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/HAVAL" title="HAVAL">HAVAL</a></b></td> <td>256/224/192/160/128</td> <td>256</td> <td>1024</td> <td>64</td> <td>32</td> <td>Yes</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/MD2_%28cryptography%29" title="MD2 (cryptography)">MD2</a></b></td> <td>128</td> <td>384</td> <td>128</td> <td>No</td> <td>8</td> <td>Almost</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a></b></td> <td>128</td> <td>128</td> <td>512</td> <td>64</td> <td>32</td> <td>Yes</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a></b></td> <td>128</td> <td>128</td> <td>512</td> <td>64</td> <td>32</td> <td>Yes</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/PANAMA" title="PANAMA" class="mw-redirect">PANAMA</a></b></td> <td>256</td> <td>8736</td> <td>256</td> <td>No</td> <td>32</td> <td>Yes</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/RadioGat%C3%BAn" title="RadioGatún" class="mw-redirect">RadioGatún</a></b></td> <td>Arbitrarily long</td> <td>58 words</td> <td>3 words</td> <td>No</td> <td>1-64</td> <td>No</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/RIPEMD" title="RIPEMD">RIPEMD</a></b></td> <td>128</td> <td>128</td> <td>512</td> <td>64</td> <td>32</td> <td>Yes</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/RIPEMD" title="RIPEMD">RIPEMD-128/256</a></b></td> <td>128/256</td> <td>128/256</td> <td>512</td> <td>64</td> <td>32</td> <td>No</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/RIPEMD" 
title="RIPEMD">RIPEMD-160/320</a></b></td> <td>160/320</td> <td>160/320</td> <td>512</td> <td>64</td> <td>32</td> <td>No</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-0</a></b></td> <td>160</td> <td>160</td> <td>512</td> <td>64</td> <td>32</td> <td>Yes</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-1</a></b></td> <td>160</td> <td>160</td> <td>512</td> <td>64</td> <td>32</td> <td>With flaws</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-256/224</a></b></td> <td>256/224</td> <td>256</td> <td>512</td> <td>64</td> <td>32</td> <td>No</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-512/384</a></b></td> <td>512/384</td> <td>512</td> <td>1024</td> <td>128</td> <td>64</td> <td>No</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/Tiger_%28cryptography%29" title="Tiger (cryptography)">Tiger(2)-192/160/128</a></b></td> <td>192/160/128</td> <td>192</td> <td>512</td> <td>64</td> <td>64</td> <td>No</td> </tr> <tr align="center"> <td><b><a href="http://en.wikipedia.org/wiki/WHIRLPOOL" title="WHIRLPOOL" class="mw-redirect">WHIRLPOOL</a></b></td> <td>512</td> <td>512</td> <td>512</td> <td>256</td> <td>8</td> <td>No</td> </tr> </tbody></table> <p>The <a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA hash functions</a> are a series of functions developed by the <a href="http://en.wikipedia.org/wiki/NSA" title="NSA" class="mw-redirect">NSA</a>: <i>SHA</i>, also known as <i>SHA-0</i>, <i>SHA-1</i> and four flavours of a function known as <i>SHA-2</i>.</p> <p><i><b>Note:</b></i> The <i>internal state</i> here means the "internal hash sum" after each compression of a data block. 
Most hash algorithms also internally use some additional variables such as length of the data compressed so far since that is needed for the length padding in the end. See the <a href="http://en.wikipedia.org/wiki/Merkle-Damg%C3%A5rd_construction" title="Merkle-Damgård construction">Merkle-Damgård construction</a> for details.</p> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <div style="-moz-column-count: 2;"> <ul><li><a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">Avalanche effect</a></li><li><a href="http://en.wikipedia.org/wiki/MD5CRK" title="MD5CRK">MD5CRK</a></li><li><a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">Message authentication code</a></li><li><a href="http://en.wikipedia.org/wiki/Keyed-hash_message_authentication_code" title="Keyed-hash message authentication code" class="mw-redirect">Keyed-hash message authentication code</a></li><li><a href="http://en.wikipedia.org/wiki/CRHF" title="CRHF">CRHF</a> - Collision Resistant Hash Functions.</li><li><a href="http://en.wikipedia.org/wiki/UOWHF" title="UOWHF">UOWHF</a> - Universal One Way Hash Functions.</li><li><a href="http://en.wikipedia.org/wiki/CRYPTREC" title="CRYPTREC">CRYPTREC</a> and <a href="http://en.wikipedia.org/wiki/NESSIE" title="NESSIE">NESSIE</a> - Projects which recommend hash functions.</li><li><a href="http://en.wikipedia.org/wiki/PGP_word_list" title="PGP word list">PGP word list</a></li></ul> </div> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <ol class="references"><li id="cite_note-0"><b><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_ref-0" title="">^</a></b> <a href="http://csrc.nist.gov/groups/ST/hash/sha-3/index.html" class="external text" title="http://csrc.nist.gov/groups/ST/hash/sha-3/index.html" 
rel="nofollow">NIST.gov - Computer Security Division - Computer Security Resource Center</a></li><li id="cite_note-1"><b><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_ref-1" title="">^</a></b> <a href="http://developers.slashdot.org/comments.pl?sid=120193&cid=10130642" class="external autonumber" title="http://developers.slashdot.org/comments.pl?sid=120193&cid=10130642" rel="nofollow">[1]</a> <a href="http://it.slashdot.org/comments.pl?sid=217942&threshold=0&commentsort=0&mode=thread&cid=17697038" class="external text" title="http://it.slashdot.org/comments.pl?sid=217942&threshold=0&commentsort=0&mode=thread&cid=17697038" rel="nofollow">suggested</a></li><li id="cite_note-2"><b><a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_ref-2" title="">^</a></b> Joux, Antoine. <i>Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions</i>. LNCS 3152/2004, pages 306-316 <a href="http://www.springerlink.com/index/DWWVMQJU0N0A3UGJ.pdf" class="external text" title="http://www.springerlink.com/index/DWWVMQJU0N0A3UGJ.pdf" rel="nofollow">Full text</a>.</li></ol> <p><a name="Further_reading" id="Further_reading"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Further reading</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a>. <i>Applied Cryptography</i>. John Wiley & Sons, 1996. 
<a href="http://en.wikipedia.org/wiki/Special:BookSources/0471117099" class="internal">ISBN 0-471-11709-9</a>.</li></ul> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://www.hashemall.com/" class="external text" title="http://www.hashemall.com" rel="nofollow">Hash'em all!</a> — free online text and file hashing with different algorithms</li><li><a href="http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html" class="external text" title="http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html" rel="nofollow">The Hash function lounge</a> — a list of hash functions and known attacks</li><li><a href="http://research.microsoft.com/users/mironov/papers/hash_survey.pdf" class="external text" title="http://research.microsoft.com/users/mironov/papers/hash_survey.pdf" rel="nofollow">Hash functions: Theory, attacks, and applications</a> — a survey by Ilya Mironov (Microsoft Research)</li><li><a href="http://research.cyber.ee/%7Elipmaa/crypto/" class="external text" title="http://research.cyber.ee/~lipmaa/crypto/" rel="nofollow">Helger Lipmaa's links on hash functions</a></li><li><a href="http://www.cs.rit.edu/%7Eark/lectures/onewayhash/onewayhash.shtml" class="external text" title="http://www.cs.rit.edu/~ark/lectures/onewayhash/onewayhash.shtml" rel="nofollow">Diagrams explaining cryptographic hash functions</a></li><li><a href="http://www.unixwiz.net/techtips/iguide-crypto-hashes.html" class="external text" title="http://www.unixwiz.net/techtips/iguide-crypto-hashes.html" rel="nofollow"><i>An Illustrated Guide to Cryptographic Hashes</i></a> by Steve Friedl</li><li><a href="http://schneier.com/essay-074.html" class="external text" title="http://schneier.com/essay-074.html" rel="nofollow"><i>Cryptanalysis of MD5 and SHA: Time for a New Standard</i></a> by <a href="http://en.wikipedia.org/wiki/Bruce_Schneier" title="Bruce 
Schneier">Bruce Schneier</a></li><li><a href="http://www.cryptography.com/cnews/hash.html" class="external text" title="http://www.cryptography.com/cnews/hash.html" rel="nofollow">Hash collision Q&A</a></li><li><a href="http://www.cits.rub.de/MD5Collisions/" class="external text" title="http://www.cits.rub.de/MD5Collisions/" rel="nofollow">Attacking hash functions by poisoned messages (construction of multiple sensible Postscript messages with the same hash function)</a></li><li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2176" class="external text" title="http://www.rsasecurity.com/rsalabs/node.asp?id=2176" rel="nofollow">What is a hash function?</a> from RSA Laboratories</li><li><a href="http://phpsec.org/articles/2005/password-hashing.html" class="external text" title="http://phpsec.org/articles/2005/password-hashing.html" rel="nofollow">Password Hashing in PHP</a> by James McGlinn at the PHP Security Consortium</li><li><a href="http://www.linuxworld.com/cgi-bin/mailto/x_linux.cgi?pagetosend=/export/home/httpd/linuxworld/news/2007/111207-hash.html" class="external text" title="http://www.linuxworld.com/cgi-bin/mailto/x_linux.cgi?pagetosend=/export/home/httpd/linuxworld/news/2007/111207-hash.html" rel="nofollow">The code monkey's guide to cryptographic hashes</a> by Val Henson, "in language that any programmer (and even some managers) can understand."</li><li><a href="http://digitallabs.net/winhash" class="external text" title="http://digitallabs.net/winhash" rel="nofollow">File Hash for Windows</a> with various algorithms</li></ul> <table class="navbox" style="" cellspacing="0"> <tbody><tr> <td style="padding: 2px;"> <table class="nowraplinks" style="background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; color: inherit;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list 
navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <div style="float: left; width: 6em; text-align: left;"> </div> <div style="float: right; width: 6em;"> </div> <span style="font-size: 100%;"><strong class="selflink">Cryptographic hash functions</strong> and <a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">Message authentication codes (MACs)</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Hash algorithms:</b> <a href="http://en.wikipedia.org/wiki/GOST_%28hash_function%29" title="GOST (hash function)">GOST</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/HAS-160" title="HAS-160">HAS-160</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/HAVAL" title="HAVAL">HAVAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MDC-2" title="MDC-2">MDC-2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MD2_%28cryptography%29" title="MD2 (cryptography)">MD2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/N-Hash" title="N-Hash">N-Hash</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RadioGat%C3%BAn" title="RadioGatún" class="mw-redirect">RadioGatún</a> |</span> <span style="white-space: nowrap;"><a 
href="http://en.wikipedia.org/wiki/RIPEMD" title="RIPEMD">RIPEMD</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA family</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Snefru" title="Snefru">Snefru</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Tiger_%28cryptography%29" title="Tiger (cryptography)">Tiger</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Whirlpool_%28cryptography%29" title="Whirlpool (cryptography)">WHIRLPOOL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Crypt_%28Unix%29#Library_Function" title="Crypt (Unix)">crypt(3) DES</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>MAC algorithms:</b> <a href="http://en.wikipedia.org/wiki/Data_Authentication_Algorithm" title="Data Authentication Algorithm">DAA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CBC-MAC" title="CBC-MAC">CBC-MAC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/HMAC" title="HMAC">HMAC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/One-key_MAC" title="One-key MAC">OMAC/CMAC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/PMAC_%28cryptography%29" title="PMAC (cryptography)">PMAC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/UMAC" title="UMAC">UMAC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Poly1305-AES" title="Poly1305-AES">Poly1305-AES</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> 
<td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b><a href="http://en.wikipedia.org/wiki/Authenticated_encryption" title="Authenticated encryption">Authenticated encryption</a> modes:</b> <a href="http://en.wikipedia.org/wiki/CCM_mode" title="CCM mode">CCM</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CWC_mode" title="CWC mode">CWC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/EAX_mode" title="EAX mode">EAX</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Galois/Counter_Mode" title="Galois/Counter Mode">GCM</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/OCB_mode" title="OCB mode">OCB</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Attacks:</b> <a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">Hash collision</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Birthday_attack" title="Birthday attack">Birthday attack</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Preimage_attack" title="Preimage attack">Preimage attack</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Rainbow_table" title="Rainbow table">Rainbow table</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Side_channel_attack" title="Side channel attack" class="mw-redirect">Side channel attack</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">Brute force attack</a></span></p> </div> </td> </tr> <tr 
style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Misc:</b> <a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">Avalanche effect</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">Hash collision</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Merkle-Damg%C3%A5rd_construction" title="Merkle-Damgård construction">Merkle-Damgård construction</a> <b>Standardization:</b> <a href="http://en.wikipedia.org/wiki/CRYPTREC" title="CRYPTREC">CRYPTREC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NESSIE" title="NESSIE">NESSIE</a></span></p> </div> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <div style="float: left; width: 6em; text-align: left;"> </div> <div style="float: right; width: 6em;"> </div> <span style="font-size: 100%;"><a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">Cryptography</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"><a href="http://en.wikipedia.org/wiki/History_of_cryptography" title="History of cryptography">History of cryptography</a> | <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">Cryptanalysis</a> | <a href="http://en.wikipedia.org/wiki/Portal:Cryptography" title="Portal:Cryptography">Cryptography portal</a> | <a href="http://en.wikipedia.org/wiki/Topics_in_cryptography" title="Topics in cryptography">Topics in cryptography</a></div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"><a href="http://en.wikipedia.org/wiki/Symmetric-key_algorithm" title="Symmetric-key algorithm">Symmetric-key algorithm</a> | <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">Block cipher</a> | <a href="http://en.wikipedia.org/wiki/Stream_cipher" title="Stream cipher">Stream cipher</a> | <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">Public-key cryptography</a> | <strong class="selflink">Cryptographic hash function</strong> | <a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">Message authentication code</a> | <a href="http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator" title="Cryptographically secure pseudorandom number generator">Random numbers</a> | <a href="http://en.wikipedia.org/wiki/Steganography" title="Steganography">Steganography</a></div> </td> </tr> 
</tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> <!-- NewPP limit report Preprocessor node count: 1341/1000000 Post-expand include size: 54852/2048000 bytes Template argument size: 54756/2048000 bytes Expensive parser function count: 1/500 --> <!-- Saved in parser cache with key enwiki:pcache:idhash:439526-0!1!0!default!!en!2 and timestamp 20080926193303 --> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">http://en.wikipedia.org/wiki/Cryptographic_hash_function</a>"<br /><br /></div> <div id="mw-normal-catlinks"><a href="http://en.wikipedia.org/wiki/Special:Categories" title="Special:Categories">Categories</a>: <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Cryptography" title="Category:Cryptography">Cryptography</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Cryptographic_primitives" title="Category:Cryptographic primitives">Cryptographic primitives</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Cryptographic_hash_functions" title="Category:Cryptographic hash functions">Cryptographic hash functions</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Hashing" title="Category:Hashing">Hashing</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:CISSP" title="Category:CISSP">CISSP</a></span></div>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-14888134326960461042008-09-30T08:45:00.001-07:002008-09-30T08:50:59.245-07:00MD5 Algorithm<a href="http://en.wikipedia.org/wiki/MD5#searchInput">
<br /></a> <!-- start content --> <table class="infobox" style="text-align: left; line-height: 1.5em; width: 23em; font-size: 90%;" cellspacing="5"> <tbody><tr> <td colspan="2" class="" style="background: transparent none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; font-size: larger; font-weight: bold;">MD5</td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">General</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Designers</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Ron_Rivest" title="Ron Rivest">Ron Rivest</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">First published</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">April 1992</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Series</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">MD, <a href="http://en.wikipedia.org/wiki/MD2_%28cryptography%29" title="MD2 (cryptography)">MD2</a>, MD3, <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a>, <strong class="selflink">MD5</strong></td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: 
-moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Detail</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Digest_size" title="Digest size">Digest sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">128 bits</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Rounds</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">4</td> </tr> <tr> <td colspan="2" class="" style="text-align: center; line-height: 1.2em; vertical-align: middle;">
<br /></td> </tr> </tbody></table> <p>In <a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">cryptography</a>, <b>MD5</b> (<b>Message-Digest algorithm 5</b>) is a widely used, partially insecure<sup id="cite_ref-0" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-0" title="">[1]</a></sup> <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" title="Cryptographic hash function">cryptographic hash function</a> with a 128-<a href="http://en.wikipedia.org/wiki/Bit" title="Bit">bit</a> hash value. As an <a href="http://en.wikipedia.org/wiki/Internet" title="Internet">Internet</a> standard (<a href="http://tools.ietf.org/html/rfc1321" class="external" title="http://tools.ietf.org/html/rfc1321">RFC 1321</a>), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of <a href="http://en.wikipedia.org/wiki/Computer_file" title="Computer file">files</a>. An MD5 hash is typically expressed as a 32 digit <a href="http://en.wikipedia.org/wiki/Hexadecimal" title="Hexadecimal">hexadecimal</a> number.</p> <p>MD5 was designed by <a href="http://en.wikipedia.org/wiki/Ron_Rivest" title="Ron Rivest">Ron Rivest</a> in <a href="http://en.wikipedia.org/wiki/1991" title="1991">1991</a> to replace an earlier hash function, <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a>. In <a href="http://en.wikipedia.org/wiki/1996" title="1996">1996</a>, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as <a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-1</a> (which has since been found vulnerable itself). 
In <a href="http://en.wikipedia.org/wiki/2004" title="2004">2004</a>, more serious flaws were discovered (the first collisions for the full MD5 hash), making further use of the algorithm for security purposes questionable.<sup id="cite_ref-autogenerated1_1-0" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-autogenerated1-1" title="">[2]</a></sup><sup id="cite_ref-autogenerated2_2-0" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-autogenerated2-2" title="">[3]</a></sup> In <a href="http://en.wikipedia.org/wiki/2007" title="2007">2007</a> a group of researchers including <a href="http://en.wikipedia.org/wiki/Arjen_Lenstra" title="Arjen Lenstra">Arjen Lenstra</a> described how to create a pair of files that share the same MD5 <a href="http://en.wikipedia.org/wiki/Checksum" title="Checksum">checksum</a>.<sup id="cite_ref-3" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-3" title="">[4]</a></sup></p> <p><a name="History_and_cryptanalysis" id="History_and_cryptanalysis"></a></p> <h2><span class="editsection"></span><span class="mw-headline">History and cryptanalysis</span></h2> <p>Message Digest is a series of <a href="http://en.wikipedia.org/wiki/Message_digest" title="Message digest" class="mw-redirect">message digest</a> algorithms designed by Professor <a href="http://en.wikipedia.org/wiki/Ronald_Rivest" title="Ronald Rivest" class="mw-redirect">Ronald Rivest</a> of <a href="http://en.wikipedia.org/wiki/Massachusetts_Institute_of_Technology" title="Massachusetts Institute of Technology">MIT</a> (Rivest, 1994). When analytic work indicated that MD5's predecessor, <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a>, was likely to be insecure, MD5 was designed in 1991 to be a secure replacement. (Weaknesses were indeed later found in MD4 by <a href="http://en.wikipedia.org/wiki/Hans_Dobbertin" title="Hans Dobbertin">Hans Dobbertin</a>.)</p> <p>In 1993, Den Boer and Bosselaers gave an early, although limited, result of finding a "<a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">pseudo-collision</a>" of the MD5 <a href="http://en.wikipedia.org/wiki/One-way_compression_function" title="One-way compression function">compression function</a>; that is, two different <a href="http://en.wikipedia.org/wiki/Initialization_vector" title="Initialization vector">initialization vectors</a> which produce an identical digest.</p> <p>In 1996, Dobbertin announced a <a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">collision</a> of the compression function of MD5 (Dobbertin, 1996). 
While this was not an attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to a replacement, such as <a href="http://en.wikipedia.org/wiki/WHIRLPOOL" title="WHIRLPOOL" class="mw-redirect">WHIRLPOOL</a>, <a href="http://en.wikipedia.org/wiki/SHA_hash_functions" title="SHA hash functions">SHA-1</a> or <a href="http://en.wikipedia.org/wiki/RIPEMD-160" title="RIPEMD-160" class="mw-redirect">RIPEMD-160</a>.</p> <p>The size of the hash—128 bits—is small enough to contemplate a <a href="http://en.wikipedia.org/wiki/Birthday_attack" title="Birthday attack">birthday attack</a>. <a href="http://en.wikipedia.org/wiki/MD5CRK" title="MD5CRK">MD5CRK</a> was a <a href="http://en.wikipedia.org/wiki/Distributed_computing" title="Distributed computing">distributed project</a> started in March 2004 with the aim of demonstrating that MD5 is practically insecure by finding a collision using a birthday attack.</p> <p>MD5CRK ended shortly after 17 August, 2004, when <a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">collisions</a> for the full MD5 were announced by <a href="http://en.wikipedia.org/wiki/Xiaoyun_Wang" title="Xiaoyun Wang" class="mw-redirect">Xiaoyun Wang</a>, Dengguo Feng, <a href="http://en.wikipedia.org/wiki/Xuejia_Lai" title="Xuejia Lai" class="mw-redirect">Xuejia Lai</a>, and Hongbo Yu.<sup id="cite_ref-autogenerated1_1-1" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-autogenerated1-1" title="">[2]</a></sup><sup id="cite_ref-4" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-4" title="">[5]</a></sup><sup id="cite_ref-autogenerated2_2-1" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-autogenerated2-2" title="">[3]</a></sup> Their analytical attack was reported to take only one hour on an <a href="http://en.wikipedia.org/wiki/IBM_p690" title="IBM p690">IBM p690</a> cluster.</p> <p>On 1 March 2005, <a 
href="http://en.wikipedia.org/wiki/Arjen_Lenstra" title="Arjen Lenstra">Arjen Lenstra</a>, <a href="http://en.wikipedia.org/wiki/Xiaoyun_Wang" title="Xiaoyun Wang" class="mw-redirect">Xiaoyun Wang</a>, and Benne de Weger demonstrated<sup id="cite_ref-5" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-5" title="">[6]</a></sup> the construction of two <a href="http://en.wikipedia.org/wiki/X.509" title="X.509">X.509</a> certificates with different public keys and the same MD5 hash, a demonstrably practical collision. The construction included private keys for both public keys. A few days later, Vlastimil Klima described<sup id="cite_ref-6" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-6" title="">[7]</a></sup> an improved algorithm, able to construct MD5 collisions in a few hours on a single notebook computer. On 18 March 2006, Klima published an algorithm<sup id="cite_ref-7" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-7" title="">[8]</a></sup> that can find a collision within one minute on a single notebook computer, using a method he calls tunneling.</p> <p><a name="Vulnerability" id="Vulnerability"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Vulnerability</span></h2> <p>MD5 makes a single pass over the data, carrying a 128-bit internal state from one block to the next, and the final state is the digest. Consequently, if two prefixes that end on a block boundary can be constructed that leave the hash in the same internal state, any common suffix can be appended to both and the two complete files still collide. This is how a raw pair of colliding blocks is turned into two meaningful files.</p> <p>Because the current collision-finding techniques allow the preceding hash state to be specified arbitrarily, a collision can be found for any desired prefix; that is, for any given string of characters X, two colliding files can be determined which both begin with X.</p> <p>All that is required to generate two colliding files is a template file, with a 128-byte block of data aligned on a 64-byte boundary, that can be changed freely by the collision-finding algorithm.</p> <p>Recently, a number of projects have created MD5 "<a href="http://en.wikipedia.org/wiki/Rainbow_table" title="Rainbow table">rainbow tables</a>" which are easily accessible online and can be used to recover, for many MD5 hashes, an input that produces that hash (usually the original input), typically for the purposes of <a href="http://en.wikipedia.org/wiki/Password" title="Password">password</a> cracking. However, if passwords are combined with a <a href="http://en.wikipedia.org/wiki/Salt_%28cryptography%29" title="Salt (cryptography)">salt</a> before the MD5 digest is generated, a precomputed table would have to cover every possible salt value, so rainbow tables become much less useful. Note that a salt does not slow down guessing against one particular hash; only iterating the hash (see key strengthening below) does that.</p> <p>The use of MD5 in some websites' <a href="http://en.wikipedia.org/wiki/Uniform_Resource_Locator" title="Uniform Resource Locator">URLs</a> means that <a href="http://en.wikipedia.org/wiki/Google" title="Google">Google</a> can also sometimes function as a limited tool for reverse lookup of MD5 hashes.<sup id="cite_ref-8" class="reference"><a href="http://en.wikipedia.org/wiki/MD5#cite_note-8" title="">[9]</a></sup> This technique is rendered ineffective by the use of a <a href="http://en.wikipedia.org/wiki/Salt_%28cryptography%29" title="Salt (cryptography)">salt</a>.</p> <p><a name="Applications" id="Applications"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Applications</span></h2> <p>MD5 digests have been widely used in the <a href="http://en.wikipedia.org/wiki/Software" title="Software" class="mw-redirect">software</a> world to provide some assurance that a transferred file has arrived intact. For example, file servers often provide a pre-computed MD5 <a href="http://en.wikipedia.org/wiki/Checksum" title="Checksum">checksum</a> for the files, so that a user can compare the checksum of the downloaded file to it. <a href="http://en.wikipedia.org/wiki/Unix" title="Unix">Unix</a>-based operating systems include MD5 sum utilities in their distribution packages, whereas Windows users use third-party applications.</p> <p>However, now that it is easy to generate MD5 collisions, the person who created the file can produce a second file with the same checksum, so this technique cannot protect against tampering by whoever prepared the original (it still offers some protection against a third party substituting an arbitrary file, since that would require a second-preimage attack, and no practical second-preimage attack on MD5 is known). Also, in some cases the checksum cannot be trusted (for example, if it was obtained over the same channel as the downloaded file), in which case MD5 can only provide error-checking functionality: it will recognize a corrupt or incomplete download, which becomes more likely when downloading larger files.</p> <p>MD5 is widely used to store <a href="http://en.wikipedia.org/wiki/Password#Form_of_stored_passwords" title="Password">passwords</a>. 
To mitigate the attacks described above, one can add a <a href="http://en.wikipedia.org/wiki/Salt_%28cryptography%29" title="Salt (cryptography)">salt</a> (a random value, different for each password and stored alongside the hash) to the passwords before hashing them. Some implementations also apply the hashing function many times to slow down guessing; see <a href="http://en.wikipedia.org/wiki/Key_strengthening" title="Key strengthening">key strengthening</a>.</p> <p><a name="Algorithm" id="Algorithm"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Algorithm</span></h2> <div class="thumb tright"> <div class="thumbinner" style="width: 302px;"><a href="http://en.wikipedia.org/wiki/Image:MD5.svg" class="image" title="Figure 1. One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations."><img alt="Figure 1. One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations." src="http://upload.wikimedia.org/wikipedia/commons/thumb/d/d8/MD5.svg/300px-MD5.svg.png" class="thumbimage" width="300" border="0" height="330" /></a> <div class="thumbcaption"> Figure 1. One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. <i>F</i> is a nonlinear function; one function is used in each round. <i>M<sub>i</sub></i> denotes a 32-bit word of the current message block, and <i>K<sub>i</sub></i> denotes a 32-bit constant, different for each operation.</div> </div> </div> <p><a href="http://en.wikipedia.org/wiki/Image:Lll.png" class="image" title="left shift"><img alt="left shift" src="http://upload.wikimedia.org/wikipedia/commons/e/e1/Lll.png" width="19" border="0" height="10" /></a><sub><i>s</i></sub> denotes a left bit rotation by <i>s</i> places; <i>s</i> varies for each operation. <a href="http://en.wikipedia.org/wiki/Image:Boxplus.png" class="image" title="Addition"><img alt="Addition" src="http://upload.wikimedia.org/wikipedia/commons/7/75/Boxplus.png" width="11" border="0" height="11" /></a> denotes addition modulo 2<sup>32</sup>.</p> <p>MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is processed in 512-bit blocks, each treated as sixteen 32-bit <a href="http://en.wikipedia.org/wiki/Little_endian" title="Little endian" class="mw-redirect">little endian</a> words; the message is first <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" title="Padding (cryptography)">padded</a> so that its length is divisible by 512. The padding works as follows: first a single 1 bit is appended to the end of the message. This is followed by as many 0 bits as are required to bring the length of the message to 64 bits fewer than a multiple of 512 (that is, to 448 modulo 512). The remaining 64 bits are filled with the length of the original message in bits, as a little-endian integer. Padding is always applied, so a message whose length is already a multiple of 512 bits gains a whole extra block.</p> <p>The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted <i>A</i>, <i>B</i>, <i>C</i> and <i>D</i>. These are initialized to fixed constants (given in the pseudocode below). The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. 
The processing of a message block consists of four similar stages, termed <i>rounds</i>; each round is composed of 16 similar operations based on a non-linear function <i>F</i>, <a href="http://en.wikipedia.org/wiki/Modular_addition" title="Modular addition" class="mw-redirect">modular addition</a>, and left rotation. Figure 1 illustrates one operation within a round. There are four possible functions <i>F</i>; a different one is used in each round:</p> <dl><dd><img class="tex" alt="F(X,Y,Z) = (X\wedge{Y}) \vee (\neg{X} \wedge{Z})" src="http://upload.wikimedia.org/math/d/1/1/d111c792b26013f92b35f32b11a68e93.png" /></dd><dd><img class="tex" alt="G(X,Y,Z) = (X\wedge{Z}) \vee (Y \wedge \neg{Z})" src="http://upload.wikimedia.org/math/e/f/9/ef971bcd2ed5aeb59d6de12bcec32491.png" /></dd><dd><img class="tex" alt="H(X,Y,Z) = X \oplus Y \oplus Z" src="http://upload.wikimedia.org/math/6/b/2/6b2e2f185f30889f1e37afe9ce29a096.png" /></dd><dd><img class="tex" alt="I(X,Y,Z) = Y \oplus (X \vee \neg{Z})" src="http://upload.wikimedia.org/math/c/8/8/c887dfd80049b04ba54abfed7a04bda2.png" /></dd></dl> <p><img class="tex" alt="\oplus, \wedge, \vee, \neg" src="http://upload.wikimedia.org/math/d/9/6/d96277da48b2e8f86c7268f480a9e87c.png" /> denote the <a href="http://en.wikipedia.org/wiki/XOR" title="XOR" class="mw-redirect">XOR</a>, <a href="http://en.wikipedia.org/wiki/Logical_conjunction" title="Logical conjunction">AND</a>, <a href="http://en.wikipedia.org/wiki/Logical_disjunction" title="Logical disjunction">OR</a> and <a href="http://en.wikipedia.org/wiki/Negation" title="Negation">NOT</a> operations respectively.</p> <p><a name="Pseudocode" id="Pseudocode"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Pseudocode</span></h3> <p><a href="http://en.wikipedia.org/wiki/Pseudocode" title="Pseudocode">Pseudocode</a> for the MD5 algorithm follows. Note that the initial values of the state words are written here as little-endian 32-bit integers, which is what the word-wise arithmetic below requires; RFC 1321 lists the same values as byte sequences (01 23 45 67, 89 ab cd ef, fe dc ba 98, 76 54 32 10), and copying those byte sequences literally as integers is a common implementation mistake.</p> <pre><span style="color:green;">//<i>Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating</i></span>
<b>var</b> <i>int</i>[64] r, k

<span style="color:green;">//<i>r specifies the per-round shift amounts</i></span>
r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

<span style="color:green;">//<i>Use binary integer part of the sines of integers (Radians) as constants:</i></span>
<b>for</b> i <b>from</b> 0 <b>to</b> 63
    k[i] := floor(abs(sin(i + 1)) × (2 <b>pow</b> 32))

<span style="color:green;">//<i>Initialize variables (RFC 1321 byte sequences read as little-endian words):</i></span>
<b>var</b> <i>int</i> h0 := 0x67452301
<b>var</b> <i>int</i> h1 := 0xEFCDAB89
<b>var</b> <i>int</i> h2 := 0x98BADCFE
<b>var</b> <i>int</i> h3 := 0x10325476

<span style="color:green;">//<i>Pre-processing (always performed, even if the length is already a multiple of 512 bits):</i></span>
<b>append</b> "1" bit <b>to</b> message
<b>append</b> "0" bits <b>until</b> message length in bits ≡ 448 (mod 512)
<b>append</b> bit <span style="color:green;">/* bit, not byte */</span> length of unpadded message <b>as</b> <i>64-bit little-endian integer</i> <b>to</b> message

<span style="color:green;">//<i>Process the message in successive 512-bit chunks:</i></span>
<b>for each</b> <i>512-bit</i> chunk <b>of</b> message
    break chunk into sixteen 32-bit little-endian words w[i], 0 ≤ i ≤ 15

    <span style="color:green;">//<i>Initialize hash value for this chunk:</i></span>
    <b>var</b> <i>int</i> a := h0
    <b>var</b> <i>int</i> b := h1
    <b>var</b> <i>int</i> c := h2
    <b>var</b> <i>int</i> d := h3

    <span style="color:green;">//<i>Main loop:</i></span>
    <b>for</b> i <b>from</b> 0 <b>to</b> 63
        <b>if</b> 0 ≤ i ≤ 15 <b>then</b>
            f := (b <b>and</b> c) <b>or</b> ((<b>not</b> b) <b>and</b> d)
            g := i
        <b>else if</b> 16 ≤ i ≤ 31
            f := (d <b>and</b> b) <b>or</b> ((<b>not</b> d) <b>and</b> c)
            g := (5×i + 1) <b>mod</b> 16
        <b>else if</b> 32 ≤ i ≤ 47
            f := b <b>xor</b> c <b>xor</b> d
            g := (3×i + 5) <b>mod</b> 16
        <b>else if</b> 48 ≤ i ≤ 63
            f := c <b>xor</b> (b <b>or</b> (<b>not</b> d))
            g := (7×i) <b>mod</b> 16

        temp := d
        d := c
        c := b
        b := b + <b>leftrotate</b>((a + f + k[i] + w[g]), r[i])
        a := temp

    <span style="color:green;">//<i>Add this chunk's hash to result so far:</i></span>
    h0 := h0 + a
    h1 := h1 + b
    h2 := h2 + c
    h3 := h3 + d

<b>var</b> <i>int</i> digest := h0 <b>append</b> h1 <b>append</b> h2 <b>append</b> h3 <span style="color:green;">//<i>(each word expressed as little-endian bytes)</i></span>
</pre> <pre><span style="color:green;">//<i>leftrotate function definition (32-bit rotate, 1 ≤ c ≤ 31)</i></span>
<b>leftrotate</b> (x, c)
    <b>return</b> (x &lt;&lt; c) <b>or</b> (x &gt;&gt; (32 - c))
</pre> <p>
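The pseudocode above carried into a runnable Python implementation. This is an example added here, not code from the page or from RFC 1321; it uses only the standard library, and <code>hashlib</code> appears solely to cross-check the result. The initial state is written as little-endian words (0x67452301, ...), which is what word-wise arithmetic requires. Because the digest is nothing more than the final internal state, the same code also demonstrates the single-pass property described under Vulnerability: once the state after a block-aligned prefix is known, a suffix can be appended and the hash simply continued. The example goes beyond the page's text by showing this as a length extension against a naive MD5(secret || message) tag; the names <code>secret</code>, <code>message</code>, <code>extend_digest</code> and the sample strings are constructed for the example.

```python
import hashlib  # used only to cross-check this implementation against the standard library
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-operation shift amounts r[0..63] and the sine-derived constants k[0..63] from the pseudocode.
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]

# Initial state A, B, C, D: the RFC 1321 byte sequences 01 23 45 67, 89 ab cd ef,
# fe dc ba 98, 76 54 32 10 read as little-endian 32-bit words.
INIT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(x, c):
    """Rotate the 32-bit value x left by c places (1 <= c <= 31)."""
    return ((x << c) | (x >> (32 - c))) & MASK32


def md5_compress(state, block):
    """Apply the compression function to one 64-byte block and return the new state."""
    a, b, c, d = state
    w = struct.unpack("<16I", block)  # sixteen little-endian 32-bit words
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        # Python ints are unbounded, so NOT yields negative values: mask before adding.
        mixed = (a + (f & MASK32) + K[i] + w[g]) & MASK32
        a, b, c, d = d, (b + rotl(mixed, SHIFTS[i])) & MASK32, b, c
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d)))


def md5_padding(total_len):
    """Padding for a message of total_len bytes: one 0x80 byte, zero bytes up to
    56 mod 64, then the bit length as a 64-bit little-endian integer. Always applied."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5(message, state=INIT_STATE, already_hashed=0):
    """MD5 of message. `state` and `already_hashed` (a multiple of 64) allow the
    computation to resume after a known prefix; with the defaults this is plain MD5."""
    assert already_hashed % 64 == 0, "can only resume at a block boundary"
    data = message + md5_padding(already_hashed + len(message))
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)  # digest = A || B || C || D as little-endian bytes


def md5_hex(message):
    return md5(message).hex()


def matches_stdlib(message):
    """Cross-check against hashlib for a given input."""
    return md5(message) == hashlib.md5(message).digest()


def extend_digest(known_digest, known_len, suffix):
    """Given only MD5(P) and len(P), return (glue, MD5(P || glue || suffix)) where glue
    is the padding the original computation applied. This works because the digest
    *is* the final internal state, so hashing can simply continue from it."""
    state = struct.unpack("<4I", known_digest)
    glue = md5_padding(known_len)
    return glue, md5(suffix, state=state, already_hashed=known_len + len(glue))


def extension_demo():
    """Constructed example: a naive tag MD5(secret || message) is extended without
    knowing `secret`. Returns True when the forged tag matches a direct computation."""
    secret = b"hypothetical-key"  # never seen by the forger
    message = b"amount=10&to=alice"
    tag = md5(secret + message)
    glue, forged_tag = extend_digest(tag, len(secret) + len(message), b"&to=mallory")
    forged_message = message + glue + b"&to=mallory"
    return forged_tag == hashlib.md5(secret + forged_message).digest()
```

<code>md5_hex</code> reproduces the three digests listed under "MD5 hashes" on this page. <code>extension_demo</code> is the reason MD5(key || message) is not a message authentication code even where collisions are irrelevant: the suffix-extension property is structural, and HMAC exists precisely to avoid it.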
<i>Note: Instead of the formulation from the original <a href="http://tools.ietf.org/html/rfc1321" class="external" title="http://tools.ietf.org/html/rfc1321">RFC 1321</a> shown above, the following equivalent expressions for the round-1 and round-2 functions use one fewer Boolean operation and may be used for improved efficiency. This mainly matters when writing assembly language; a compiler will generally optimise the code above anyway. Because each operation in these forms depends on the result of the previous one, whereas the two AND terms of the original forms can be computed in parallel, they are often no faster and can be slower on superscalar processors:</i></p> <pre>(0 ≤ i ≤ 15): f := d <b>xor</b> (b <b>and</b> (c <b>xor</b> d))
(16 ≤ i ≤ 31): f := c <b>xor</b> (d <b>and</b> (b <b>xor</b> c))
<br /></pre> <p><a name="MD5_hashes" id="MD5_hashes"></a></p> <h2><span class="editsection"></span><span class="mw-headline">MD5 hashes</span></h2> <p>The 128-bit (16-byte) MD5 hashes (also termed <i>message digests</i>) are typically represented as a sequence of 32 <a href="http://en.wikipedia.org/wiki/Hexadecimal" title="Hexadecimal">hexadecimal</a> digits. The following demonstrates a 43-byte <a href="http://en.wikipedia.org/wiki/ASCII" title="ASCII">ASCII</a> input and the corresponding MD5 hash:</p> <pre> MD5("<a href="http://en.wikipedia.org/wiki/The_quick_brown_fox_jumps_over_the_lazy_dog" title="The quick brown fox jumps over the lazy dog">The quick brown fox jumps over the lazy dog</a>")
<br />= 9e107d9d372bb6826bd81d3542a419d6
<br /></pre> <p>Even a small change in the message will (with overwhelming probability) result in a completely different hash, due to the <a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">avalanche effect</a>: on average about half of the 128 digest bits flip. (Avalanche is not collision resistance; the attacks cited in the notes below construct pairs of distinct inputs with identical MD5 digests.) For example, adding a period to the end of the sentence:</p> <pre> MD5("The quick brown fox jumps over the lazy dog<b>.</b>")
<br />= e4d909c290d0fb1ca068ffaddf22cbd0
<br /></pre> <p>The hash of the zero-length string is:</p> <pre> MD5("")
<br />= d41d8cd98f00b204e9800998ecf8427e
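
As an added worked example, and not code from the original article or from RFC 1321: the pseudocode above transcribed into Python 3 (standard library only). It uses the xor forms of F and G from the efficiency note, checks them against the and/or/not definitions in RFC 1321, verifies its digests against Python's hashlib and the three values listed in this section, and counts how many digest bits the trailing period flips. All names in it (md5, round_function, leftrotate, xor_forms_match_rfc, matches_hashlib, digest_bit_difference) and the sample messages are this example's own.

```python
# Added example, not from the original page: the MD5 pseudocode above
# transcribed into pure Python 3 (standard library only) and checked against
# hashlib. Function names and the sample messages are this example's own.
import hashlib
import math
import random

MASK32 = 0xFFFFFFFF

# Per-step left-rotation amounts r[i]: four rounds of 16 steps (RFC 1321).
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# k[i] = floor(abs(sin(i + 1)) * 2**32), exactly as the pseudocode derives it.
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def leftrotate(x, c):
    """32-bit rotate left: (x << c) or (x >> (32 - c)), masked to 32 bits."""
    return ((x << c) | (x >> (32 - c))) & MASK32


def round_function(i, b, c, d):
    """Return (f, g) for step i: the nonlinear mix of b, c, d and the index
    of the message word w[g] that this step consumes."""
    if i < 16:    # F, in the xor form from the efficiency note
        return d ^ (b & (c ^ d)), i
    if i < 32:    # G, likewise in xor form
        return c ^ (d & (b ^ c)), (5 * i + 1) % 16
    if i < 48:    # H
        return b ^ c ^ d, (3 * i + 5) % 16
    return c ^ (b | (~d & MASK32)), (7 * i) % 16   # I


def xor_forms_match_rfc(samples=1000):
    """Check the note's claim: the xor forms of F and G equal the RFC 1321
    forms F = (b and c) or (not b and d), G = (b and d) or (c and not d)."""
    rng = random.Random(1)   # fixed seed so the check is reproducible
    for _ in range(samples):
        b, c, d = (rng.getrandbits(32) for _ in range(3))
        f_rfc = (b & c) | ((~b & MASK32) & d)
        g_rfc = (b & d) | (c & (~d & MASK32))
        if d ^ (b & (c ^ d)) != f_rfc or c ^ (d & (b ^ c)) != g_rfc:
            return False
    return True


def md5(message):
    """Hex digest of `message` (bytes), following the pseudocode step by step."""
    h0, h1, h2, h3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Pre-processing: a single 1 bit, zero padding to 56 bytes mod 64, then
    # the original length in bits as a 64-bit little-endian integer.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += ((len(message) * 8) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little")

    for start in range(0, len(padded), 64):
        chunk = padded[start:start + 64]
        w = [int.from_bytes(chunk[j:j + 4], "little") for j in range(0, 64, 4)]
        a, b, c, d = h0, h1, h2, h3
        for i in range(64):
            f, g = round_function(i, b, c, d)
            temp = d
            d = c
            c = b
            b = (b + leftrotate((a + f + K[i] + w[g]) & MASK32, SHIFTS[i])) & MASK32
            a = temp
        # Add this chunk's result to the running state (mod 2**32).
        h0, h1, h2, h3 = ((h0 + a) & MASK32, (h1 + b) & MASK32,
                          (h2 + c) & MASK32, (h3 + d) & MASK32)

    # Digest: h0..h3 concatenated, each serialised little-endian.
    return b"".join(h.to_bytes(4, "little") for h in (h0, h1, h2, h3)).hex()


def matches_hashlib(message):
    """True when this implementation agrees with the reference one."""
    return md5(message) == hashlib.md5(message).hexdigest()


def digest_bit_difference(m1, m2):
    """How many of the 128 digest bits differ: the avalanche effect, counted."""
    return bin(int(md5(m1), 16) ^ int(md5(m2), 16)).count("1")


if __name__ == "__main__":
    fox = b"The quick brown fox jumps over the lazy dog"   # sample input
    for msg in (b"", fox, fox + b"."):
        print(md5(msg), "ok" if matches_hashlib(msg) else "MISMATCH", msg)
    print("xor forms match RFC 1321:", xor_forms_match_rfc())
    print("digest bits flipped by the trailing '.':", digest_bit_difference(fox, fox + b"."))
```

Run as a script it prints the three digests from this section and whether each agrees with hashlib. Calling matches_hashlib on messages of 55, 56 and 64 bytes exercises the padding boundary, which is where hand-written MD5 code most often goes wrong. Agreement with the reference digests says nothing about collision resistance: the attacks cited in the notes below produce pairs of distinct inputs with the same MD5 digest, so MD5 should not be relied on where an adversary can choose the inputs, such as signatures or code-signing checks.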
<br /></pre> <p><a name="Notes" id="Notes"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Notes</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-0"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-0" title="">^</a></b> Xiaoyun Wang and Hongbo Yu: <a href="http://web.archive.org/web/20070604205756/http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf" class="external text" title="http://web.archive.org/web/20070604205756/http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf" rel="nofollow">How to Break MD5 and Other Hash Functions</a>. Retrieved July 27, 2008</li><li id="cite_note-autogenerated1-1">^ <a href="http://en.wikipedia.org/wiki/MD5#cite_ref-autogenerated1_1-0" title=""><sup><i><b>a</b></i></sup></a> <a href="http://en.wikipedia.org/wiki/MD5#cite_ref-autogenerated1_1-1" title=""><sup><i><b>b</b></i></sup></a> Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo Yu: <a href="http://eprint.iacr.org/2004/199" class="external text" title="http://eprint.iacr.org/2004/199" rel="nofollow">Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD</a>, Cryptology ePrint Archive Report 2004/199, 16 Aug 2004, revised 17 Aug 2004. Retrieved July 27, 2008.</li><li id="cite_note-autogenerated2-2">^ <a href="http://en.wikipedia.org/wiki/MD5#cite_ref-autogenerated2_2-0" title=""><sup><i><b>a</b></i></sup></a> <a href="http://en.wikipedia.org/wiki/MD5#cite_ref-autogenerated2_2-1" title=""><sup><i><b>b</b></i></sup></a> J. Black, M. Cochran, T. Highland: <a href="http://www.cs.colorado.edu/%7Ejrblack/papers/md5e-full.pdf" class="external text" title="http://www.cs.colorado.edu/~jrblack/papers/md5e-full.pdf" rel="nofollow">A Study of the MD5 Attacks: Insights and Improvements</a>, March 3, 2006. 
Retrieved July 27, 2008.</li><li id="cite_note-3"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-3" title="">^</a></b> Marc Stevens, Arjen Lenstra, Benne de Weger: <a href="http://www.win.tue.nl/hashclash/SoftIntCodeSign/" class="external text" title="http://www.win.tue.nl/hashclash/SoftIntCodeSign/" rel="nofollow">Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5</a>, Nov 30, 2007. Retrieved July 27, 2008.</li><li id="cite_note-4"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-4" title="">^</a></b> Philip Hawkes and Michael Paddon and Gregory G. Rose: <a href="http://eprint.iacr.org/2004/264" class="external text" title="http://eprint.iacr.org/2004/264" rel="nofollow">Musings on the Wang et al. MD5 Collision</a>, 13 Oct 2004. Retrieved July 27, 2008.</li><li id="cite_note-5"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-5" title="">^</a></b> Arjen Lenstra, Xiaoyun Wang, Benne de Weger: <a href="http://eprint.iacr.org/2005/067" class="external text" title="http://eprint.iacr.org/2005/067" rel="nofollow">Colliding X.509 Certificates</a>, Cryptology ePrint Archive Report 2005/067, 1 Mar 2005, revised 6 May 2005. Retrieved July 27, 2008.</li><li id="cite_note-6"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-6" title="">^</a></b> Vlastimil Klima: <a href="http://eprint.iacr.org/2005/075" class="external text" title="http://eprint.iacr.org/2005/075" rel="nofollow">Finding MD5 Collisions – a Toy For a Notebook</a>, Cryptology ePrint Archive Report 2005/075, 5 Mar 2005, revised 8 Mar 2005. Retrieved July 27, 2008.</li><li id="cite_note-7"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-7" title="">^</a></b> Vlastimil Klima: <a href="http://eprint.iacr.org/2006/105" class="external text" title="http://eprint.iacr.org/2006/105" rel="nofollow">Tunnels in Hash Functions: MD5 Collisions Within a Minute</a>, Cryptology ePrint Archive Report 2006/105, 18 Mar 2006, revised 17 Apr 2006. 
Retrieved July 27, 2008.</li><li id="cite_note-8"><b><a href="http://en.wikipedia.org/wiki/MD5#cite_ref-8" title="">^</a></b> Steven J. Murdoch: <a href="http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/" class="external text" title="http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/" rel="nofollow">Google as a password cracker</a>, Light Blue Touchpaper Blog Archive, Nov 16, 2007. Retrieved July 27, 2008.</li></ol> </div> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <ul><li><cite style="font-style: normal;">Berson, Thomas A. (1992). "Differential Cryptanalysis Mod 2<sup>32</sup> with Applications to MD5". <i>EUROCRYPT</i>: 71–80. <a href="http://en.wikipedia.org/wiki/Special:BookSources/3540564136" class="internal">ISBN 3-540-56413-6</a>.</cite><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.btitle=EUROCRYPT&rft.atitle=Differential+Cryptanalysis+Mod+2%3Csup%3E32%3C%2Fsup%3E+with+Applications+to+MD5&rft.aulast=Berson&rft.aufirst=Thomas+A.&rft.date=1992&rft.pages=71%26ndash%3B80"><span style="display: none;"> </span></span></li><li><cite class="book" style="font-style: normal;">Bert den Boer; Antoon Bosselaers (1993). <i>Collisions for the Compression Function of MD5</i>, 293–304. <a href="http://en.wikipedia.org/wiki/Special:BookSources/3540576002" class="internal">ISBN 3-540-57600-2</a>.</cite><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Collisions+for+the+Compression+Function+of+MD5&rft.au=Bert+den+Boer%3B+Antoon+Bosselaers&rft.date=1993&rft.pages=293%26ndash%3B304"><span style="display: none;"> </span></span></li><li>Hans Dobbertin, Cryptanalysis of MD5 compress. 
Announcement on Internet, May 1996 <a href="http://citeseer.ist.psu.edu/dobbertin96cryptanalysis.html" class="external autonumber" title="http://citeseer.ist.psu.edu/dobbertin96cryptanalysis.html" rel="nofollow">[1]</a>.</li><li><cite style="font-style: normal;">Dobbertin, Hans (1996). "<a href="ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf" class="external text" title="ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf" rel="nofollow">The Status of MD5 After a Recent Attack</a>". <i>CryptoBytes</i> <b>2</b> (2).</cite><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=The+Status+of+MD5+After+a+Recent+Attack&rft.jtitle=CryptoBytes&rft.date=1996&rft.volume=2&rft.issue=2&rft.aulast=Dobbertin&rft.aufirst=Hans&rft_id=ftp%3A%2F%2Fftp.rsasecurity.com%2Fpub%2Fcryptobytes%2Fcrypto2n2.pdf"><span style="display: none;"> </span></span></li><li><cite style="font-style: normal;">Xiaoyun Wang; Hongbo Yu (2005). "<a href="http://www.infosec.sdu.edu.cn/uploadfile/papers/How%20to%20Break%20MD5%20and%20Other%20Hash%20Functions.pdf" class="external text" title="http://www.infosec.sdu.edu.cn/uploadfile/papers/How%20to%20Break%20MD5%20and%20Other%20Hash%20Functions.pdf" rel="nofollow">How to Break MD5 and Other Hash Functions</a>". <i>EUROCRYPT</i>. 
<a href="http://en.wikipedia.org/wiki/Special:BookSources/3540259104" class="internal">ISBN 3-540-25910-4</a>.</cite><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.btitle=EUROCRYPT&rft.atitle=How+to+Break+MD5+and+Other+Hash+Functions&rft.au=Xiaoyun+Wang%3B+Hongbo+Yu&rft.date=2005&rft_id=http%3A%2F%2Fwww.infosec.sdu.edu.cn%2Fuploadfile%2Fpapers%2FHow%2520to%2520Break%2520MD5%2520and%2520Other%2520Hash%2520Functions.pdf"><span style="display: none;"> </span></span></li></ul> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Md5deep" title="Md5deep">md5deep</a></li></ul> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://tools.ietf.org/html/rfc1321" class="external" title="http://tools.ietf.org/html/rfc1321">RFC 1321</a> <i>The MD5 Message-Digest Algorithm</i></li><li><a href="http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0" class="external text" title="http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0" rel="nofollow">W3C recommendation on MD5</a></li><li><a href="http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/" class="external text" title="http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/" rel="nofollow">Two colliding PostScript files with the same size</a></li><li><a href="http://www.mathstat.dal.ca/%7Eselinger/md5collision/" class="external text" title="http://www.mathstat.dal.ca/~selinger/md5collision/" rel="nofollow">Two colliding executable files</a></li><li><a href="http://e-cat.nm.ru/md5.html" class="external text" title="http://e-cat.nm.ru/md5.html" rel="nofollow">Delphi</a>, <a href="http://www.twmacinta.com/myjava/fast_md5.php" class="external text" title="http://www.twmacinta.com/myjava/fast_md5.php" rel="nofollow">Java</a>, <a href="http://pajhome.org.uk/crypt/md5/" class="external text" title="http://pajhome.org.uk/crypt/md5/" rel="nofollow">JavaScript</a>, <a href="http://www.cypherspace.org/adam/rsa/md5.html" class="external text" title="http://www.cypherspace.org/adam/rsa/md5.html" rel="nofollow">Perl</a>, <a href="http://www.php.net/manual/en/function.md5.php" class="external text" title="http://www.php.net/manual/en/function.md5.php" rel="nofollow">PHP</a>, and <a href="http://www.python.org/doc/current/lib/module-md5.html" class="external text" 
title="http://www.python.org/doc/current/lib/module-md5.html" rel="nofollow">Python</a> implementations of MD5</li><li><a href="http://hash-it.net/" class="external text" title="http://hash-it.net/" rel="nofollow">Online MD5 hash generator</a></li><li><a href="http://md5deep.sourceforge.net/" class="external text" title="http://md5deep.sourceforge.net/" rel="nofollow">Filesystem-based MD5 tool</a></li><li><a href="http://www.win.tue.nl/hashclash/" class="external text" title="http://www.win.tue.nl/hashclash/" rel="nofollow">MD5 Collision Generation</a></li></ul> <p><a name="Test_Vectors" id="Test_Vectors"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Test Vectors</span></h3> <p>The <a href="http://en.wikipedia.org/wiki/NESSIE" title="NESSIE">NESSIE</a> project <a href="https://www.cosic.esat.kuleuven.be/nessie/testvectors/index.html" class="external text" title="https://www.cosic.esat.kuleuven.be/nessie/testvectors/index.html" rel="nofollow">test vectors</a> for <a href="https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/md5/Md5-128.unverified.test-vectors" class="external text" title="https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/md5/Md5-128.unverified.test-vectors" rel="nofollow">MD5</a></p> <p>
<br /></p> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/MD5">http://en.wikipedia.org/wiki/MD5</a>"
<br /></div> <div id="mw-normal-catlinks"><a href="http://en.wikipedia.org/wiki/Special:Categories" title="Special:Categories">Categories</a>: <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Cryptographic_hash_functions" title="Category:Cryptographic hash functions">Cryptographic hash functions</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Checksum_algorithms" title="Category:Checksum algorithms">Checksum algorithms</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Articles_with_example_pseudocode" title="Category:Articles with example pseudocode">Articles with example pseudocode</a></span></div>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-22096808800614714752008-09-30T08:36:00.000-07:002008-09-30T08:41:44.357-07:00RSA In <a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">cryptography</a>, <b>RSA</b> is an <a href="http://en.wikipedia.org/wiki/Algorithm" title="Algorithm">algorithm</a> for <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">public-key cryptography</a>. It is the first algorithm known to be suitable for <a href="http://en.wikipedia.org/wiki/Digital_signature" title="Digital signature">signing</a> as well as encryption, and one of the first great advances in public key cryptography. RSA is widely used in <a href="http://en.wikipedia.org/wiki/Electronic_commerce" title="Electronic commerce">electronic commerce</a> protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. <table id="toc" class="toc" summary="Contents"> <tbody><tr> <td> <div id="toctitle"> <h2>Contents</h2> <span class="toctoggle">
<br /></span></div> <ul><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#History"><span class="tocnumber">1</span> <span class="toctext">History</span></a></li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#Operation"><span class="tocnumber">2</span> <span class="toctext">Operation</span></a> <ul><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Messages"><span class="tocnumber">2.1</span> <span class="toctext">Messages</span></a> <ul><li class="toclevel-3"><a href="http://en.wikipedia.org/wiki/RSA#Encryption:"><span class="tocnumber">2.1.1</span> <span class="toctext">Encryption:</span></a></li><li class="toclevel-3"><a href="http://en.wikipedia.org/wiki/RSA#Decryption:"><span class="tocnumber">2.1.2</span> <span class="toctext">Decryption:</span></a></li></ul> </li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#A_worked_example"><span class="tocnumber">2.2</span> <span class="toctext">A worked example</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Padding_schemes"><span class="tocnumber">2.3</span> <span class="toctext">Padding schemes</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Signing_messages"><span class="tocnumber">2.4</span> <span class="toctext">Signing messages</span></a></li></ul> </li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#Security"><span class="tocnumber">3</span> <span class="toctext">Security</span></a></li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#Practical_considerations"><span class="tocnumber">4</span> <span class="toctext">Practical considerations</span></a> <ul><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Key_generation"><span class="tocnumber">4.1</span> <span class="toctext">Key generation</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Speed"><span class="tocnumber">4.2</span> <span 
class="toctext">Speed</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Key_distribution"><span class="tocnumber">4.3</span> <span class="toctext">Key distribution</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Timing_attacks"><span class="tocnumber">4.4</span> <span class="toctext">Timing attacks</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Adaptive_chosen_ciphertext_attacks"><span class="tocnumber">4.5</span> <span class="toctext">Adaptive chosen ciphertext attacks</span></a></li><li class="toclevel-2"><a href="http://en.wikipedia.org/wiki/RSA#Branch_prediction_analysis_attacks"><span class="tocnumber">4.6</span> <span class="toctext">Branch prediction analysis attacks</span></a></li></ul> </li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#See_also"><span class="tocnumber">5</span> <span class="toctext">See also</span></a></li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#Notes"><span class="tocnumber">6</span> <span class="toctext">Notes</span></a></li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#References"><span class="tocnumber">7</span> <span class="toctext">References</span></a></li><li class="toclevel-1"><a href="http://en.wikipedia.org/wiki/RSA#External_links"><span class="tocnumber">8</span> <span class="toctext">External links</span></a></li></ul> </td> </tr> </tbody></table> <p><a name="History" id="History"></a></p> <h2><span class="mw-headline">History</span></h2> <p>The algorithm was publicly described in 1977 by <a href="http://en.wikipedia.org/wiki/Ron_Rivest" title="Ron Rivest">Ron Rivest</a>, <a href="http://en.wikipedia.org/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a>, and <a href="http://en.wikipedia.org/wiki/Leonard_Adleman" 
title="Leonard Adleman">Leonard Adleman</a> at <a href="http://en.wikipedia.org/wiki/Massachusetts_Institute_of_Technology" title="Massachusetts Institute of Technology">MIT</a>; the letters <b>RSA</b> are the initials of their surnames, listed in the same order as on the paper.<sup id="cite_ref-SIAM_0-0" class="reference"><a href="http://en.wikipedia.org/wiki/RSA#cite_note-SIAM-0" title="">[1]</a></sup></p> <p><a href="http://en.wikipedia.org/wiki/Clifford_Cocks" title="Clifford Cocks">Clifford Cocks</a>, a British <a href="http://en.wikipedia.org/wiki/Mathematician" title="Mathematician">mathematician</a> working for the <a href="http://en.wikipedia.org/wiki/United_Kingdom" title="United Kingdom">UK</a> intelligence agency <a href="http://en.wikipedia.org/wiki/Government_Communications_Headquarters" title="Government Communications Headquarters">GCHQ</a>, described an equivalent system in an internal document in 1973, but given the relatively expensive computers needed to implement it at the time, it was mostly considered a curiosity and, as far as is publicly known, was never deployed. His discovery, however, was not revealed until 1997 due to its top-secret classification, and Rivest, Shamir, and Adleman devised RSA independently of Cocks's work.</p> <p><a href="http://en.wikipedia.org/wiki/Massachusetts_Institute_of_Technology" title="Massachusetts Institute of Technology">MIT</a> was granted <a href="http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=US4405829" class="external text" title="http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=US4405829" rel="nofollow">US patent 4405829</a> for a "Cryptographic communications system and method" that used the algorithm in 1983. The patent expired on <a href="http://en.wikipedia.org/wiki/September_21" title="September 21">21 September</a> <a href="http://en.wikipedia.org/wiki/2000" title="2000">2000</a>. 
Since a paper describing the algorithm had been published in August 1977,<sup id="cite_ref-SIAM_0-1" class="reference"><a href="http://en.wikipedia.org/wiki/RSA#cite_note-SIAM-0" title="">[1]</a></sup> prior to the December 1977 <a href="http://en.wikipedia.org/wiki/Filing_date" title="Filing date">filing date</a> of the <a href="http://en.wikipedia.org/wiki/Patent_application" title="Patent application">patent application</a>, regulations in much of the rest of the world precluded <a href="http://en.wikipedia.org/wiki/Patent" title="Patent">patents</a> elsewhere and only the <a href="http://en.wikipedia.org/wiki/United_States" title="United States">US</a> patent was granted. Had Cocks's work been publicly known, a patent in the US might not have been possible either.</p> <p><a name="Operation" id="Operation"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Operation</span></h2> <p>RSA involves a public <a href="http://en.wikipedia.org/wiki/Key_%28cryptography%29" title="Key (cryptography)">key</a> and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. 
The keys for the RSA algorithm are generated the following way:</p> <ol><li>Choose two distinct large random <a href="http://en.wikipedia.org/wiki/Prime_number" title="Prime number">prime numbers</a> <span class="texhtml"><i>p</i></span> and <span class="texhtml"><i>q</i></span></li><li>Compute <img class="tex" alt="n = pq\," src="http://upload.wikimedia.org/math/6/8/d/68d74ff176503095ac4d06c909b68b6b.png" /> <ul><li><img class="tex" alt="n\," src="http://upload.wikimedia.org/math/a/9/5/a957404c96e59f1746f97ab668c8e1f8.png" /> is used as the <a href="http://en.wikipedia.org/wiki/Modular_arithmetic" title="Modular arithmetic">modulus</a> for both the public and private keys</li></ul> </li><li>Compute the <a href="http://en.wikipedia.org/wiki/Totient" title="Totient" class="mw-redirect">totient</a>: <img class="tex" alt="\varphi(n) = (p-1)(q-1) \," src="http://upload.wikimedia.org/math/5/a/9/5a92cc4fb89ba9160def68ddf50205b2.png" />.</li><li>Choose an integer <span class="texhtml"><i>e</i></span> such that <img class="tex" alt="1 < e < \varphi(n)" src="http://upload.wikimedia.org/math/5/b/8/5b8e85fcd4e4122799d95918630b0264.png" />, and <span class="texhtml"><i>e</i></span> and <img class="tex" alt="\varphi (n)" src="http://upload.wikimedia.org/math/4/0/b/40ba55cd3c58225334c65204b80c6ca3.png" /> share no factors other than <span class="texhtml">1</span> (i.e. 
<span class="texhtml"><i>e</i></span> and <img class="tex" alt="\varphi (n)" src="http://upload.wikimedia.org/math/4/0/b/40ba55cd3c58225334c65204b80c6ca3.png" /> are <a href="http://en.wikipedia.org/wiki/Coprime" title="Coprime">coprime</a>) <ul><li><span class="texhtml"><i>e</i></span> is released as the public key exponent</li></ul> </li><li>Compute <span class="texhtml"><i>d</i></span> to satisfy the <a href="http://en.wikipedia.org/wiki/Modular_arithmetic#The_congruence_relation" title="Modular arithmetic">congruence relation</a> <img class="tex" alt="d e \equiv 1\pmod{\varphi(n)}" src="http://upload.wikimedia.org/math/2/2/c/22c325275f6ed7e39fe52ceb615b62fb.png" />; i.e. <img class="tex" alt="de = 1 + k\varphi(n)" src="http://upload.wikimedia.org/math/6/4/d/64dff250d421366e3e5cfde6fe945c00.png" /> for some integer <span class="texhtml"><i>k</i></span>. <ul><li><span class="texhtml"><i>d</i></span> is kept as the private key exponent</li></ul> </li></ol> <p>Notes on the above steps:</p> <ul><li>Step 1: Numbers can be <a href="http://en.wikipedia.org/wiki/Primality_test#Probabilistic_tests" title="Primality test">probabilistically tested</a> for primality.</li><li>Step 3: changed in <a href="http://en.wikipedia.org/wiki/PKCS1" title="PKCS1">PKCS#1 v2.0</a> to <img class="tex" alt="\lambda(n) = {\rm lcm}(p-1, q-1) \," src="http://upload.wikimedia.org/math/5/b/d/5bd4042cb2f3efdc9d8baeaaf25214f0.png" />, where lcm is the <a href="http://en.wikipedia.org/wiki/Least_common_multiple" title="Least common multiple">least common multiple</a>, instead of <img class="tex" alt="\varphi(n) = (p-1)(q-1) \," src="http://upload.wikimedia.org/math/5/a/9/5a92cc4fb89ba9160def68ddf50205b2.png" />.</li><li>Step 4: A popular choice for the public exponents is <img class="tex" alt="e\," src="http://upload.wikimedia.org/math/b/5/f/b5f7e60e340c9674ec2f7559eb9505d5.png" /> = 2<sup>16</sup> + 1 = <a href="http://en.wikipedia.org/wiki/65537#In_mathematics" title="65537" 
class="mw-redirect">65537</a>. Some applications choose smaller values such as <img class="tex" alt="e\," src="http://upload.wikimedia.org/math/b/5/f/b5f7e60e340c9674ec2f7559eb9505d5.png" /> = 3, 5, 17 or 257 instead. This is done to make encryption and signature verification faster on small devices like smart cards but small public exponents can lead to greater security risks.<sup id="cite_ref-Boneh_1-0" class="reference"><a href="http://en.wikipedia.org/wiki/RSA#cite_note-Boneh-1" title="">[2]</a></sup></li><li>Steps 4 and 5 can be performed with the <a href="http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm" title="Extended Euclidean algorithm">extended Euclidean algorithm</a>; see <a href="http://en.wikipedia.org/wiki/Modular_arithmetic" title="Modular arithmetic">modular arithmetic</a>.</li></ul> <p>The <b>public key</b> consists of the modulus <img class="tex" alt="n\," src="http://upload.wikimedia.org/math/a/9/5/a957404c96e59f1746f97ab668c8e1f8.png" /> and the public (or encryption) exponent <img class="tex" alt="e\," src="http://upload.wikimedia.org/math/b/5/f/b5f7e60e340c9674ec2f7559eb9505d5.png" />. 
The <b>private key</b> consists of the modulus <img class="tex" alt="n\," src="http://upload.wikimedia.org/math/a/9/5/a957404c96e59f1746f97ab668c8e1f8.png" /> and the private (or decryption) exponent <img class="tex" alt="d\," src="http://upload.wikimedia.org/math/3/d/6/3d6de401d007ea0cffc99610ad623239.png" /> which must be kept secret.</p> <ul><li>For efficiency a different form of the <b>private key</b> can be stored: <ul><li><img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> and <img class="tex" alt="q\," src="http://upload.wikimedia.org/math/d/3/5/d35e628d4924b45b5200ab2b56b1efb8.png" />: the primes from the key generation,</li><li><img class="tex" alt="d\mod (p - 1)\," src="http://upload.wikimedia.org/math/f/c/3/fc31464e5670ea21dfef701d083363a5.png" /> and <img class="tex" alt="d\mod(q - 1)\," src="http://upload.wikimedia.org/math/f/0/4/f0495c185d3cc6ae499d07dfc97687ee.png" />,</li><li><img class="tex" alt="q^{-1} \mod(p)\," src="http://upload.wikimedia.org/math/c/2/5/c25e1475df44d0cb485ce742f6d6e0f8.png" />.</li></ul> </li><li>All parts of the private key must be kept secret in this form. <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> and <img class="tex" alt="q\," src="http://upload.wikimedia.org/math/d/3/5/d35e628d4924b45b5200ab2b56b1efb8.png" /> are sensitive since they are the factors of <img class="tex" alt="n\," src="http://upload.wikimedia.org/math/a/9/5/a957404c96e59f1746f97ab668c8e1f8.png" />, and allow computation of <img class="tex" alt="d\," src="http://upload.wikimedia.org/math/3/d/6/3d6de401d007ea0cffc99610ad623239.png" /> given <img class="tex" alt="e\," src="http://upload.wikimedia.org/math/b/5/f/b5f7e60e340c9674ec2f7559eb9505d5.png" />. 
If <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> and <img class="tex" alt="q\," src="http://upload.wikimedia.org/math/d/3/5/d35e628d4924b45b5200ab2b56b1efb8.png" /> are not stored in this form of the private key then they are securely deleted along with other intermediate values from key generation.</li><li>Although this form allows faster decryption and signing by using the <a href="http://en.wikipedia.org/wiki/Chinese_Remainder_Theorem" title="Chinese Remainder Theorem" class="mw-redirect">Chinese Remainder Theorem</a>, it is considerably less secure since it enables <a href="http://en.wikipedia.org/wiki/Side_channel_attack" title="Side channel attack" class="mw-redirect">side channel attacks</a>. This is a particular problem if implemented on <a href="http://en.wikipedia.org/wiki/Smart_cards" title="Smart cards" class="mw-redirect">smart cards</a>, which benefit most from the improved efficiency. (For example, start with <span class="texhtml"><i>y</i> = <i>x</i><sup><i>e</i></sup> mod <i>n</i></span> and let the card decrypt that: it computes <span class="texhtml"><i>y</i><sup><i>d</i></sup> (mod <i>p</i>)</span> and <span class="texhtml"><i>y</i><sup><i>d</i></sup> (mod <i>q</i>)</span> and combines the results into some value <span class="texhtml"><i>z</i></span>. Now, induce an error in one of the two computations. 
Then <span class="texhtml">gcd(<i>z</i> − <i>x</i>, <i>n</i>)</span> will reveal <span class="texhtml"><i>p</i></span> or <span class="texhtml"><i>q</i></span>.)</li></ul> <p><a name="Messages" id="Messages"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Messages</span></h3> <p><a name="Encryption:" id="Encryption:"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Encryption:</span></h4> <p><a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Alice</a> transmits her public key <img class="tex" alt="(n,e)\," src="http://upload.wikimedia.org/math/b/d/2/bd2c43b02cdf8bc0a8b975ad620cdcc3.png" /> to <a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Bob</a> and keeps the private key secret. Bob then wishes to send message <b>M</b> to Alice.</p> <p>He first turns <b>M</b> into a number <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" /> &lt; <img class="tex" alt="n\," src="http://upload.wikimedia.org/math/a/9/5/a957404c96e59f1746f97ab668c8e1f8.png" /> by using an agreed-upon reversible protocol known as a <a href="http://en.wikipedia.org/wiki/RSA#Padding_schemes" title="">padding scheme</a>. He then computes the ciphertext <img class="tex" alt="c\," src="http://upload.wikimedia.org/math/0/8/1/08163b03d3a58471d7f88fc4e581a282.png" /> corresponding to:</p> <dl><dd><img class="tex" alt=" c = m^e \mod{n}" src="http://upload.wikimedia.org/math/9/d/5/9d5c76b09c32b39de8ffb8b470845479.png" /></dd></dl> <p>This can be done quickly using the method of <a href="http://en.wikipedia.org/wiki/Exponentiation_by_squaring" title="Exponentiation by squaring">exponentiation by squaring</a>. 
Bob then transmits <img class="tex" alt="c\," src="http://upload.wikimedia.org/math/0/8/1/08163b03d3a58471d7f88fc4e581a282.png" /> to Alice.</p> <p><a name="Decryption:" id="Decryption:"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Decryption:</span></h4> <p>Alice can recover <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" /> from <img class="tex" alt="c\," src="http://upload.wikimedia.org/math/0/8/1/08163b03d3a58471d7f88fc4e581a282.png" /> by using her private key exponent <img class="tex" alt="d\," src="http://upload.wikimedia.org/math/3/d/6/3d6de401d007ea0cffc99610ad623239.png" /> by the following computation:</p> <dl><dd><img class="tex" alt="m = c^d \mod{n}." src="http://upload.wikimedia.org/math/7/9/e/79ed547b58b7d6385513ce2af975882e.png" /></dd></dl> <p>Given <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" />, she can recover the original message <b>M</b>.</p> <p>The above decryption procedure works because first</p> <dl><dd><img class="tex" alt="c^d \equiv (m^e)^d \equiv m^{ed}\pmod{n}" src="http://upload.wikimedia.org/math/2/d/1/2d111f9e4db279697a9ca902acf62c3a.png" />.</dd></dl> <p>Now, <img class="tex" alt="e d \equiv 1\pmod{(p - 1)(q - 1)}" src="http://upload.wikimedia.org/math/3/2/1/3213194effc8642f27fa5e621b6f8850.png" />, and hence</p> <dl><dd><img class="tex" alt="e d \equiv 1\pmod{p - 1}\," src="http://upload.wikimedia.org/math/8/1/9/819c8b695e1d04713a9dfd6a7b0de01e.png" /> and</dd><dd><img class="tex" alt="e d \equiv 1\pmod{q - 1}\," src="http://upload.wikimedia.org/math/4/c/2/4c224e3d2cd4e939770e15abad60db25.png" /></dd></dl> <p>which can also be written as</p> <dl><dd><img class="tex" alt="e d = k (p - 1) + 1\," src="http://upload.wikimedia.org/math/8/1/e/81eae562e215d252a4c93612eeb4a428.png" /> and</dd><dd><img class="tex" alt="e d = h (q - 1) + 1\," 
src="http://upload.wikimedia.org/math/6/9/e/69ee26f03715b28207a99e2ef7667a98.png" /></dd></dl> <p>for proper values of <img class="tex" alt="k\," src="http://upload.wikimedia.org/math/b/f/f/bff2e94865b44c361e46c4beb2b040fe.png" /> and <img class="tex" alt="h\," src="http://upload.wikimedia.org/math/7/c/4/7c4073ca34bcc95361750a3f1fddc7a8.png" />. If <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" /> is not a multiple of <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> then <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" /> and <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> are coprime because <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> is prime; so by <a href="http://en.wikipedia.org/wiki/Fermat%27s_little_theorem" title="Fermat's little theorem">Fermat's little theorem</a></p> <dl><dd><img class="tex" alt="m^{(p-1)} \equiv 1 \pmod{p}" src="http://upload.wikimedia.org/math/f/8/b/f8b48743b068230d74203c7029429fb6.png" /></dd></dl> <p>and therefore, using the first expression for <img class="tex" alt="e d\," src="http://upload.wikimedia.org/math/2/0/9/209de00a7b73e72852bdd42e53bba0a6.png" />,</p> <dl><dd><img class="tex" alt="m^{ed} = m^{k (p-1) + 1} = (m^{p-1})^k m \equiv {1}^k m = m \pmod{p}\," src="http://upload.wikimedia.org/math/5/c/c/5cc03acc707db5da9ca2adc001e66de2.png" />.</dd></dl> <p>If instead <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" /> is a multiple of <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" />, then</p> <dl><dd><img class="tex" alt="m^{ed} \equiv 0^{ed} = 0 \equiv m \pmod{p}" 
src="http://upload.wikimedia.org/math/5/c/f/5cfb5497787371716cdddb045e5051db.png" />.</dd></dl> <p>Using the second expression for <img class="tex" alt="e d\," src="http://upload.wikimedia.org/math/2/0/9/209de00a7b73e72852bdd42e53bba0a6.png" />, we similarly conclude that</p> <dl><dd><img class="tex" alt="m^{ed} \equiv m \pmod{q}\," src="http://upload.wikimedia.org/math/1/6/4/164c7ef21372562268ea64412c0aeb65.png" />.</dd></dl> <p>Since <img class="tex" alt="p\," src="http://upload.wikimedia.org/math/5/a/3/5a34bb082daf037b3c4b14c13af6855b.png" /> and <img class="tex" alt="q\," src="http://upload.wikimedia.org/math/d/3/5/d35e628d4924b45b5200ab2b56b1efb8.png" /> are distinct prime numbers, they are relatively prime to each other, so the fact that both primes divide <span class="texhtml"><i>m</i><sup><i>e</i><i>d</i></sup> − <i>m</i></span> implies their product <img class="tex" alt="pq\," src="http://upload.wikimedia.org/math/0/f/d/0fdf3db472bdbce9132271cefc0a7e58.png" /> divides <span class="texhtml"><i>m</i><sup><i>e</i><i>d</i></sup> − <i>m</i></span>, which means</p> <dl><dd><img class="tex" alt="m^{ed} \equiv m \pmod{pq}" src="http://upload.wikimedia.org/math/8/9/3/893547f87ba76f3055b02e1bad9c13f2.png" />.</dd></dl> <p>Thus,</p> <dl><dd><img class="tex" alt="c^d \equiv m \pmod{n}" src="http://upload.wikimedia.org/math/a/b/0/ab0d4106d074e1502a64f0c564af8aac.png" />.</dd></dl> <p><a name="A_worked_example" id="A_worked_example"></a></p> <h3><span class="editsection"></span><span class="mw-headline">A worked example</span></h3> <p>Here is an example of RSA encryption and decryption. 
The parameters used here are artificially small, but one can also <a href="http://en.wikibooks.org/wiki/Transwiki:Generate_a_keypair_using_OpenSSL" class="extiw" title="wikibooks:Transwiki:Generate a keypair using OpenSSL">use OpenSSL to generate and examine a real keypair</a>.</p> <ol><li>Choose two prime numbers <dl><dd><span class="texhtml"><i>p</i> = 61</span> and <span class="texhtml"><i>q</i> = 53</span></dd></dl> </li><li>Compute <img class="tex" alt="n = p q \," src="http://upload.wikimedia.org/math/6/8/d/68d74ff176503095ac4d06c909b68b6b.png" /> <dl><dd><span class="texhtml"><i>n</i> = 61 * 53 = 3233</span></dd></dl> </li><li>Compute the <a href="http://en.wikipedia.org/wiki/Totient" title="Totient" class="mw-redirect">totient</a> <img class="tex" alt="\varphi(n) = (p-1)(q-1) \," src="http://upload.wikimedia.org/math/5/a/9/5a92cc4fb89ba9160def68ddf50205b2.png" /> <dl><dd><img class="tex" alt="\varphi(n) = (61 - 1)(53 - 1) = 3120\," src="http://upload.wikimedia.org/math/b/2/b/b2b0ea91c8d25233ec5fefb9018f3c4b.png" /></dd></dl> </li><li>Choose <span class="texhtml"><i>e</i> > 1</span> coprime to 3120 <dl><dd><span class="texhtml"><i>e</i> = 17</span></dd></dl> </li><li>Compute <img class="tex" alt="d\," src="http://upload.wikimedia.org/math/3/d/6/3d6de401d007ea0cffc99610ad623239.png" /> such that <img class="tex" alt="d e \equiv 1\pmod{\varphi(n)}\," src="http://upload.wikimedia.org/math/f/e/3/fe32436d52a5ae3ea9648b05203a939c.png" /> e.g., by computing the <a href="http://en.wikipedia.org/wiki/Modular_multiplicative_inverse" title="Modular multiplicative inverse">modular multiplicative inverse</a> of <i>e</i> modulo <img class="tex" alt="\varphi(n)\," src="http://upload.wikimedia.org/math/1/3/4/134f4088d5c7021ac1acbf96f3b14f6d.png" />: <dl><dd><span class="texhtml"><i>d</i> = 2753</span></dd><dd>17 * 2753 = 46801 = 1 + 15 * 3120.</dd></dl> </li></ol> <p>
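The five key-generation steps above, the encryption and decryption functions, the CRT form of the private key from the previous section and the hash-then-sign procedure from the "Signing messages" section, run end to end on the article's own values (p = 61, q = 53, e = 17). This is an added example, not code from the article: the function names are mine, the extended Euclidean algorithm is written out rather than taken from a library, and reducing a SHA-256 digest modulo a 12-bit n is a toy stand-in for a real signature encoding such as RSA-PSS.

```python
"""Textbook RSA with the article's toy parameters (p = 61, q = 53, e = 17).

Added example, not code from the original article. Keys this small are for
illustration only; a real key uses a modulus of at least 2048 bits and a
padding scheme.
"""
import hashlib


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m (key-generation step 5); raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def keygen(p: int, q: int, e: int) -> dict:
    """Steps 2-5: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi, plus the CRT private-key form."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)                 # also verifies that e and phi are coprime (step 4)
    return {
        "n": n, "e": e, "d": d,
        # CRT form listed in the article: p, q, d mod (p-1), d mod (q-1), q^-1 mod p
        "p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1), "qinv": modinv(q, p),
    }


def encrypt(m: int, n: int, e: int) -> int:
    """c = m^e mod n; pow() does the square-and-multiply."""
    if not 0 <= m < n:
        raise ValueError("padded message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    """m = c^d mod n."""
    return pow(c, d, n)


def decrypt_crt(c: int, key: dict) -> int:
    """Same result as decrypt(), via the Chinese Remainder Theorem (Garner recombination)."""
    p, q = key["p"], key["q"]
    m1 = pow(c, key["dp"], p)          # c^d mod p, using d mod (p-1) as the exponent
    m2 = pow(c, key["dq"], q)          # c^d mod q
    h = (key["qinv"] * (m1 - m2)) % p
    return m2 + h * q


def sign(message: bytes, key: dict) -> int:
    """Hash-then-sign: s = H(M)^d mod n. Reducing the digest mod n is a toy, not RSA-PSS."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % key["n"]
    return pow(h, key["d"], key["n"])


def verify(message: bytes, sig: int, n: int, e: int) -> bool:
    """Recompute H(M), raise the signature to e mod n, and compare."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == h


if __name__ == "__main__":
    key = keygen(61, 53, 17)
    c = encrypt(123, key["n"], key["e"])
    print(key["d"], c, decrypt(c, key["n"], key["d"]), decrypt_crt(c, key))
```

Running it reproduces d = 2753, c = 855 for m = 123, and the CRT path recovers the same plaintext from (dp, dq, qinv) = (53, 49, 38); the article's warning about the CRT form applies to this code too, since a fault in either half-computation would leak a factor.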
<br />The <b>public key</b> is (<span class="texhtml"><i>n</i> = 3233</span>, <span class="texhtml"><i>e</i> = 17</span>). For a padded message <img class="tex" alt="m\," src="http://upload.wikimedia.org/math/7/9/d/79dd9720ffa5bbe026e23afc9ab4df3c.png" /> the encryption function is:</p> <dl><dd><img class="tex" alt="c = m^e\mod {n} = m^{17} \mod {3233}." src="http://upload.wikimedia.org/math/b/b/1/bb1e01b2138281a2f704d026def95abf.png" /></dd></dl> <p>The <b>private key</b> is (<span class="texhtml"><i>n</i> = 3233</span>, <span class="texhtml"><i>d</i> = 2753</span>). The decryption function is:</p> <dl><dd><img class="tex" alt="m = c^d\mod {n} = c^{2753} \mod {3233}." src="http://upload.wikimedia.org/math/c/2/6/c261c16f5a42757665878e174e3c59f1.png" /></dd></dl> <p>
<br />For example, to encrypt <span class="texhtml"><i>m</i> = 123</span>, we calculate</p> <dl><dd><img class="tex" alt="c = 123^{17}\mod {3233} = 855." src="http://upload.wikimedia.org/math/5/6/9/56911caa84284e3c050f2bbd5a568ed2.png" /></dd></dl> <p>To decrypt <span class="texhtml"><i>c</i> = 855</span>, we calculate</p> <dl><dd><img class="tex" alt="m = 855^{2753}\mod {3233} = 123" src="http://upload.wikimedia.org/math/6/4/3/6436b6eb89d64363f94ec9d9a6ee5cb4.png" />.</dd></dl> <p>Both of these calculations can be computed efficiently using the <a href="http://en.wikipedia.org/wiki/Square-and-multiply_algorithm" title="Square-and-multiply algorithm" class="mw-redirect">square-and-multiply algorithm</a> for <a href="http://en.wikipedia.org/wiki/Modular_exponentiation" title="Modular exponentiation">modular exponentiation</a>.</p> <p><a name="Padding_schemes" id="Padding_schemes"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Padding schemes</span></h3> <p>When used in practice, RSA is generally combined with some <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" title="Padding (cryptography)">padding scheme</a>. The goal of the padding scheme is to prevent a number of attacks that potentially work against RSA without padding:</p> <ul><li>When encrypting with low encryption exponents (e.g., <i>e</i> = 3) and small values of <i>m</i> (i.e., <i>m</i> &lt; <i>n</i><sup>1/<i>e</i></sup>), the result of <span class="texhtml"><i>m</i><sup><i>e</i></sup></span> is strictly less than the modulus <i>n</i>. 
In this case, ciphertexts can be easily decrypted by taking the <i>e</i>th root of the ciphertext over the integers.</li><li>If the same clear text message is sent to <i>e</i> or more recipients in an encrypted way, and the receivers share the same exponent <i>e</i>, but different <i>p</i>, <i>q</i>, and <i>n</i>, then it is easy to decrypt the original clear text message via the <a href="http://en.wikipedia.org/wiki/Chinese_remainder_theorem" title="Chinese remainder theorem">Chinese remainder theorem</a>. <a href="http://en.wikipedia.org/wiki/Johan_H%C3%A5stad" title="Johan Håstad">Johan Håstad</a> noticed that this attack is possible even if the cleartexts are not equal, but the attacker knows a linear relation between them<sup id="cite_ref-2" class="reference"><a href="http://en.wikipedia.org/wiki/RSA#cite_note-2" title="">[3]</a></sup>. This attack was later improved by <a href="http://en.wikipedia.org/wiki/Don_Coppersmith" title="Don Coppersmith">Don Coppersmith</a><sup id="cite_ref-3" class="reference"><a href="http://en.wikipedia.org/wiki/RSA#cite_note-3" title="">[4]</a></sup>.</li><li>Because RSA encryption is a <a href="http://en.wikipedia.org/wiki/Deterministic_algorithm" title="Deterministic algorithm">deterministic encryption algorithm</a> – i.e., has no random component – an attacker can successfully launch a <a href="http://en.wikipedia.org/wiki/Chosen_plaintext_attack" title="Chosen plaintext attack" class="mw-redirect">chosen plaintext attack</a> against the cryptosystem, by encrypting likely plaintexts under the public key and testing whether they are equal to the ciphertext. A cryptosystem is called <a href="http://en.wikipedia.org/wiki/Semantically_secure" title="Semantically secure" class="mw-redirect">semantically secure</a> if an attacker cannot distinguish two encryptions from each other even if the attacker knows (or has chosen) the corresponding plaintexts. 
As described above, RSA without padding is not semantically secure.</li><li>RSA has the property that the product of two ciphertexts is equal to the encryption of the product of the respective plaintexts. That is <img class="tex" alt="m_1^em_2^e\equiv (m_1m_2)^e\pmod{n}." src="http://upload.wikimedia.org/math/f/f/d/ffd7673e563482acf4edbc022157429b.png" /> Because of this multiplicative property a <a href="http://en.wikipedia.org/wiki/Chosen-ciphertext_attack" title="Chosen-ciphertext attack">chosen-ciphertext attack</a> is possible. E.g., an attacker who wants to know the decryption of a ciphertext <i>c</i> = <i>m</i><sup><i>e</i></sup> mod <i>n</i> may ask the holder of the secret key to decrypt an unsuspicious-looking ciphertext <span class="texhtml"><i>c</i>' = <i>c</i><i>r</i><sup><i>e</i></sup> mod <i>n</i></span> for some value <i>r</i> chosen by the attacker. Because of the multiplicative property <span class="texhtml"><i>c</i>'</span> is the encryption of <span class="texhtml"><i>m</i><i>r</i> mod <i>n</i></span>. Hence, if the attacker is successful with the attack, he will learn <span class="texhtml"><i>m</i><i>r</i> mod <i>n</i></span> from which he can derive the message <i>m</i> by multiplying <i>mr</i> with the modular inverse of <i>r</i> modulo <i>n</i>.</li></ul> <p>To avoid these problems, practical RSA implementations typically embed some form of structured, randomized <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" title="Padding (cryptography)">padding</a> into the value <i>m</i> before encrypting it. This padding ensures that <i>m</i> does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts.</p> <p>Standards such as <a href="http://en.wikipedia.org/wiki/PKCS1" title="PKCS1">PKCS#1</a> have been carefully designed to securely pad messages prior to RSA encryption. 
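Two of the properties listed above, determinism and the multiplicative property, and what a structured, randomized pad does about them, as an added example that is not code from the article. The key is a constructed toy built from two Mersenne primes (a 92-bit modulus), the pad layout is a hand-written sketch of the PKCS#1 v1.5 "marker, random fill, zero separator, message" structure rather than the standard itself, and the names encrypt_raw, pad, unpad, encrypt_padded and related_ciphertext_rejected are mine.

```python
"""Unpadded ("textbook") RSA is deterministic and multiplicative; a randomized,
structured pad removes both properties. Added example, not code from the
article. Toy key from two Mersenne primes (constructed); the pad layout is a
PKCS#1 v1.5-style sketch, not the real standard.
"""
import os

P = 2 ** 31 - 1                       # Mersenne prime M31 (constructed toy value)
Q = 2 ** 61 - 1                       # Mersenne prime M61 (constructed toy value)
N = P * Q                             # 92-bit modulus; real keys are 2048 bits or more
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # d = e^-1 mod phi(n) (Python 3.8+ modular inverse)
K = (N.bit_length() - 1) // 8         # 11: every K-byte block, read as an integer, is < N
MARKER = b"\x00\x02"                  # fixed structure the receiver checks
MIN_RANDOM = 4                        # at least this many random bytes per encryption


def encrypt_raw(m: int) -> int:
    """c = m^e mod n, no padding."""
    return pow(m, E, N)


def decrypt_raw(c: int) -> int:
    """m = c^d mod n, no padding check."""
    return pow(c, D, N)


def raw_is_deterministic(m: int) -> bool:
    """Same plaintext, same ciphertext: a guessed plaintext can be confirmed by re-encrypting it."""
    return encrypt_raw(m) == encrypt_raw(m)


def multiplicative_property_holds(m1: int, m2: int) -> bool:
    """E(m1) * E(m2) mod n decrypts to m1 * m2 mod n, as the list above states."""
    c = encrypt_raw(m1) * encrypt_raw(m2) % N
    return decrypt_raw(c) == (m1 * m2) % N


def pad(msg: bytes) -> int:
    """MARKER || non-zero random fill || 0x00 || msg, exactly K bytes, as an integer."""
    fill = K - len(MARKER) - 1 - len(msg)
    if fill < MIN_RANDOM:
        raise ValueError(f"message too long for this modulus (max {K - len(MARKER) - 1 - MIN_RANDOM} bytes)")
    rnd = bytes(b or 1 for b in os.urandom(fill))   # a zero byte would be mistaken for the separator
    return int.from_bytes(MARKER + rnd + b"\x00" + msg, "big")


def unpad(m: int):
    """Return the message, or None if the block lacks the exact structure pad() produces."""
    if m.bit_length() > 8 * K:
        return None
    block = m.to_bytes(K, "big")
    if block[: len(MARKER)] != MARKER:
        return None
    sep = block.find(b"\x00", len(MARKER))
    if sep < len(MARKER) + MIN_RANDOM:
        return None
    return block[sep + 1 :]


def encrypt_padded(msg: bytes) -> int:
    """Randomized: two encryptions of the same message give different ciphertexts."""
    return encrypt_raw(pad(msg))


def decrypt_padded(c: int):
    return unpad(decrypt_raw(c))


def related_ciphertext_rejected(c: int, r: int) -> bool:
    """c * r^e mod n decrypts to (padded m) * r mod n, which no longer starts with MARKER."""
    return decrypt_padded(c * pow(r, E, N) % N) is None


if __name__ == "__main__":
    c1, c2 = encrypt_padded(b"key1"), encrypt_padded(b"key1")
    print(c1 != c2, decrypt_padded(c1), related_ciphertext_rejected(c1, 2))
```

Note that unpad() answering "valid or not" is itself the kind of oracle the section goes on to mention for PKCS#1 v1.5, which is why current standards use OAEP; the point of the block is the property the pad gives, not a recommendation to hand-roll one.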
Because these schemes pad the plaintext <i>m</i> with some number of additional bits, the size of the un-padded message <i>M</i> must be somewhat smaller. RSA padding schemes must be carefully designed so as to prevent sophisticated attacks which may be facilitated by a predictable message structure. Early versions of the PKCS#1 standard (up to version 1.5) used a construction that turned RSA into a semantically secure encryption scheme. This version was later found vulnerable to a practical <a href="http://en.wikipedia.org/wiki/Adaptive_chosen_ciphertext_attack" title="Adaptive chosen ciphertext attack" class="mw-redirect">adaptive chosen ciphertext attack</a>. Later versions of the standard include <a href="http://en.wikipedia.org/wiki/Optimal_Asymmetric_Encryption_Padding" title="Optimal Asymmetric Encryption Padding">Optimal Asymmetric Encryption Padding</a> (OAEP), which prevents these attacks. The PKCS#1 standard also incorporates processing schemes designed to provide additional security for RSA signatures, e.g., the Probabilistic Signature Scheme for RSA (<a href="http://en.wikipedia.org/wiki/RSA-PSS" title="RSA-PSS" class="mw-redirect">RSA-PSS</a>).</p> <p><a name="Signing_messages" id="Signing_messages"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Signing messages</span></h3> <p>Suppose Alice uses Bob's public key to send him an encrypted message. In the message, she can claim to be Alice but Bob has no way of verifying that the message was actually from Alice since anyone can use Bob's public key to send him encrypted messages. So, in order to verify the origin of a message, RSA can also be used to <a href="http://en.wikipedia.org/wiki/Digital_signature" title="Digital signature">sign</a> a message.</p> <p>Suppose Alice wishes to send a signed message to Bob. She can use her own private key to do so. 
She produces a <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" title="Cryptographic hash function">hash value</a> of the message, raises it to the power of <i>d</i> mod <i>n</i> (as she does when decrypting a message), and attaches it as a "signature" to the message. When Bob receives the signed message, he uses the same hash algorithm in conjunction with Alice's public key. He raises the signature to the power of <i>e</i> mod <i>n</i> (as he does when encrypting a message), and compares the resulting hash value with the message's actual hash value. If the two agree, he knows that the author of the message was in possession of Alice's secret key, and that the message has not been tampered with since.</p> <p>Note that secure padding schemes such as <a href="http://en.wikipedia.org/wiki/RSA-PSS" title="RSA-PSS" class="mw-redirect">RSA-PSS</a> are as essential for the security of message signing as they are for message encryption, and that the same key should never be used for both encryption and signing purposes.</p> <p><a name="Security" id="Security"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Security</span></h2> 
<dl><dd><span class="boilerplate seealso"><i>See also: <a href="http://en.wikipedia.org/wiki/RSA_Factoring_Challenge" title="RSA Factoring Challenge">RSA Factoring Challenge</a> and <a href="http://en.wikipedia.org/wiki/Integer_factorization_records" title="Integer factorization records">Integer factorization records</a></i></span></dd></dl> <p>The security of the RSA cryptosystem is based on two mathematical problems: the problem of <a href="http://en.wikipedia.org/wiki/Integer_factorization" title="Integer factorization">factoring large numbers</a> and the <a href="http://en.wikipedia.org/wiki/RSA_problem" title="RSA problem">RSA problem</a>. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them. Providing security against <i>partial</i> decryption may require the addition of a secure <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" title="Padding (cryptography)">padding scheme</a>.</p> <p>The <a href="http://en.wikipedia.org/wiki/RSA_problem" title="RSA problem">RSA problem</a> is defined as the task of taking <i>e</i>th roots modulo a composite <i>n</i>: recovering a value <i>m</i> such that <i>c=m<sup>e</sup></i> mod n, where (<i>n</i>, <i>e</i>) is an RSA public key and <i>c</i> is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus <i>n</i>. With the ability to recover prime factors, an attacker can compute the secret exponent <i>d</i> from a public key (<i>n</i>, <i>e</i>), then decrypt <i>c</i> using the standard procedure. To accomplish this, an attacker factors <i>n</i> into <i>p</i> and <i>q</i>, and computes (<i>p</i>-1)(<i>q</i>-1) which allows the determination of <i>d</i> from <i>e</i>. 
No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists. See <a href="http://en.wikipedia.org/wiki/Integer_factorization" title="Integer factorization">integer factorization</a> for a discussion of this problem.</p> <p><a href="http://en.wikipedia.org/wiki/As_of_2005" title="As of 2005" class="mw-redirect">As of 2005</a>, the largest number factored by a general-purpose factoring algorithm was 663 bits long (see <a href="http://en.wikipedia.org/wiki/RSA-200" title="RSA-200" class="mw-redirect">RSA-200</a>), using a state-of-the-art distributed implementation. RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if <i>n</i> is sufficiently large. If <i>n</i> is 256 <a href="http://en.wikipedia.org/wiki/Bit" title="Bit">bits</a> or shorter, it can be factored in a few hours on a <a href="http://en.wikipedia.org/wiki/Personal_computer" title="Personal computer">personal computer</a>, using software already freely available. Keys of 512 bits (or less) have been shown to be practically breakable in <a href="http://en.wikipedia.org/wiki/1999" title="1999">1999</a> when <a href="http://en.wikipedia.org/wiki/RSA-155" title="RSA-155" class="mw-redirect">RSA-155</a> was factored by using several hundred computers. A theoretical hardware device named <a href="http://en.wikipedia.org/wiki/TWIRL" title="TWIRL">TWIRL</a> and described by Shamir and Tromer in 2003 called into question the security of 1024 bit keys. 
It is currently recommended that <i>n</i> be at least 2048 bits long.</p> <p>In 1994, <a href="http://en.wikipedia.org/wiki/Peter_Shor" title="Peter Shor">Peter Shor</a> published <a href="http://en.wikipedia.org/wiki/Shor%27s_algorithm" title="Shor's algorithm">Shor's algorithm</a>, showing that a <a href="http://en.wikipedia.org/wiki/Quantum_computer" title="Quantum computer">quantum computer</a> could in principle perform the factorization in <a href="http://en.wikipedia.org/wiki/Polynomial_time" title="Polynomial time">polynomial time</a>. However, quantum computation is still in the early stages of development and may never prove to be practical.</p> <p><a name="Practical_considerations" id="Practical_considerations"></a></p> <h2><span class="mw-headline">Practical considerations</span></h2> <p><a name="Key_generation" id="Key_generation"></a></p> <h3><span class="mw-headline">Key generation</span></h3> <p>Finding the large primes <i>p</i> and <i>q</i> is usually done by testing random numbers of the right size with probabilistic <a href="http://en.wikipedia.org/wiki/Primality_test" title="Primality test">primality tests</a>, which quickly eliminate virtually all non-primes.</p> <p><i>p</i> and <i>q</i> should not be 'too close', lest <a href="http://en.wikipedia.org/wiki/Fermat_factorization" title="Fermat factorization" class="mw-redirect">Fermat factorization</a> of <i>n</i> succeed: if |<i>p</i> − <i>q</i>| is less than 2<i>n</i><sup>1/4</sup> (about 2×10<sup>77</sup> for a 1024-bit <i>n</i>), Fermat's method recovers <i>p</i> and <i>q</i> on its very first iteration, so solving for them is trivial. 
Furthermore, if either <i>p</i>−1 or <i>q</i>−1 has only small prime factors, <i>n</i> can be factored quickly by <a href="http://en.wikipedia.org/wiki/Pollard%27s_p_-_1_algorithm" title="Pollard's p - 1 algorithm">Pollard's p − 1 algorithm</a>, so such values of <i>p</i> or <i>q</i> should be discarded as well.</p> <p>It is also important that the private exponent <i>d</i> be large enough. Michael J. Wiener showed<sup id="cite_ref-wiener_4-0" class="reference"><a href="http://en.wikipedia.org/wiki/RSA#cite_note-wiener-4">[5]</a></sup> that if <i>p</i> is between <i>q</i> and 2<i>q</i> (which is quite typical) and <i>d</i> < <i>n</i><sup>1/4</sup>/3, then <i>d</i> can be computed efficiently from <i>n</i> and <i>e</i> alone, using the continued-fraction expansion of <i>e</i>/<i>n</i>. There is no known attack against small public exponents such as <i>e</i> = 3, provided that proper padding is used. When no padding is used, or the padding is implemented improperly, small public exponents carry a greater risk of attack, for example the unpadded-plaintext vulnerability listed above. 65537 is the most commonly used value for <i>e</i>: it is large enough to avoid the known small-exponent attacks, and because it has only two 1 bits (2<sup>16</sup> + 1) encryption and signature verification remain cheap. 
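The three key-generation checks just described (Fermat factorization of primes that are too close, Pollard's p − 1 when p − 1 is smooth, Wiener's continued-fraction attack when d is small) together with the recovery of d from a factored n described in the security discussion, worked in code. This is an added example, not code from the article: the three keys are constructed at toy sizes (roughly 80-bit moduli) with deliberately weak parameters so that each check has something to find, the fixed Miller-Rabin bases are only deterministic below about 3.3×10^24 (far above anything tested here), and all function names are the example's own.

```python
"""Weak-key checks for RSA key generation, as added example code (not the
article's): Fermat factorisation, Pollard's p-1, Wiener's attack, and
recovery of d from a factored n.  Toy sizes; the keys are built to be weak."""
from math import gcd, isqrt

# Miller-Rabin with these fixed bases is deterministic for n < 3.3e24.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def fermat_factor(n, max_steps=10_000):
    """Fermat: first a >= ceil(sqrt(n)) with a^2 - n a perfect square.
    Succeeds on the first step whenever |p - q| < 2 * n**0.25."""
    for a in range(isqrt(n) + 1, isqrt(n) + 1 + max_steps):
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
    return None

def pollard_pm1(n, bound):
    """Pollard's p-1: returns p whenever p-1 divides bound! (p-1 smooth)."""
    a = 2
    for j in range(2, bound + 1):
        a = pow(a, j, n)
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
    return None

def wiener_attack(n, e):
    """Recover d from (n, e) when d < n**0.25 / 3 and q < p < 2q:
    k/d is then one of the continued-fraction convergents of e/n."""
    cf, a, b = [], e, n
    while b:
        q, a, b = a // b, b, a % b
        cf.append(q)
    h_prev, h, k_prev, k = 1, cf[0], 0, 1   # convergent recurrences
    convergents = [(h, k)]
    for q in cf[1:]:
        h, h_prev = q * h + h_prev, h
        k, k_prev = q * k + k_prev, k
        convergents.append((h, k))
    for kk, d in convergents:
        if kk == 0 or (e * d - 1) % kk:
            continue
        s = n - (e * d - 1) // kk + 1        # candidate p + q from candidate phi
        disc = s * s - 4 * n                 # candidate (p - q)^2
        if disc >= 0 and isqrt(disc) ** 2 == disc and (s + isqrt(disc)) % 2 == 0:
            return d
    return None

def private_exponent(e, p, q):
    """What an attacker computes once n = p*q is factored."""
    return pow(e, -1, (p - 1) * (q - 1))

def weak_keys():
    """Three constructed keys, each weak in exactly one of the ways above."""
    e = 65537
    p1 = next_prime(1 << 40)                 # 1. adjacent primes: |p - q| is tiny
    q1 = next_prime(p1 + 1)
    primorial = 2 * 3 * 5 * 7 * 11 * 13 * 17 * 19 * 23
    k = 1                                    # 2. p - 1 = k * primorial is 1000-smooth
    while not is_prime(k * primorial + 1):
        k += 1
    p2 = k * primorial + 1
    r = next_prime(1 << 40)                  #    q - 1 = 2r with r prime > 1000: not smooth
    while not is_prime(2 * r + 1):
        r = next_prime(r + 1)
    q2 = 2 * r + 1
    q3 = next_prime((1 << 40) + (1 << 39))   # 3. same bit length as p1, so p1 < q3 < 2*p1
    phi3 = (p1 - 1) * (q3 - 1)
    d3 = 1001                                #    small d chosen first, e derived from it
    while gcd(d3, phi3) != 1:
        d3 += 2
    return {"fermat": (p1 * q1, e, p1, q1),
            "pollard": (p2 * q2, e, p2, q2),
            "wiener": (p1 * q3, pow(d3, -1, phi3), p1, q3, d3)}
```

Call weak_keys() and feed each modulus to the matching check: fermat_factor recovers the adjacent primes at once, pollard_pm1 with bound 1000 returns the smooth-order prime, and wiener_attack returns the same d that private_exponent computes from the factors. A generator that rejects keys failing these checks (and, for real key sizes, uses a proper randomized primality test) is the positive form of the same code.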
The NIST Special Publication on Computer Security (SP 800-78 Rev 1 of August 2007) does not allow public exponents <i>e</i> smaller than 65537, but does not state a reason for this restriction.</p> <p><a name="Speed" id="Speed"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Speed</span></h3> <p><b>RSA</b> is much slower than <a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">DES</a> and other <a href="http://en.wikipedia.org/wiki/Symmetric_algorithm" title="Symmetric algorithm" class="mw-redirect">symmetric cryptosystems</a>. In practice, <a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Bob</a> typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice.</p> <p>This procedure raises additional security issues. For instance, it is of utmost importance to use a strong <a href="http://en.wikipedia.org/wiki/Random_number_generator" title="Random number generator" class="mw-redirect">random number generator</a> for the symmetric key, because otherwise Eve (an eavesdropper wanting to see what was sent) could bypass RSA by guessing the symmetric key.</p> <p><a name="Key_distribution" id="Key_distribution"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Key distribution</span></h3> <p>As with all ciphers, how RSA public keys are distributed is important to security. Key distribution must be secured against a <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" title="Man-in-the-middle attack">man-in-the-middle attack</a>. Suppose Eve has some way to give Bob arbitrary keys and make him believe they belong to Alice. Suppose further that Eve can <i>intercept</i> transmissions between Alice and Bob. Eve sends Bob her own public key, which Bob believes to be Alice's. 
Eve can then intercept any ciphertext sent by Bob, decrypt it with her own secret key, keep a copy of the message, encrypt the message with Alice's public key, and send the new ciphertext to Alice. In principle, neither Alice nor Bob would be able to detect Eve's presence. Defenses against such attacks are often based on <a href="http://en.wikipedia.org/wiki/Digital_certificate" title="Digital certificate" class="mw-redirect">digital certificates</a> or other components of a <a href="http://en.wikipedia.org/wiki/Public_key_infrastructure" title="Public key infrastructure">public key infrastructure</a>.</p> <p><a name="Timing_attacks" id="Timing_attacks"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Timing attacks</span></h3> <p><a href="http://en.wikipedia.org/wiki/Paul_Kocher" title="Paul Kocher">Kocher</a> described a new attack on <b>RSA</b> in 1995: if the attacker <i>Eve</i> knows <i>Alice's</i> hardware in sufficient detail and is able to measure the decryption times for several known ciphertexts, she can deduce the decryption key <i>d</i> quickly. This attack can also be applied against the <b>RSA</b> signature scheme. In <a href="http://en.wikipedia.org/wiki/2003" title="2003">2003</a>, <a href="http://en.wikipedia.org/wiki/Dan_Boneh" title="Dan Boneh">Boneh</a> and <a href="http://en.wikipedia.org/wiki/David_Brumley" title="David Brumley">Brumley</a> demonstrated a more practical attack capable of recovering <b>RSA</b> factorizations over a network connection (e.g., from a <a href="http://en.wikipedia.org/wiki/Secure_Socket_Layer" title="Secure Socket Layer" class="mw-redirect">Secure Socket Layer</a> (SSL)-enabled webserver). 
This attack exploits timing variations in the <a href="http://en.wikipedia.org/wiki/Chinese_remainder_theorem" title="Chinese remainder theorem">Chinese remainder theorem</a> optimization used by many RSA implementations, which works on <i>c</i> mod <i>p</i> and <i>c</i> mod <i>q</i> separately and therefore leaks information about the individual factors.</p> <p>One way to thwart these attacks is to make the decryption operation take the same amount of time for every ciphertext, but doing so can significantly reduce performance. Instead, most <b>RSA</b> implementations use an alternative technique known as <a href="http://en.wikipedia.org/wiki/Blinding_%28cryptography%29" title="Blinding (cryptography)">cryptographic blinding</a>, which relies on the multiplicative property of <b>RSA</b>. Instead of computing <i>c<sup>d</sup></i> mod <i>n</i> directly, Alice chooses a secret random value <i>r</i> (invertible modulo <i>n</i>) and computes (<i>r<sup>e</sup>c</i>)<sup><i>d</i></sup> mod <i>n</i>. Since <i>r<sup>ed</sup></i> ≡ <i>r</i> (mod <i>n</i>), the result is <i>rm</i> mod <i>n</i>, and Alice removes the factor <i>r</i> by multiplying by <i>r</i><sup>−1</sup> mod <i>n</i>. A fresh <i>r</i> is chosen for each ciphertext, so the value that is actually exponentiated is unknown to the attacker. 
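The CRT decryption that the remote timing attack targets, beside the blinded version described above, as an added example that is not code from the article. The key uses two Mersenne primes (2^61 − 1 and 2^31 − 1) purely because their primality is well known, so the block runs offline without a prime generator; the sizes are a toy, and Python's pow is not constant-time, so the block demonstrates the algebra of CRT and blinding, not a timing-safe implementation. All names are the example's own.

```python
"""RSA decryption three ways: plain c^d mod n, the CRT optimisation that
remote timing attacks exploit, and CRT wrapped in blinding.
Added example, not the article's code; toy key size."""
import math
import secrets

P = (1 << 61) - 1   # Mersenne prime, chosen only because its primality is well known
Q = (1 << 31) - 1   # likewise
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (gcd(E, PHI) == 1 for these primes)
DP = D % (P - 1)             # CRT exponents and coefficient, as stored in a
DQ = D % (Q - 1)             # PKCS#1 RSAPrivateKey
QINV = pow(Q, -1, P)

def encrypt(m):
    """Textbook RSA on an integer 0 <= m < N (no padding, for illustration only)."""
    return pow(m, E, N)

def decrypt_plain(c):
    """One full-size exponentiation, c^d mod n."""
    return pow(c, D, N)

def decrypt_crt(c):
    """Two half-size exponentiations plus Garner's recombination.  Faster than
    decrypt_plain, but the work done on c mod q depends on c, which is the
    signal a remote timing attack measures to recover q."""
    m1 = pow(c % P, DP, P)
    m2 = pow(c % Q, DQ, Q)
    h = (QINV * (m1 - m2)) % P
    return m2 + h * Q

def decrypt_blinded(c):
    """Blinding: exponentiate r^e * c instead of c, then strip r.
    (r^e * c)^d = r^(ed) * c^d = r * m (mod n), so multiplying by r^-1
    yields m, while the timing-sensitive code only ever sees a random value."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:   # r must be invertible mod n
            break
    blinded = (pow(r, E, N) * c) % N
    return (decrypt_crt(blinded) * pow(r, -1, N)) % N

def roundtrip_ok(m):
    """True if all three decryptions recover m from encrypt(m)."""
    c = encrypt(m)
    return decrypt_plain(c) == m == decrypt_crt(c) == decrypt_blinded(c)

if __name__ == "__main__":
    for m in (0, 1, 123456789, N - 1):
        print(m, roundtrip_ok(m))
```

The multiplicative property that makes blinding work is visible in the code: encrypt(2) · encrypt(3) mod N equals encrypt(6), which is also why unpadded RSA cannot resist chosen-ciphertext attacks and why a padding scheme is mandatory in practice.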
With blinding applied, the decryption time is no longer correlated with the value of the input ciphertext, and the timing attack fails.</p> <p><a name="Adaptive_chosen_ciphertext_attacks" id="Adaptive_chosen_ciphertext_attacks"></a></p> <h3><span class="mw-headline">Adaptive chosen ciphertext attacks</span></h3> <p>In <a href="http://en.wikipedia.org/wiki/1998" title="1998">1998</a>, <a href="http://en.wikipedia.org/wiki/Daniel_Bleichenbacher" title="Daniel Bleichenbacher">Daniel Bleichenbacher</a> described the first practical <a href="http://en.wikipedia.org/wiki/Adaptive_chosen_ciphertext_attack" title="Adaptive chosen ciphertext attack" class="mw-redirect">adaptive chosen ciphertext attack</a> against RSA-encrypted messages using the PKCS #1 v1.5 <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" title="Padding (cryptography)">padding scheme</a>. (A padding scheme randomizes and adds structure to a message before RSA encryption, so the decryptor can tell whether a decrypted message is well formed; if that verdict reaches the attacker, for example as a distinguishable error, the decryptor becomes a padding oracle.) Exploiting this flaw in PKCS #1 v1.5, Bleichenbacher mounted a practical attack against RSA-based implementations of the <a href="http://en.wikipedia.org/wiki/Secure_Socket_Layer" title="Secure Socket Layer" class="mw-redirect">Secure Socket Layer</a> protocol and recovered session keys. As a result of this work, cryptographers now recommend provably secure padding schemes such as <a href="http://en.wikipedia.org/wiki/Optimal_Asymmetric_Encryption_Padding" title="Optimal Asymmetric Encryption Padding">Optimal Asymmetric Encryption Padding</a>, and RSA Laboratories has released new versions of PKCS #1 that are not vulnerable to these attacks.</p> <p><a name="Branch_prediction_analysis_attacks" id="Branch_prediction_analysis_attacks"></a></p> <h3><span class="mw-headline">Branch prediction analysis attacks</span></h3> <p>Branch prediction analysis is commonly abbreviated BPA. 
Many processors use a <a href="http://en.wikipedia.org/wiki/Branch_predictor" title="Branch predictor">branch predictor</a> to guess whether a conditional branch in a program's instruction stream will be taken. Usually these processors also implement <a href="http://en.wikipedia.org/wiki/Simultaneous_multithreading" title="Simultaneous multithreading">simultaneous multithreading</a> (SMT), which lets a spy process run on the same core as the victim. Branch prediction analysis attacks use such a spy process to recover the private key statistically from the predictor state left behind by the victim's key-dependent branches during modular exponentiation.</p> <p>Simple Branch Prediction Analysis (SBPA) claims to improve on BPA by removing the need for statistical averaging. In their paper "On the Power of Simple Branch Prediction Analysis", the authors of SBPA (Onur Aciicmez, Cetin Kaya Koc and Jean-Pierre Seifert) claim to have recovered 508 of the 512 bits of an RSA key in 10 iterations.</p> <p><a name="See_also" id="See_also"></a></p> <h2><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Clifford_Cocks" title="Clifford Cocks">Clifford Cocks</a></li><li><a href="http://en.wikipedia.org/wiki/Quantum_cryptography" title="Quantum cryptography">Quantum cryptography</a></li><li><a href="http://en.wikipedia.org/wiki/Cryptographic_key_length" title="Cryptographic key length" class="mw-redirect">Cryptographic key length</a></li><li><a href="http://en.wikipedia.org/wiki/Computational_complexity_theory" title="Computational complexity theory">Computational complexity theory</a></li><li><a href="http://en.wikipedia.org/wiki/Diffie-Hellman" title="Diffie-Hellman" class="mw-redirect">Diffie-Hellman</a></li><li><a 
href="http://en.wikipedia.org/wiki/RSA_Factoring_Challenge" title="RSA Factoring Challenge">RSA Factoring Challenge</a></li><li><a href="http://en.wikipedia.org/wiki/List_of_software_patents" title="List of software patents">List of software patents</a></li></ul> <p><a name="Notes" id="Notes"></a></p> <h2><span class="mw-headline">Notes</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-SIAM-0">^ <a href="http://en.wikipedia.org/wiki/RSA#cite_ref-SIAM_0-0"><sup><i><b>a</b></i></sup></a> <a href="http://en.wikipedia.org/wiki/RSA#cite_ref-SIAM_0-1"><sup><i><b>b</b></i></sup></a> Sara Robinson, "Still Guarding Secrets after Years of Attacks, RSA Earns Accolades for its Founders", <a href="http://www.msri.org/people/members/sara/articles/rsa.pdf" class="external text" rel="nofollow"><i>SIAM News</i>, Volume 36, Number 5, June 2003</a>.</li><li id="cite_note-Boneh-1"><b><a href="http://en.wikipedia.org/wiki/RSA#cite_ref-Boneh_1-0">^</a></b> <cite style="font-style: normal;">Boneh, Dan (1999). "<a href="http://crypto.stanford.edu/%7Edabo/abstracts/RSAattack-survey.html" class="external text" rel="nofollow">Twenty Years of Attacks on the RSA Cryptosystem</a>". <i>Notices of the American Mathematical Society</i> <b>46</b> (2): pp. 203–213.</cite></li><li id="cite_note-2"><b><a href="http://en.wikipedia.org/wiki/RSA#cite_ref-2">^</a></b> Johan Håstad, "On Using RSA with Low Exponent in a Public Key Network", <i>Advances in Cryptology, CRYPTO '85</i>.</li><li id="cite_note-3"><b><a href="http://en.wikipedia.org/wiki/RSA#cite_ref-3">^</a></b> Don Coppersmith, "Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities", <i>Journal of Cryptology</i> <b>10</b> (4), December 1997.</li><li id="cite_note-wiener-4"><b><a href="http://en.wikipedia.org/wiki/RSA#cite_ref-wiener_4-0">^</a></b> <cite style="font-style: normal;" id="CITEREFWiener1990">Wiener, Michael J. (May 1990). "Cryptanalysis of Short RSA Secret Exponents". <i>IEEE Transactions on Information Theory</i> <b>36</b> (3): pp. 553–558. <a href="http://en.wikipedia.org/wiki/Digital_object_identifier" title="Digital object identifier">doi</a>:<a href="http://dx.doi.org/10.1109%2F18.54902" class="external text" rel="nofollow">10.1109/18.54902</a>.</cite></li></ol> </div> <p><a name="References" id="References"></a></p> <h2><span class="mw-headline">References</span></h2> <ul><li><cite class="book" style="font-style: normal;" id="Reference-Menezes-1996">Menezes, Alfred; Paul C. van Oorschot; Scott A. Vanstone (October 1996). <i>Handbook of Applied Cryptography</i>. CRC Press. <a href="http://en.wikipedia.org/wiki/Special:BookSources/0849385237" class="internal">ISBN 0-8493-8523-7</a>.</cite></li><li><cite style="font-style: normal;">Rivest, R.; A. Shamir; L. Adleman (1978). "<a href="http://theory.lcs.mit.edu/%7Erivest/rsapaper.pdf" class="external text" rel="nofollow">A Method for Obtaining Digital Signatures and Public-Key Cryptosystems</a>". <i>Communications of the ACM</i> <b>21</b> (2): pp. 120–126.</cite></li><li><cite class="book" style="font-style: normal;" id="Reference-Cormen-2001"><a href="http://en.wikipedia.org/wiki/Thomas_H._Cormen" title="Thomas H. Cormen">Cormen, Thomas H.</a>; <a href="http://en.wikipedia.org/wiki/Charles_E._Leiserson" title="Charles E. Leiserson">Charles E. Leiserson</a>; <a href="http://en.wikipedia.org/wiki/Ronald_L._Rivest" title="Ronald L. Rivest" class="mw-redirect">Ronald L. Rivest</a>; <a href="http://en.wikipedia.org/wiki/Clifford_Stein" title="Clifford Stein">Clifford Stein</a> (2001). <i><a href="http://en.wikipedia.org/wiki/Introduction_to_Algorithms" title="Introduction to Algorithms">Introduction to Algorithms</a></i>, 2nd ed., MIT Press and McGraw-Hill, pp. 881–887. <a href="http://en.wikipedia.org/wiki/Special:BookSources/0262032937" class="internal">ISBN 0-262-03293-7</a>.</cite></li></ul> <p><a name="External_links" id="External_links"></a></p> <h2><span class="mw-headline">External links</span></h2> <ul><li><a href="http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=4,405,829.PN.&OS=PN/4,405,829&RS=PN/4,405,829" class="external text" rel="nofollow">The Original RSA Patent</a> as filed with the U.S. Patent Office by Rivest; Ronald L. (Belmont, MA), Shamir; Adi (Cambridge, MA), Adleman; Leonard M. 
(Arlington, MA), December 14, 1977, Patent Number 4405829.</li><li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2125" class="external text" title="http://www.rsasecurity.com/rsalabs/node.asp?id=2125" rel="nofollow">PKCS #1: RSA Cryptography Standard</a> (<a href="http://en.wikipedia.org/wiki/RSA_Laboratories" title="RSA Laboratories" class="mw-redirect">RSA Laboratories</a> website) <ul><li>The <i><a href="http://en.wikipedia.org/wiki/PKCS" title="PKCS">PKCS</a> #1</i> <a href="http://en.wikipedia.org/wiki/Standardization" title="Standardization">standard</a> <i>"provides recommendations for the implementation of <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">public-key cryptography</a> based on the <b>RSA</b> algorithm, covering the following aspects: cryptographic <a href="http://en.wikipedia.org/wiki/Primitive_type" title="Primitive type">primitives</a>; <a href="http://en.wikipedia.org/wiki/Encryption" title="Encryption">encryption</a> schemes; <a href="http://en.wikipedia.org/wiki/Digital_signature" title="Digital signature">signature</a> schemes with appendix; <a href="http://en.wikipedia.org/wiki/ASN.1" title="ASN.1" class="mw-redirect">ASN.1</a> syntax for representing keys and for identifying the schemes"</i>.</li></ul> </li><li><a href="http://www.di-mgt.com.au/rsa_alg.html" class="external text" title="http://www.di-mgt.com.au/rsa_alg.html" rel="nofollow">Thorough walk through of RSA</a></li><li><a href="http://www.securecottage.com/demo/rsa2.html" class="external text" title="http://www.securecottage.com/demo/rsa2.html" rel="nofollow">RSA demo with Java and Javascript</a></li><li><a href="http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/" class="external text" title="http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/" rel="nofollow">RSA demo Applet</a></li><li><a href="http://www.muppetlabs.com/%7Ebreadbox/txt/rsa.html" class="external text" 
title="http://www.muppetlabs.com/~breadbox/txt/rsa.html" rel="nofollow">How the RSA Cipher Works</a></li><li><a href="http://www.cacr.math.uwaterloo.ca/hac/" class="external text" title="http://www.cacr.math.uwaterloo.ca/hac/" rel="nofollow">Menezes, Oorschot, Vanstone, Scott: <i>Handbook of Applied Cryptography</i> (free PDF downloads), see Chapter 8</a></li><li><a href="http://eprint.iacr.org/2006/351" class="external text" title="http://eprint.iacr.org/2006/351" rel="nofollow">Onur Aciicmez, Cetin Kaya Koc, Jean-Pierre Seifert: <i>On the Power of Simple Branch Prediction Analysis</i></a></li><li><a href="http://blog.cacert.org/2006/11/193.html" class="external text" title="http://blog.cacert.org/2006/11/193.html" rel="nofollow">A New Vulnerability In RSA Cryptography, CAcert NEWS Blog</a></li><li><a href="http://xyssl.org/code/source/rsa/" class="external text" title="http://xyssl.org/code/source/rsa/" rel="nofollow">Example of an RSA implementation with PKCS#1 padding (LGPL source code)</a></li><li><a href="http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf" class="external text" title="http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf" rel="nofollow">Kocher's article about timing attacks</a></li></ul> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/RSA">http://en.wikipedia.org/wiki/RSA</a>"
</div> vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-23874257875727559382008-09-30T08:34:00.000-07:002008-09-30T08:36:45.325-07:00 SHA <p>The <b>SHA hash functions</b> are a set of <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" title="Cryptographic hash function">cryptographic hash functions</a> designed by the <a href="http://en.wikipedia.org/wiki/National_Security_Agency" title="National Security Agency">National Security Agency</a> (NSA) and published by the <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">NIST</a> as a U.S. <a href="http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard" title="Federal Information Processing Standard">Federal Information Processing Standard</a>. SHA stands for <b>Secure Hash Algorithm</b>. The five algorithms are denoted <i>SHA-1</i>, <i>SHA-224</i>, <i>SHA-256</i>, <i>SHA-384</i>, and <i>SHA-512</i>. The latter four variants are sometimes collectively referred to as <i>SHA-2</i>. SHA-1 produces a message digest that is 160 bits long; the number in each of the other four algorithms' names denotes the bit length of the digest it produces.</p> <p>SHA-1 is the best established of the existing SHA hash functions, and is employed in several widely used security applications and protocols. 
In 2005, security flaws were identified in SHA-1, namely that a possible mathematical weakness might exist, indicating that a stronger hash function would be desirable.<sup id="cite_ref-0" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-0" title="">[1]</a></sup> Although no attacks have yet been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives.<sup id="cite_ref-1" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-1" title="">[2]</a></sup><sup id="cite_ref-2" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-2" title="">[3]</a></sup> A new hash function, to be known as SHA-3, is currently under development; it is to be selected via an open competition held in 2008 and made official in 2012.</p> <p><a name="The_hash_functions" id="The_hash_functions"></a></p> <h2><span class="editsection"></span><span class="mw-headline">The hash functions</span></h2> <p><a name="SHA-0_and_SHA-1" id="SHA-0_and_SHA-1"></a></p> <h3><span class="editsection"></span><span class="mw-headline">SHA-0 and SHA-1</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 302px;"><a href="http://en.wikipedia.org/wiki/Image:SHA-1.svg" class="image" title="One iteration within the SHA-1 compression function."><img alt="One iteration within the SHA-1 compression function." src="http://upload.wikimedia.org/wikipedia/commons/thumb/e/e2/SHA-1.svg/300px-SHA-1.svg.png" class="thumbimage" width="300" border="0" height="312" /></a> <div class="thumbcaption"> One iteration within the SHA-1 compression function. A, B, C, D and E are 32-bit words of the state; <i>F</i> is a nonlinear function that varies; ⋘<sub><i>n</i></sub> denotes a left bit rotation by <i>n</i> places; <i>n</i> varies for each operation. W<sub>t</sub> is the expanded message word of round t, K<sub>t</sub> is the round constant of round t. ⊞ denotes addition modulo 2<sup>32</sup>.</div> </div> </div> <p>The original specification of the algorithm was published in 1993 as the <i>Secure Hash Standard</i>, <a href="http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard" title="Federal Information Processing Standard">FIPS</a> PUB 180, by US government standards agency <a href="http://en.wikipedia.org/wiki/NIST" title="NIST" class="mw-redirect">NIST</a> (National Institute of Standards and Technology). This version is now often referred to as <i>SHA-0</i>. 
It was withdrawn by <a href="http://en.wikipedia.org/wiki/NSA" title="NSA" class="mw-redirect">NSA</a> shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as <i>SHA-1</i>. SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its <a href="http://en.wikipedia.org/wiki/One-way_compression_function" title="One-way compression function">compression function</a>; according to NSA, this was done to correct a flaw in the original algorithm that reduced its cryptographic security. However, NSA did not provide any further explanation or identify the flaw that was corrected. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA’s assertion that the change increased the security.</p> <p>SHA-1 (as well as SHA-0) produces a 160-bit digest from a <a href="http://en.wikipedia.org/wiki/Message" title="Message">message</a> with a maximum length of (2<sup>64</sup> − 1) bits and is based on principles similar to those used by <a href="http://en.wikipedia.org/wiki/Ron_Rivest" title="Ron Rivest">Ronald L. Rivest</a> of <a href="http://en.wikipedia.org/wiki/Massachusetts_Institute_of_Technology" title="Massachusetts Institute of Technology">MIT</a> in the design of the <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a> and <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a> message digest algorithms.</p> <p><a name="SHA-2_family" id="SHA-2_family"></a></p> <h3><span class="editsection"></span><span class="mw-headline">SHA-2 family</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 402px;"><a href="http://en.wikipedia.org/wiki/Image:SHA-2.svg" class="image" title="One iteration within the SHA-2 family compression function."><img alt="One iteration within the SHA-2 family compression function." src="http://upload.wikimedia.org/wikipedia/commons/thumb/7/7d/SHA-2.svg/400px-SHA-2.svg.png" class="thumbimage" width="400" border="0" height="282" /></a> <div class="thumbcaption"> One iteration within the SHA-2 family compression function.</div> </div> </div> <p>NIST published four additional hash functions in the SHA family, each with longer digests, collectively known as SHA-2. However, the term SHA-2 is not officially standardized.</p> <p>The individual variants are named after their digest lengths (in bits): SHA-224, SHA-256, SHA-384, and SHA-512. The latter three were first published in 2001 in the draft FIPS PUB 180-2, at which time review and comment were accepted. FIPS PUB 180-2, which also includes SHA-1, was released as an official standard in 2002. In February 2004, a change notice was published for FIPS PUB 180-2, specifying an additional variant, SHA-224, defined to match the key length of two-key <a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a>. These variants are patented in <a href="http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=US6829355" class="external text" title="http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=US6829355" rel="nofollow">US patent 6829355</a>. The <a href="http://en.wikipedia.org/wiki/United_States" title="United States">United States</a>, representing NSA, has released the patent under a royalty free license.<sup id="cite_ref-3" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-3" title="">[4]</a></sup></p> <p>SHA-256 and SHA-512 are novel hash functions computed with 32- and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. 
SHA-224 and SHA-384 are simply truncated versions of the first two, computed with different initial values.</p> <p>These new hash functions have not received as much scrutiny by the public cryptographic community as SHA-1 has, and so their cryptographic security is not yet as well-established. Gilbert and Handschuh (2003) have studied the newer variants and found no weaknesses.<sup id="cite_ref-4" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-4" title="">[5]</a></sup></p> <p><a name="SHA-3_.28in_development.29" id="SHA-3_.28in_development.29"></a></p> <h3><span class="editsection"></span><span class="mw-headline">SHA-3 (in development)</span></h3> <p>An open competition for a new SHA-3 function was formally announced in the <i><a href="http://en.wikipedia.org/wiki/Federal_Register" title="Federal Register">Federal Register</a></i> on November 2, 2007.<sup id="cite_ref-5" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-5" title="">[6]</a></sup> "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process" title="Advanced Encryption Standard process">development process</a> for the <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> (AES)."<sup id="cite_ref-6" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-6" title="">[7]</a></sup> Submissions are due October 31, 2008 and the proclamation of a winner and publication of the new standard are scheduled to take place in 2012.</p> <p><a name="Comparison_of_SHA_functions" id="Comparison_of_SHA_functions"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Comparison of SHA functions</span></h2> <p>In the table below, <i>internal state</i> means the “internal hash sum” after each compression of a data block; see <a 
href="http://en.wikipedia.org/wiki/Merkle-Damg%C3%A5rd_construction" title="Merkle-Damgård construction">Merkle-Damgård construction</a> for more details.</p> <table class="wikitable" border="1"> <tbody><tr> <th colspan="2">Algorithm and<br />variant</th> <th>Output size (bits)</th> <th>Internal state size (bits)</th> <th>Block size (bits)</th> <th>Max message size (bits)</th> <th>Word size (bits)</th> <th>Rounds</th> <th>Operations</th> <th><a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">Collisions</a> found</th> </tr> <tr align="center"> <td colspan="2"><b>SHA-0</b></td> <td>160</td> <td>160</td> <td>512</td> <td>2<sup>64</sup> − 1</td> <td>32</td> <td>80</td> <td>+,and,or,xor,rotl</td> <td>Yes</td> </tr> <tr align="center"> <td colspan="2"><b>SHA-1</b></td> <td>160</td> <td>160</td> <td>512</td> <td>2<sup>64</sup> − 1</td> <td>32</td> <td>80</td> <td>+,and,or,xor,rotl</td> <td>2<sup>63</sup> attack</td> </tr> <tr align="center"> <td rowspan="2"><b>SHA-2</b></td> <td><i>SHA-256/224</i></td> <td>256/224</td> <td>256</td> <td>512</td> <td>2<sup>64</sup> − 1</td> <td>32</td> <td>64</td> <td>+,and,or,xor,shr,rotr</td> <td>None</td> </tr> <tr align="center"> <td><i>SHA-512/384</i></td> <td>512/384</td> <td>512</td> <td>1024</td> <td>2<sup>128</sup> − 1</td> <td>64</td> <td>80</td> <td>+,and,or,xor,shr,rotr</td> <td>None</td> </tr> </tbody></table> <p><a name="Applications" id="Applications"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Applications</span></h2> <dl><dd> <div class="boilerplate seealso"><i>For more details on this topic, see <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#Applications" title="Cryptographic hash function">Cryptographic hash function#Applications</a>.</i></div> </dd></dl> <p>SHA-1 is the most widely employed of the SHA family. 
It forms part of several widely used security applications and protocols, including <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" title="Transport Layer Security">TLS</a> and <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer" title="Secure Sockets Layer" class="mw-redirect">SSL</a>, <a href="http://en.wikipedia.org/wiki/Pretty_Good_Privacy" title="Pretty Good Privacy">PGP</a>, <a href="http://en.wikipedia.org/wiki/Secure_Shell" title="Secure Shell">SSH</a>, <a href="http://en.wikipedia.org/wiki/S/MIME" title="S/MIME">S/MIME</a>, and <a href="http://en.wikipedia.org/wiki/IPsec" title="IPsec">IPsec</a>. Those applications can also use <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a>; both MD5 and SHA-1 are descended from <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a>. SHA-1 hashing is also used in <a href="http://en.wikipedia.org/wiki/Distributed_revision_control" title="Distributed revision control">distributed revision control</a> systems such as <a href="http://en.wikipedia.org/wiki/Git_%28software%29" title="Git (software)">Git</a>, <a href="http://en.wikipedia.org/wiki/Mercurial_%28software%29" title="Mercurial (software)">Mercurial</a>, and <a href="http://en.wikipedia.org/wiki/Monotone_%28software%29" title="Monotone (software)">Monotone</a> to identify revisions, and detect <a href="http://en.wikipedia.org/wiki/Data_corruption" title="Data corruption">data corruption</a> or tampering.</p> <p>SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the secure hash algorithms required by law for use in certain U. S. Government applications, including use within other cryptographic algorithms and protocols, for the protection of sensitive unclassified information. 
FIPS PUB 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations.</p> <p>A prime motivation for the publication of the Secure Hash Algorithm was the <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm" title="Digital Signature Algorithm">Digital Signature Standard</a>, in which it is incorporated.</p> <p>The SHA hash functions have been used as the basis for the <a href="http://en.wikipedia.org/wiki/SHACAL" title="SHACAL">SHACAL</a> <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block ciphers</a>.</p> <p><a name="Cryptanalysis_and_validation" id="Cryptanalysis_and_validation"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Cryptanalysis and validation</span></h2> <p>For a hash function with an <i>L</i>-bit message digest, finding a message that corresponds to a given message digest can always be done using a brute force search in 2<sup><i>L</i></sup> evaluations. This is called a <a href="http://en.wikipedia.org/wiki/Preimage_attack" title="Preimage attack">preimage attack</a> and may or may not be practical in a particular computing environment. Finding two different messages that produce the same message digest, known as a <i>collision,</i> requires on average only 2<sup><i>L</i>/2</sup> evaluations using a <a href="http://en.wikipedia.org/wiki/Birthday_attack" title="Birthday attack">birthday attack</a>. For the latter reason the strength of a hash function is usually compared to a symmetric cipher of half the message digest length. 
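</p> <p>Both costs can be observed at small scale. The Python block below is an added example, not code from this page, from NIST or from any library: it implements SHA-1 as specified in FIPS 180-1 with a switch that omits the single message-schedule rotation which the SHA-0 and SHA-1 section above names as the only difference between the two algorithms (so the switch yields SHA-0), and it then truncates SHA-1 digests to a short <i>L</i> to count how many evaluations a collision and a preimage actually take. The message naming scheme, the 16-bit truncation and the hashlib cross-check are choices of this example, not of the standard.</p>

```python
# Added example (not from the page, NIST or any library): a from-scratch
# SHA-1 with a SHA-0 switch, plus a truncated-digest cost experiment that
# shows the 2**(L/2) collision bound against the 2**L preimage bound.
import hashlib
import itertools
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n places."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1(message: bytes, sha0: bool = False) -> bytes:
    """SHA-1 per FIPS 180-1. With sha0=True the rotl(.., 1) in the message
    schedule is omitted; that one rotation is the only difference between
    SHA-0 and SHA-1, so the function then computes SHA-0."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, 64-bit big-endian bit length.
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_len)
    for off in range(0, len(padded), 64):          # one 512-bit block per iteration
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):                     # expand 16 words to 80
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            w.append(x if sha0 else rotl(x, 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check of the SHA-1 above against the platform implementation."""
    return sha1(message) == hashlib.sha1(message).digest()


def truncated(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(message): a stand-in for a hash function whose
    digest length L is `bits`. hashlib is used here purely for speed."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") >> (160 - bits)


def birthday_collision(bits: int):
    """Return (m1, m2, evaluations) for two distinct messages with equal truncated
    digests, by remembering every digest seen: expected cost about 2**(bits/2)."""
    seen = {}
    for i in itertools.count():
        m = b"birthday-%d" % i               # constructed message family
        d = truncated(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m


def preimage_search(target: int, bits: int, limit: int):
    """Return (message, evaluations) for a message whose truncated digest equals
    target, by brute force: expected cost about 2**bits. None if limit is hit."""
    for i in range(limit):
        m = b"preimage-%d" % i               # constructed message family
        if truncated(m, bits) == target:
            return m, i + 1
    return None


if __name__ == "__main__":
    print("SHA-1(abc) =", sha1(b"abc").hex(), "ok" if matches_hashlib(b"abc") else "MISMATCH")
    print("SHA-0(abc) =", sha1(b"abc", sha0=True).hex())
    L = 16
    m1, m2, n = birthday_collision(L)
    print(f"{L}-bit collision after {n} evaluations (2^(L/2) = {2 ** (L // 2)})")
    target = truncated(b"document to sign", L)
    found = preimage_search(target, L, 8 << L)
    if found is None:
        print(f"no {L}-bit preimage within {8 << L} evaluations")
    else:
        print(f"{L}-bit preimage after {found[1]} evaluations (2^L = {2 ** L})")
```

On a 16-bit truncation the collision typically appears after a few hundred evaluations while the preimage needs tens of thousands, the 2<sup><i>L</i>/2</sup> versus 2<sup><i>L</i></sup> gap described above.
<p>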
Thus SHA-1 was originally thought to have 80-bit strength.</p> <p>Cryptographers have produced collision pairs for SHA-0 and have found algorithms that should produce SHA-1 collisions in far fewer than the originally expected 2<sup>80</sup> evaluations.</p> <p>In terms of practical security, a major concern about these new attacks is that they might pave the way to more efficient ones. Whether this is the case has yet to be seen, but a migration to stronger hashes is believed to be prudent. Some of the applications that use cryptographic hashes, such as password storage, are only minimally affected by a collision attack. Constructing a password that works for a given account requires a preimage attack, as well as access to the hash of the original password (typically in the <i>shadow</i> file), which may or may not be trivial. Reversing a password hash (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on <a href="http://en.wikipedia.org/wiki/Password_strength" title="Password strength">weak passwords</a>.)</p> <p>In the case of document signing, an attacker could not simply fake a signature from an existing document—the attacker would have to produce a pair of documents, one innocuous and one damaging, and get the private key holder to sign the innocuous document. 
There are practical circumstances in which this is possible.</p> <p><a name="SHA-0" id="SHA-0"></a></p> <h3><span class="editsection"></span><span class="mw-headline">SHA-0</span></h3> <p>At <a href="http://en.wikipedia.org/wiki/CRYPTO_%28conference%29" title="CRYPTO (conference)">CRYPTO</a> 98, two French researchers, <a href="http://en.wikipedia.org/w/index.php?title=Florent_Chabaud&action=edit&redlink=1" class="new" title="Florent Chabaud (page does not exist)">Florent Chabaud</a> and <a href="http://en.wikipedia.org/w/index.php?title=Antoine_Joux&action=edit&redlink=1" class="new" title="Antoine Joux (page does not exist)">Antoine Joux</a>, presented an attack on SHA-0 (<a href="http://fchabaud.free.fr/English/Publications/sha.pdf" class="external text" title="http://fchabaud.free.fr/English/Publications/sha.pdf" rel="nofollow">Chabaud and Joux, 1998</a>): <a href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">collisions</a> can be found with complexity 2<sup>61</sup>, fewer than the 2<sup>80</sup> for an ideal hash function of the same size.</p> <p>In 2004, <a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Biham</a> and Chen found near-collisions for SHA-0 — two messages that hash to nearly the same value; in this case, 142 out of the 160 bits are equal. They also found full collisions of SHA-0 reduced to 62 out of its 80 rounds.</p> <p>Subsequently, on <a href="http://en.wikipedia.org/wiki/August_12" title="August 12">12 August</a> <a href="http://en.wikipedia.org/wiki/2004" title="2004">2004</a>, a collision for the full SHA-0 algorithm was announced by Joux, Carribault, Lemuet, and Jalby. This was done by using a generalization of the Chabaud and Joux attack. 
Finding the collision had complexity 2<sup>51</sup> and took about 80,000 CPU hours on a <a href="http://en.wikipedia.org/wiki/Supercomputer" title="Supercomputer">supercomputer</a> with 256 <a href="http://en.wikipedia.org/wiki/Itanium_2" title="Itanium 2" class="mw-redirect">Itanium 2</a> processors.</p> <p>On <a href="http://en.wikipedia.org/wiki/August_17" title="August 17">17 August</a> <a href="http://en.wikipedia.org/wiki/2004" title="2004">2004</a>, at the Rump Session of CRYPTO 2004, preliminary results were announced by <a href="http://en.wikipedia.org/wiki/Xiaoyun_Wang" title="Xiaoyun Wang" class="mw-redirect">Wang</a>, Feng, Lai, and Yu, about an attack on <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a>, SHA-0 and other hash functions. The complexity of their attack on SHA-0 is 2<sup>40</sup>, significantly better than the attack by Joux <i>et al.</i><sup id="cite_ref-7" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-7" title="">[8]</a></sup><sup id="cite_ref-8" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-8" title="">[9]</a></sup></p> <p>In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced which could find collisions in SHA-0 in 2<sup>39</sup> operations.<sup id="cite_ref-autogenerated1_9-0" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-autogenerated1-9" title="">[10]</a></sup><sup id="cite_ref-10" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-10" title="">[11]</a></sup></p> <p><a name="SHA-1" id="SHA-1"></a></p> <h3><span class="editsection"></span> <span class="mw-headline">SHA-1</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 402px;"><a href="http://en.wikipedia.org/wiki/Image:Shahmac.jpg" class="image" title="SHA-1 HMAC Generation."><img alt="SHA-1 HMAC Generation." src="http://upload.wikimedia.org/wikipedia/en/thumb/3/36/Shahmac.jpg/400px-Shahmac.jpg" class="thumbimage" width="400" border="0" height="320" /></a> <div class="thumbcaption"> SHA-1 HMAC Generation.</div> </div> </div> <p>In light of the results for SHA-0, some experts suggested that plans for the use of SHA-1 in new <a href="http://en.wikipedia.org/wiki/Cryptosystem" title="Cryptosystem">cryptosystems</a> should be reconsidered. After the CRYPTO 2004 results were published, NIST announced that they planned to phase out the use of SHA-1 by 2010 in favor of the SHA-2 variants.<sup id="cite_ref-11" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-11" title="">[12]</a></sup></p> <p>In early 2005, <a href="http://en.wikipedia.org/wiki/Vincent_Rijmen" title="Vincent Rijmen">Rijmen</a> and <a href="http://en.wikipedia.org/w/index.php?title=Elisabeth_Oswald&action=edit&redlink=1" class="new" title="Elisabeth Oswald (page does not exist)">Oswald</a> published an attack on a reduced version of SHA-1 — 53 out of 80 rounds — which finds collisions with a computational effort of fewer than 2<sup>80</sup> operations.<sup id="cite_ref-12" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-12" title="">[13]</a></sup></p> <p>In February 2005, an attack by <a href="http://en.wikipedia.org/wiki/Xiaoyun_Wang" title="Xiaoyun Wang" class="mw-redirect">Xiaoyun Wang</a>, <a href="http://en.wikipedia.org/w/index.php?title=Yiqun_Lisa_Yin&action=edit&redlink=1" class="new" title="Yiqun Lisa Yin (page does not exist)">Yiqun Lisa Yin</a>, and <a href="http://en.wikipedia.org/w/index.php?title=Hongbo_Yu&action=edit&redlink=1" class="new" title="Hongbo Yu (page does not exist)">Hongbo Yu</a> was 
announced.<sup id="cite_ref-autogenerated1_9-1" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-autogenerated1-9" title="">[10]</a></sup> The attacks can find collisions in the full version of SHA-1, requiring fewer than 2<sup>69</sup> operations. (A <a href="http://en.wikipedia.org/wiki/Brute-force_search" title="Brute-force search">brute-force search</a> would require 2<sup>80</sup> operations.)</p> <p>The authors write: "In particular, our analysis is built upon the original differential attack on SHA0 [<i>sic</i>], the near collision attack on SHA0, the multiblock collision techniques, as well as the message modification techniques used in the collision search attack on MD5. Breaking SHA1 would not be possible without these powerful analytical techniques."<sup id="cite_ref-13" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-13" title="">[14]</a></sup> The authors have presented a collision for 58-round SHA-1, found with 2<sup>33</sup> hash operations. 
The paper with the full attack description was published in August 2005 at the CRYPTO conference.</p> <p>In an interview, Yin states that, "Roughly, we exploit the following two weaknesses: One is that the file preprocessing step is not complicated enough; another is that certain math operations in the first 20 rounds have unexpected security problems."<sup id="cite_ref-14" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-14" title="">[15]</a></sup></p> <p>On <a href="http://en.wikipedia.org/wiki/August_17" title="August 17">17 August</a> <a href="http://en.wikipedia.org/wiki/2005" title="2005">2005</a>, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity required for finding a collision in SHA-1 to 2<sup>63</sup>.<sup id="cite_ref-15" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-15" title="">[16]</a></sup> On <a href="http://en.wikipedia.org/wiki/December_18" title="December 18">18 December</a> <a href="http://en.wikipedia.org/wiki/2007" title="2007">2007</a> the details of this result were explained and verified by Martin Cochran.<sup id="cite_ref-16" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-16" title="">[17]</a></sup></p> <p>Christophe De Cannière and Christian Rechberger further improved the attack on SHA-1 in "Finding SHA-1 Characteristics: General Results and Applications,"<sup id="cite_ref-17" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-17" title="">[18]</a></sup> receiving the Best Paper Award at <a href="http://en.wikipedia.org/wiki/ASIACRYPT" title="ASIACRYPT" class="mw-redirect">ASIACRYPT</a> <a href="http://en.wikipedia.org/wiki/2006" title="2006">2006</a>. 
A two-block collision for 64-round SHA-1 was presented, found using unoptimized methods with 2<sup>35</sup> compression function evaluations.</p> <p>As this attack requires the equivalent of about 2<sup>35</sup> evaluations, it is considered to be a significant theoretical break.<sup id="cite_ref-18" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-18" title="">[19]</a></sup> To find an actual collision, however, a massive distributed computing effort or very large parallel supercomputer such as those possessed by <a href="http://en.wikipedia.org/wiki/NSA" title="NSA" class="mw-redirect">NSA</a> would be required. To that end, a collision search for SHA-1 using the distributed computing platform <a href="http://en.wikipedia.org/wiki/BOINC" title="BOINC" class="mw-redirect">BOINC</a> is currently being made by the <a href="http://en.wikipedia.org/wiki/Graz_University_of_Technology" title="Graz University of Technology">Graz University of Technology</a>.<sup id="cite_ref-19" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-19" title="">[20]</a></sup></p> <p>At the Rump Session of CRYPTO 2006, Christian Rechberger and Christophe De Cannière claimed to have discovered a collision attack on SHA-1 that would allow an attacker to select at least parts of the message.<sup id="cite_ref-20" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-20" title="">[21]</a></sup><sup id="cite_ref-21" class="reference"><a href="http://en.wikipedia.org/wiki/SHA#cite_note-21" title="">[22]</a></sup></p> <p><a name="Official_validation" id="Official_validation"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Official validation</span></h3> <dl><dd> <div class="noprint relarticle mainarticle"><i>Main article: <a href="http://en.wikipedia.org/wiki/CMVP" title="CMVP" class="mw-redirect">CMVP</a></i></div> </dd></dl> <p>Implementations of all FIPS-approved security functions can be officially validated through 
the <a href="http://en.wikipedia.org/wiki/CMVP" title="CMVP" class="mw-redirect">CMVP program</a>, jointly run by the <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> (NIST) and the <a href="http://en.wikipedia.org/wiki/Communications_Security_Establishment" title="Communications Security Establishment" class="mw-redirect">Communications Security Establishment</a> (CSE). For informal verification, NIST makes a package that generates a large number of test vectors available for download on its site; such informal verification, however, does not replace the formal CMVP validation, which is required by law for certain applications.</p> <p><a href="http://en.wikipedia.org/wiki/As_of_2006" title="As of 2006" class="mw-redirect">As of October 2006</a>, there are more than 500 validated implementations of SHA-1, with fewer than ten of them capable of handling messages with a length in bits not a multiple of eight (see <a href="http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm" class="external text" title="http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm" rel="nofollow">SHS Validation List</a>). 
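As an added example that is not part of this page or of any validated product, the following Python implements SHA-1 and SHA-256 directly from the FIPS 180 pseudocode reproduced in the Examples and pseudocode section, together with SHA-224 as the variant the page describes (different initial values, h7 dropped from the output). It then performs the informal kind of verification discussed above: the digests are compared with the standard's published "abc" test vectors and with Python's hashlib at message lengths around the 448/512-bit padding boundary. The code is the editor's own; it handles byte-aligned messages only, so it is not one of the bit-length-capable implementations the validation list distinguishes, and the SHA-224 initial values are taken from FIPS 180-2 rather than from this page.

```python
# Added example (not the page's code): SHA-1 and SHA-256/SHA-224 written from the
# FIPS 180 pseudocode, cross-checked against the "abc" test vectors and hashlib.
# Byte-aligned messages only; bit-length messages are not supported.
import hashlib
import struct

MASK32 = 0xFFFFFFFF

def rotl(x, n):  # 32-bit left rotation
    return ((x << n) | (x >> (32 - n))) & MASK32

def rotr(x, n):  # 32-bit right rotation
    return ((x >> n) | (x << (32 - n))) & MASK32

def pad(message):
    """Append bit '1', zeros up to 448 mod 512 bits, then the 64-bit big-endian bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(message) * 8)

def sha1(message):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad(message)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16L", padded[off:off + 64]))
        for i in range(16, 80):  # message schedule: extend 16 words to 80
            w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[i]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5L", *h)

K256 = [  # round constants, as listed in the SHA-256 pseudocode
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
H256 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
# SHA-224 = SHA-256 with these initial values (from FIPS 180-2) and h7 dropped from the output.
H224 = [0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4]

def _sha2_32(message, init, out_words):
    h = list(init)
    padded = pad(message)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16L", padded[off:off + 64]))
        for i in range(16, 64):  # message schedule: extend 16 words to 64
            s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK32)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK32
            ch = (e & f) ^ (~e & g)
            t1 = (hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ch + K256[i] + w[i]) & MASK32
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK32, c, b, a, (t1 + t2) & MASK32
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">%dL" % out_words, *h[:out_words])

def sha256(message):
    return _sha2_32(message, H256, 8)

def sha224(message):
    return _sha2_32(message, H224, 7)

def self_check():
    """Informal verification: published 'abc' vectors, then hashlib on padding edge cases."""
    assert sha1(b"abc").hex() == "a9993e364706816aba3e25717850c26c9cd0d89d"
    assert sha256(b"abc").hex() == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    assert sha224(b"abc").hex() == "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7"
    for n in (0, 55, 56, 63, 64, 119, 120, 1000):  # lengths around the 448/512-bit boundary
        m = bytes(i % 256 for i in range(n))  # constructed sample input
        assert sha1(m) == hashlib.sha1(m).digest()
        assert sha256(m) == hashlib.sha256(m).digest()
        assert sha224(m) == hashlib.sha224(m).digest()
    return True
```

Running self_check() exercises the padding path at every length around the block boundary, which is exactly where an implementation that reproduces the standard's short examples can still diverge from the NIST validation vectors; passing it is informal verification only and says nothing about CMVP status.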
Note also that some implementations available on the Internet do not digest the NIST validation vectors correctly, although they may correctly process the examples listed in the SHA-1 standard.</p> <p><a name="Examples_and_pseudocode" id="Examples_and_pseudocode"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Examples and pseudocode</span></h2> <p><a name="Example_hashes" id="Example_hashes"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Example hashes</span></h3> <dl><dd> <div class="noprint relarticle mainarticle"><i>Main article: <a href="http://en.wikipedia.org/wiki/Examples_of_SHA_digests" title="Examples of SHA digests">Examples of SHA digests</a></i></div> </dd></dl> <p>The following are examples of SHA-1 digests. <a href="http://en.wikipedia.org/wiki/ASCII" title="ASCII">ASCII</a> encoding is assumed for all messages.</p> <pre>SHA1("<a href="http://en.wikipedia.org/wiki/The_quick_brown_fox_jumps_over_the_lazy_dog" title="The quick brown fox jumps over the lazy dog">The quick brown fox jumps over the lazy dog</a>")<br />= 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12<br /></pre> <p>Even a small change in the message will, with overwhelming probability, result in a completely different hash due to the <a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">avalanche effect</a>. 
For example, changing <code>dog</code> to <code>cog</code>:</p> <pre>SHA1("The quick brown fox jumps over the lazy <b>c</b>og")<br />= de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3<br /></pre> <p><a name="SHA-1_pseudocode" id="SHA-1_pseudocode"></a></p> <h3><span class="editsection"></span><span class="mw-headline">SHA-1 pseudocode</span></h3> <p><a href="http://en.wikipedia.org/wiki/Pseudocode" title="Pseudocode">Pseudocode</a> for the SHA-1 algorithm follows:</p> <pre><span style="color: green;"><i>Note: All variables are unsigned 32 bits and wrap modulo 2<sup>32</sup> when calculating</i></span><br /><br /><span style="color: green;"><i>Initialize variables:</i></span><br />h0 = 0x67452301<br />h1 = 0xEFCDAB89<br />h2 = 0x98BADCFE<br />h3 = 0x10325476<br />h4 = 0xC3D2E1F0<br /><br /><span style="color: green;"><i>Pre-processing:</i></span><br />append the bit '1' to the message<br />append k bits '0', where k is the minimum number ≥ 0 such that the resulting message<br /> length (in <i>bits</i>) is <a href="http://en.wikipedia.org/wiki/Modular_arithmetic" title="Modular arithmetic">congruent</a> to 448 (mod 512)<br />append length of message (before pre-processing), in <i>bits</i>, as 64-bit <a href="http://en.wikipedia.org/wiki/Endianness" title="Endianness">big-endian</a> integer<br /><br /><span style="color: green;"><i>Process the message in successive 512-bit chunks:</i></span><br />break message into 512-bit chunks<br /><b>for</b> each chunk<br /> break chunk into sixteen 32-bit big-endian words w[i], 0 <= i <= 15<br /><br /> <span style="color: green;"><i>Extend the sixteen 32-bit words into eighty 32-bit words:</i></span><br /> <b>for</b> i <b>from</b> 16 to 79<br /> w[i] = (w[i-3] <b>xor</b> w[i-8] <b>xor</b> w[i-14] <b>xor</b> w[i-16]) <b><a href="http://en.wikipedia.org/wiki/Circular_shift" title="Circular shift">leftrotate</a></b> 1<br /><br /> <span style="color: green;"><i>Initialize hash value for this chunk:</i></span><br /> a = h0<br /> b = h1<br 
/> c = h2<br /> d = h3<br /> e = h4<br /><br /> <span style="color: green;"><i>Main loop:</i></span><br /> <b>for</b> i <b>from</b> 0 to 79<br /> <b>if</b> 0 ≤ i ≤ 19 <b>then</b><br /> f = (b <b>and</b> c) <b>or</b> ((<b>not</b> b) <b>and</b> d)<br /> k = 0x5A827999<br /> <b>else if</b> 20 ≤ i ≤ 39<br /> f = b <b>xor</b> c <b>xor</b> d<br /> k = 0x6ED9EBA1<br /> <b>else if</b> 40 ≤ i ≤ 59<br /> f = (b <b>and</b> c) <b>or</b> (b <b>and</b> d) <b>or</b> (c <b>and</b> d)<br /> k = 0x8F1BBCDC<br /> <b>else if</b> 60 ≤ i ≤ 79<br /> f = b <b>xor</b> c <b>xor</b> d<br /> k = 0xCA62C1D6<br /><br /> temp = (a <b>leftrotate</b> 5) + f + e + k + w[i]<br /> e = d<br /> d = c<br /> c = b <b>leftrotate</b> 30<br /> b = a<br /> a = temp<br /><br /> <span style="color: green;"><i>Add this chunk's hash to result so far:</i></span><br /> h0 = h0 + a<br /> h1 = h1 + b<br /> h2 = h2 + c<br /> h3 = h3 + d<br /> h4 = h4 + e<br /><br /><span style="color: green;"><i>Produce the final hash value (big-endian):</i></span><br />digest = hash = h0 <b>append</b> h1 <b>append</b> h2 <b>append</b> h3 <b>append</b> h4<br /></pre> <p>Instead of the formulation from the original FIPS PUB 180-1 shown, the following equivalent expressions may be used to compute <code>f</code> in the main loop above:</p> <pre>(0 ≤ i ≤ 19): f = d <b>xor</b> (b <b>and</b> (c <b>xor</b> d)) <span style="color: green;"><i>(alternative 1)</i></span><br />(0 ≤ i ≤ 19): f = (b <b>and</b> c) <b>xor</b> ((<b>not</b> b) <b>and</b> d) <span style="color: green;"><i>(alternative 2)</i></span><br />(0 ≤ i ≤ 19): f = (b <b>and</b> c) + ((<b>not</b> b) <b>and</b> d) <span style="color: green;"><i>(alternative 3)</i></span><br /><br />(40 ≤ i ≤ 59): f = (b <b>and</b> c) <b>or</b> (d <b>and</b> (b <b>or</b> c)) <span style="color: green;"><i>(alternative 1)</i></span><br />(40 ≤ i ≤ 59): f = (b <b>and</b> c) <b>or</b> (d <b>and</b> (b <b>xor</b> c)) <span style="color: green;"><i>(alternative 2)</i></span><br />(40 ≤ i ≤ 59): f = (b 
<b>and</b> c) + (d <b>and</b> (b <b>xor</b> c)) <span style="color: green;"><i>(alternative 3)</i></span><br />(40 ≤ i ≤ 59): f = (b <b>and</b> c) <b>xor</b> (b <b>and</b> d) <b>xor</b> (c <b>and</b> d) <span style="color: green;"><i>(alternative 4)</i></span><br /></pre> <p><a name="SHA-256_.28a_SHA-2_variant.29_pseudocode" id="SHA-256_.28a_SHA-2_variant.29_pseudocode"></a></p> <h3><span class="editsection"></span><span class="mw-headline">SHA-256 (a SHA-2 variant) pseudocode</span></h3> <p><a href="http://en.wikipedia.org/wiki/Pseudocode" title="Pseudocode">Pseudocode</a> for the SHA-256 algorithm follows. Note the great increase in mixing between bits of the <code>w[16..63]</code> words compared to SHA-1.</p> <pre><span style="color: green;"><i>Note: All variables are unsigned 32 bits and wrap modulo 2<sup>32</sup> when calculating</i></span><br /><br /><span style="color: green;"><i>Initialize variables</i></span><br /><span style="color: green;">(first 32 bits of the <em>fractional parts</em> of the square roots of the first 8 primes 2..19):</span><br />h0 := 0x6a09e667<br />h1 := 0xbb67ae85<br />h2 := 0x3c6ef372<br />h3 := 0xa54ff53a<br />h4 := 0x510e527f<br />h5 := 0x9b05688c<br />h6 := 0x1f83d9ab<br />h7 := 0x5be0cd19<br /><br /><span style="color: green;"><i>Initialize table of round constants</i></span><br /><span style="color: green;">(first 32 bits of the <em>fractional parts</em> of the cube roots of the first 64 primes 2..311):</span><br />k[0..63] :=<br /> 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,<br /> 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,<br /> 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,<br /> 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,<br /> 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 
0x92722c85,<br /> 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,<br /> 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,<br /> 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2<br /><br /><span style="color: green;"><i>Pre-processing:</i></span><br />append the bit '1' to the message<br />append k bits '0', where k is the minimum number >= 0 such that the resulting message<br /> length (in <i>bits</i>) is <a href="http://en.wikipedia.org/wiki/Modular_arithmetic" title="Modular arithmetic">congruent</a> to 448 (mod 512)<br />append length of message (before pre-processing), in <i>bits</i>, as 64-bit big-endian integer<br /><br /><span style="color: green;"><i>Process the message in successive 512-bit chunks:</i></span><br />break message into 512-bit chunks<br /><b>for</b> each chunk<br /> break chunk into sixteen 32-bit big-endian words w[0..15]<br /><br /> <span style="color: green;"><i>Extend the sixteen 32-bit words into sixty-four 32-bit words:</i></span><br /> <b>for</b> i <b>from</b> 16 to 63<br /> s0 := (w[i-15] <b>rightrotate</b> 7) <b>xor</b> (w[i-15] <b>rightrotate</b> 18) <b>xor</b> (w[i-15] <b>rightshift</b> 3)<br /> s1 := (w[i-2] <b>rightrotate</b> 17) <b>xor</b> (w[i-2] <b>rightrotate</b> 19) <b>xor</b> (w[i-2] <b>rightshift</b> 10)<br /> w[i] := w[i-16] <b>+</b> s0 <b>+</b> w[i-7] <b>+</b> s1<br /><br /> <span style="color: green;"><i>Initialize hash value for this chunk:</i></span><br /> a := h0<br /> b := h1<br /> c := h2<br /> d := h3<br /> e := h4<br /> f := h5<br /> g := h6<br /> h := h7<br /><br /> <span style="color: green;"><i>Main loop:</i></span><br /> <b>for</b> i <b>from</b> 0 to 63<br /> s0 := (a <b>rightrotate</b> 2) <b>xor</b> (a <b>rightrotate</b> 13) <b>xor</b> (a <b>rightrotate</b> 22)<br /> maj := (a <b>and</b> b) <b>xor</b> (a <b>and</b> c) <b>xor</b> (b <b>and</b> c)<br /> t2 := s0 + maj<br 
/> s1 := (e <b>rightrotate</b> 6) <b>xor</b> (e <b>rightrotate</b> 11) <b>xor</b> (e <b>rightrotate</b> 25)<br /> ch := (e <b>and</b> f) <b>xor</b> ((<b>not</b> e) <b>and</b> g)<br /> t1 := h + s1 + ch + k[i] + w[i]<br /><br /> h := g<br /> g := f<br /> f := e<br /> e := d + t1<br /> d := c<br /> c := b<br /> b := a<br /> a := t1 + t2<br /><br /> <span style="color: green;"><i>Add this chunk's hash to result so far:</i></span><br /> h0 := h0 + a<br /> h1 := h1 + b<br /> h2 := h2 + c<br /> h3 := h3 + d<br /> h4 := h4 + e<br /> h5 := h5 + f<br /> h6 := h6 + g<br /> h7 := h7 + h<br /><br /><span style="color: green;"><i>Produce the final hash value (big-endian):</i></span><br />digest = hash = h0 <b>append</b> h1 <b>append</b> h2 <b>append</b> h3 <b>append</b> h4 <b>append</b> h5 <b>append</b> h6 <b>append</b> h7<br /></pre> <p>The <code>ch</code> and <code>maj</code> functions can be optimized the same way as described for SHA-1.</p> <p>SHA-224 is identical to SHA-256, except that:</p> <ul><li>the initial variable values <code>h0</code> through <code>h7</code> are different, and</li><li>the output is constructed by omitting <code>h7</code>.</li></ul> <p>SHA-512 is identical in structure, but:</p> <ul><li>all numbers are 64 bits long,</li><li>there are 80 rounds instead of 64,</li><li>the initial values and additive constants are extended to 64 bits, and</li><li>the shift and rotate amounts used are different.</li></ul> <p>SHA-384 is identical to SHA-512, except that:</p> <ul><li>the initial values <code>h0</code> through <code>h7</code> are different, and</li><li>the output is constructed by omitting <code>h6</code> and <code>h7</code>.</li></ul> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Digital_timestamping" title="Digital timestamping" class="mw-redirect">Digital timestamping</a></li><li><a 
href="http://en.wikipedia.org/wiki/Hash_collision" title="Hash collision">Hash collision</a></li><li><a href="http://en.wikipedia.org/wiki/Hashcash" title="Hashcash">Hashcash</a></li><li><a href="http://en.wikipedia.org/wiki/RIPEMD-160" title="RIPEMD-160" class="mw-redirect">RIPEMD-160</a> (Patent free)</li><li><a href="http://en.wikipedia.org/wiki/Secure_Hash_Standard" title="Secure Hash Standard">Secure Hash Standard</a></li><li><a href="http://en.wikipedia.org/wiki/Tiger_%28cryptography%29" title="Tiger (cryptography)">Tiger</a></li><li><a href="http://en.wikipedia.org/wiki/Whirlpool_%28cryptography%29" title="Whirlpool (cryptography)">WHIRLPOOL</a> (Patent free)</li></ul> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-0"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-0" title="">^</a></b> <a href="http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html" class="external text" title="http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html" rel="nofollow">Schneier on Security: Cryptanalysis of SHA-1</a></li><li id="cite_note-1"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-1" title="">^</a></b> <a href="http://www.schneier.com/blog/archives/2005/11/nist_hash_works_4.html" class="external text" title="http://www.schneier.com/blog/archives/2005/11/nist_hash_works_4.html" rel="nofollow">Schneier on Security: NIST Hash Workshop Liveblogging (5)</a></li><li id="cite_note-2"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-2" title="">^</a></b> <a href="http://www.heise-online.co.uk/security/Hash-cracked--/features/75686/2" class="external text" title="http://www.heise-online.co.uk/security/Hash-cracked--/features/75686/2" rel="nofollow">Hash cracked - heise Security</a></li><li id="cite_note-3"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-3" title="">^</a></b> 
<cite style="font-style: normal;">"<a href="https://datatracker.ietf.org/ipr/858/" class="external text" title="https://datatracker.ietf.org/ipr/858/" rel="nofollow">Licensing Declaration for US patent 6829355.</a>" <span class="reference-accessdate">. Retrieved on <a href="http://en.wikipedia.org/wiki/2008" title="2008">2008</a>-<a href="http://en.wikipedia.org/wiki/February_17" title="February 17">02-17</a>.</span></cite><span class="reference-accessdate"><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Licensing+Declaration+for+US+patent+6829355.&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fipr%2F858%2F"><span style="display: none;"> </span></span></span></li><li id="cite_note-4"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-4" title="">^</a></b> <cite style="font-style: normal;">Henri Gilbert; Helena Handschuh. "<a href="http://cat.inist.fr/?aModele=afficheN&cpsidt=15735289" class="external text" title="http://cat.inist.fr/?aModele=afficheN&cpsidt=15735289" rel="nofollow">Security analysis of SHA-256 and sisters</a>" (fee required). <i>Lecture notes in computer science</i>. Springer, Berlin. <a href="http://en.wikipedia.org/wiki/International_Standard_Serial_Number" title="International Standard Serial Number">ISSN</a> <a href="http://worldcat.org/issn/0302-9743" class="external text" title="http://worldcat.org/issn/0302-9743" rel="nofollow">0302-9743</a><span class="reference-accessdate">. 
Retrieved on <a href="http://en.wikipedia.org/wiki/2008" title="2008">2008</a>-<a href="http://en.wikipedia.org/wiki/January_30" title="January 30">01-30</a>.</span></cite><span class="reference-accessdate"><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Security+analysis+of+SHA-256+and+sisters&rft.jtitle=Lecture+notes+in+computer+science&rft.au=Henri+Gilbert&rft.issn=0302-9743&rft_id=http%3A%2F%2Fcat.inist.fr%2F%3FaModele%3DafficheN%26cpsidt%3D15735289"><span style="display: none;"> </span></span></span></li><li id="cite_note-5"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-5" title="">^</a></b> <a href="http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf" class="external free" title="http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf" rel="nofollow">http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf</a></li><li id="cite_note-6"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-6" title="">^</a></b> <a href="http://www.csrc.nist.gov/pki/HashWorkshop/index.html" class="external text" title="http://www.csrc.nist.gov/pki/HashWorkshop/index.html" rel="nofollow">Bounce to index.html</a></li><li id="cite_note-7"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-7" title="">^</a></b> <a href="http://www.freedom-to-tinker.com/archives/000664.html" class="external text" title="http://www.freedom-to-tinker.com/archives/000664.html" rel="nofollow">Freedom to Tinker » Blog Archive » Report from Crypto 2004</a></li><li id="cite_note-8"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-8" title="">^</a></b> <a href="http://groups.google.com/groups?selm=fgrieu-05A994.05060218082004%40individual.net" class="external free" title="http://groups.google.com/groups?selm=fgrieu-05A994.05060218082004%40individual.net" rel="nofollow">http://groups.google.com/groups?selm=fgrieu-05A994.05060218082004%40individual.net</a></li><li 
id="cite_note-autogenerated1-9">^ <a href="http://en.wikipedia.org/wiki/SHA#cite_ref-autogenerated1_9-0" title=""><sup><i><b>a</b></i></sup></a> <a href="http://en.wikipedia.org/wiki/SHA#cite_ref-autogenerated1_9-1" title=""><sup><i><b>b</b></i></sup></a> <a href="http://www.schneier.com/blog/archives/2005/02/sha1_broken.html" class="external text" title="http://www.schneier.com/blog/archives/2005/02/sha1_broken.html" rel="nofollow">Schneier on Security: SHA-1 Broken</a></li><li id="cite_note-10"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-10" title="">^</a></b> <a href="http://www.infosec.sdu.edu.cn/paper/sha0-crypto-author-new.pdf" class="external free" title="http://www.infosec.sdu.edu.cn/paper/sha0-crypto-author-new.pdf" rel="nofollow">http://www.infosec.sdu.edu.cn/paper/sha0-crypto-author-new.pdf</a></li><li id="cite_note-11"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-11" title="">^</a></b> <a href="http://csrc.nist.gov/hash_standards_comments.pdf" class="external free" title="http://csrc.nist.gov/hash_standards_comments.pdf" rel="nofollow">http://csrc.nist.gov/hash_standards_comments.pdf</a></li><li id="cite_note-12"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-12" title="">^</a></b> <a href="http://eprint.iacr.org/2005/010" class="external text" title="http://eprint.iacr.org/2005/010" rel="nofollow">Cryptology ePrint Archive</a></li><li id="cite_note-13"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-13" title="">^</a></b> <a href="http://theory.csail.mit.edu/%7Eyiqun/shanote.pdf" class="external free" title="http://theory.csail.mit.edu/~yiqun/shanote.pdf" rel="nofollow">http://theory.csail.mit.edu/~yiqun/shanote.pdf</a></li><li id="cite_note-14"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-14" title="">^</a></b> <a href="http://news.zdnet.com/2100-1009_22-5598536.html" class="external text" title="http://news.zdnet.com/2100-1009_22-5598536.html" rel="nofollow">Fixing a hole in security | Tech News on 
ZDNet</a></li><li id="cite_note-15"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-15" title="">^</a></b> <a href="http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html" class="external text" title="http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html" rel="nofollow">Schneier on Security: New Cryptanalytic Results Against SHA-1</a></li><li id="cite_note-16"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-16" title="">^</a></b> <a href="http://eprint.iacr.org/2007/474" class="external text" title="http://eprint.iacr.org/2007/474" rel="nofollow">Cryptology ePrint Archive</a></li><li id="cite_note-17"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-17" title="">^</a></b> <a href="http://dx.doi.org/10.1007/11935230_1" class="external text" title="http://dx.doi.org/10.1007/11935230_1" rel="nofollow">SpringerLink Home - Main</a></li><li id="cite_note-18"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-18" title="">^</a></b> <a href="http://www.iaik.tugraz.at/research/krypto/collision/SHA1Collision_Description.php" class="external text" title="http://www.iaik.tugraz.at/research/krypto/collision/SHA1Collision_Description.php" rel="nofollow">IAIK Krypto Group - Description of SHA-1 Collision Search Project</a></li><li id="cite_note-19"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-19" title="">^</a></b> <a href="http://boinc.iaik.tugraz.at/sha1_coll_search/" class="external text" title="http://boinc.iaik.tugraz.at/sha1_coll_search/" rel="nofollow">SHA-1 Collision Search Graz</a></li><li id="cite_note-20"><b><a href="http://en.wikipedia.org/wiki/SHA#cite_ref-20" title="">^</a></b> <a href="http://www.heise-online.co.uk/security/SHA-1-hash-function-under-pressure--/news/77244" class="external text" title="http://www.heise-online.co.uk/security/SHA-1-hash-function-under-pressure--/news/77244" rel="nofollow">SHA-1 hash function under pressure - heise Security</a></li><li id="cite_note-21"><b><a 
href="http://en.wikipedia.org/wiki/SHA#cite_ref-21" title="">^</a></b> <a href="http://www.iacr.org/conferences/crypto2006/rumpsched.html" class="external text" title="http://www.iacr.org/conferences/crypto2006/rumpsched.html" rel="nofollow">Crypto 2006 Rump Schedule</a></li></ol> </div> <div class="references-small" style="margin-left: 1.5em;"> <ul><li>Florent Chabaud, Antoine Joux: Differential Collisions in SHA-0. <a href="http://en.wikipedia.org/wiki/CRYPTO" title="CRYPTO" class="mw-redirect">CRYPTO</a> 1998. pp56–71</li><li><a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Eli Biham</a>, Rafi Chen, Near-Collisions of SHA-0, Cryptology ePrint Archive, Report 2004/146, 2004 (appeared on CRYPTO 2004) <a href="http://eprint.iacr.org/2004/146/" class="external autonumber" title="http://eprint.iacr.org/2004/146/" rel="nofollow">[1]</a></li><li>Joux, Carribault, Lemuet, Jalby: Collision for the full SHA-0 algorithm, CRYPTO 2004 <a href="http://www.mail-archive.com/cryptography@metzdowd.com/msg02554.html" class="external autonumber" title="http://www.mail-archive.com/cryptography@metzdowd.com/msg02554.html" rel="nofollow">[2]</a></li><li><a href="http://en.wikipedia.org/wiki/Xiaoyun_Wang" title="Xiaoyun Wang" class="mw-redirect">Xiaoyun Wang</a>, Hongbo Yu and Yiqun Lisa Yin, Efficient Collision Search Attacks on SHA-0, CRYPTO 2005 <a href="http://www.cs.cmu.edu/%7Edbrumley/srg/spring06/sha-0.pdf" class="external autonumber" title="http://www.cs.cmu.edu/~dbrumley/srg/spring06/sha-0.pdf" rel="nofollow">[3]</a></li><li><a href="http://en.wikipedia.org/wiki/Xiaoyun_Wang" title="Xiaoyun Wang" class="mw-redirect">Xiaoyun Wang</a>, Yiqun Lisa Yin and Hongbo Yu, Finding Collisions in the Full SHA-1, CRYPTO 2005 <a href="http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf" class="external autonumber" title="http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf" rel="nofollow">[4]</a></li><li><a 
href="http://en.wikipedia.org/w/index.php?title=Henri_Gilbert&action=edit&redlink=1" class="new" title="Henri Gilbert (page does not exist)">Henri Gilbert</a>, <a href="http://en.wikipedia.org/w/index.php?title=Helena_Handschuh&action=edit&redlink=1" class="new" title="Helena Handschuh (page does not exist)">Helena Handschuh</a>: Security Analysis of SHA-256 and Sisters. <a href="http://en.wikipedia.org/wiki/Selected_Areas_in_Cryptography" title="Selected Areas in Cryptography">Selected Areas in Cryptography</a> 2003: pp175–193</li><li><cite style="font-style: normal;">"<a href="http://frwebgate1.access.gpo.gov/cgi-bin/waisgate.cgi?WAISdocID=5963452267+0+0+0&WAISaction=retrieve" class="external text" title="http://frwebgate1.access.gpo.gov/cgi-bin/waisgate.cgi?WAISdocID=5963452267+0+0+0&WAISaction=retrieve" rel="nofollow">Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard</a>" (1994-07-11). <i>Federal Register</i> <b>59</b> (131): 35317–35318<span class="reference-accessdate">. 
Retrieved on <a href="http://en.wikipedia.org/wiki/2007" title="2007">2007</a>-<a href="http://en.wikipedia.org/wiki/April_26" title="April 26">04-26</a>.</span></cite><span class="reference-accessdate"><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Proposed+Revision+of+Federal+Information+Processing+Standard+%28FIPS%29+180%2C+Secure+Hash+Standard&rft.jtitle=Federal+Register&rft.date=1994-07-11&rft.volume=59&rft.issue=131&rft.pages=35317%E2%80%9335318&rft_id=http%3A%2F%2Ffrwebgate1.access.gpo.gov%2Fcgi-bin%2Fwaisgate.cgi%3FWAISdocID%3D5963452267%2B0%2B0%2B0%26WAISaction%3Dretrieve"><span style="display: none;"> </span></span></span></li></ul> </div> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <p><a name="Online_Hash_Calculators" id="Online_Hash_Calculators"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Online Hash Calculators</span></h3> <ul><li><a href="http://www.hashemall.com/" class="external text" title="http://www.hashemall.com" rel="nofollow">Hash'em all!</a> — free online text and file hashing with over 30 different algorithms</li><li><a href="http://hash-it.net/" class="external text" title="http://hash-it.net" rel="nofollow">hash-it.net</a> — instant javascript based text hashing with three algorithms</li></ul> <p><a name="Standards:_SHA-0.2C_SHA-1.2C_SHA-2.2C_SHA-3..." 
id="Standards:_SHA-0.2C_SHA-1.2C_SHA-2.2C_SHA-3..."></a></p> <h3><span class="editsection"></span><span class="mw-headline">Standards: SHA-0, SHA-1, SHA-2, SHA-3...</span></h3> <ul><li><a href="http://www.eff.org/Privacy/Digital_signature/?f=fips_sha_shs.standard.txt" class="external text" title="http://www.eff.org/Privacy/Digital_signature/?f=fips_sha_shs.standard.txt" rel="nofollow">Specifications for a Secure Hash Standard (SHS)</a> – Draft for proposed SHS standard (SHA-0)</li><li><a href="http://www.eff.org/Privacy/Digital_signature/?f=fips_sha_shs.info.txt" class="external text" title="http://www.eff.org/Privacy/Digital_signature/?f=fips_sha_shs.info.txt" rel="nofollow">Secure Hash Standard (SHS)</a> – Proposed SHS standard (SHA-0)</li><li><a href="http://csrc.nist.gov/CryptoToolkit/tkhash.html" class="external text" title="http://csrc.nist.gov/CryptoToolkit/tkhash.html" rel="nofollow">CSRC Cryptographic Toolkit</a> – Official <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">NIST</a> site for the Secure Hash Standard <ul><li><a href="http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf" class="external text" title="http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf" rel="nofollow">FIPS 180-2: Secure Hash Standard (SHS)</a> (<a href="http://en.wikipedia.org/wiki/Portable_Document_Format" title="Portable Document Format">PDF</a>, 236 kB) – Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512), 1 August 2002, amended 25 February 2004</li></ul> </li><li><a href="http://www.csrc.nist.gov/groups/ST/hash/index.html" class="external text" title="http://www.csrc.nist.gov/groups/ST/hash/index.html" rel="nofollow">NIST Cryptographic Hash Project</a> SHA-3 competition</li></ul> <p><a name="Cryptanalysis" id="Cryptanalysis"></a></p> <h3><span class="editsection"></span><span 
class="mw-headline">Cryptanalysis</span></h3> <ul><li><a href="http://news.zdnet.com/2100-1009_22-5598536.html" class="external text" title="http://news.zdnet.com/2100-1009_22-5598536.html" rel="nofollow">Interview with Yiqun Lisa Yin concerning the attack on SHA-1</a></li><li><a href="http://cm.bell-labs.com/who/akl/hash.pdf" class="external text" title="http://cm.bell-labs.com/who/akl/hash.pdf" rel="nofollow">Lenstra's Summary of impact of the February 2005 cryptanalytic results</a></li><li><a href="http://www.heise-online.co.uk/security/Hash-cracked--/features/75686" class="external text" title="http://www.heise-online.co.uk/security/Hash-cracked--/features/75686" rel="nofollow">Explanation of the successful attacks on SHA-1</a> (3 pages, 2006)</li><li><a href="http://www.cryptography.com/cnews/hash.html" class="external text" title="http://www.cryptography.com/cnews/hash.html" rel="nofollow">Cryptography Research - Hash Collision Q&A</a></li></ul> <p><a name="Implementations" id="Implementations"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Implementations</span></h3> <ul><li><a href="http://en.wikipedia.org/wiki/OpenSSL" title="OpenSSL">The OpenSSL Project</a> – The widely used OpenSSL <code>crypto</code> library includes <a href="http://en.wikipedia.org/wiki/Free_software" title="Free software">free</a>, <a href="http://en.wikipedia.org/wiki/Open_source" title="Open source">open-source</a> implementations of SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512</li><li><a href="http://www.cryptopp.com/" class="external text" title="http://www.cryptopp.com/" rel="nofollow">Crypto++</a> Crypto++ Library is a free C++ class library of cryptographic schemes.</li><li><a href="http://www.bouncycastle.org/" class="external text" title="http://www.bouncycastle.org/" rel="nofollow">Bouncy Castle</a> The Bouncy Castle Library is a free Java and C# class library that contains implementations of the SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 
algorithms as well as other algorithms like <a href="http://en.wikipedia.org/wiki/Whirlpool_%28cryptography%29" title="Whirlpool (cryptography)">Whirlpool</a>, <a href="http://en.wikipedia.org/wiki/Tiger_%28hash%29" title="Tiger (hash)" class="mw-redirect">Tiger</a>, <a href="http://en.wikipedia.org/wiki/RIPEMD" title="RIPEMD">RIPEMD</a>, GOST-3411, <a href="http://en.wikipedia.org/wiki/MD2_%28cryptography%29" title="MD2 (cryptography)">MD2</a>, <a href="http://en.wikipedia.org/wiki/MD4" title="MD4">MD4</a> and <a href="http://en.wikipedia.org/wiki/MD5" title="MD5">MD5</a>.</li><li><a href="http://jssha.sourceforge.net/" class="external text" title="http://jssha.sourceforge.net" rel="nofollow">jsSHA</a> — jsSHA is a free, open source Javascript library implementing the complete SHA family of hashes</li></ul> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/SHA_hash_functions">http://en.wikipedia.org/wiki/SHA_hash_functions</a>"<br /><br /></div> <div id="catlinks" class="catlinks"><div id="mw-normal-catlinks"><a href="http://en.wikipedia.org/wiki/Special:Categories" title="Special:Categories">Categories</a>: <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Cryptographic_hash_functions" title="Category:Cryptographic hash functions">Cryptographic hash functions</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Articles_with_example_pseudocode" 
title="Category:Articles with example pseudocode">Articles with example pseudocode</a></span></div></div>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-43187787253697863282008-09-30T08:33:00.000-07:002008-09-30T08:34:28.223-07:00Triple DES (3DES)<h1 class="firstHeading"><br /></h1><!-- start content --> <table class="infobox" style="text-align: left; line-height: 1.5em; width: 23em; font-size: 90%;" cellspacing="5"> <tbody><tr> <td colspan="2" class="" style="background: transparent none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; font-size: larger; font-weight: bold;">Triple DES</td> </tr> <tr> <td colspan="2" class="" style="padding-bottom: 1em; text-align: center;"> <div class="center"> <div class="floatnone"><span><a href="http://en.wikipedia.org/wiki/Image:3des-overall-view.png" class="image" title="3des-overall-view.png"><img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/b/b7/3des-overall-view.png/280px-3des-overall-view.png" width="280" border="0" height="265" /></a></span></div> </div><br /><div style="padding-top: 0.4em;"><span style="line-height: 1.2em; font-size: 80%;">Three successive invocations of DES</span></div> </td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">General</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Designers</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/IBM" title="IBM">IBM</a></td> </tr> <tr> <th 
style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">First published</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">1978</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Derived from</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">DES</a></td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Cipher detail</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Key_size" title="Key size">Key sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">112 (2TDES) or 168 bits (3TDES)</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">Block sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">64 bits</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Structure</th> <td class="" 
style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Feistel_network" title="Feistel network" class="mw-redirect">Feistel network</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Rounds</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">48 DES-equivalent rounds</td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Best public <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a></th> </tr> <tr> <td colspan="2" class="" style="text-align: center; line-height: 1.2em; vertical-align: middle;"> <div style="line-height: 1.25em; text-align: left;">Lucks: 2<sup>32</sup> known plaintexts, 2<sup>113</sup> operations including 2<sup>90</sup> DES encryptions, 2<sup>88</sup> memory; Biham: find one of 2<sup>28</sup> target keys with a handful of chosen plaintexts per key and 2<sup>84</sup> encryptions</div> </td> </tr> </tbody></table> <p>In <a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">cryptography</a>, <b>Triple DES</b> is a <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block cipher</a> formed from the <a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">Data Encryption Standard</a> (DES) <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a> by using it three times.</p> <p><a name="Algorithm" id="Algorithm"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Algorithm</span></h2> <p>When it was found that a 56-bit key of DES is not enough to guard against <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force attacks</a>, TDES was chosen as a simple way to enlarge the key space without a need to switch to a new algorithm. The use of three steps is essential to prevent <a href="http://en.wikipedia.org/wiki/Meet-in-the-middle_attack" title="Meet-in-the-middle attack">meet-in-the-middle attacks</a> that are effective against double DES encryption. 
Note that DES is not a <a href="http://en.wikipedia.org/wiki/Group_%28mathematics%29" title="Group (mathematics)">group</a>; if it were one, the TDES construction would be equivalent to a single DES operation and no more secure.</p> <p>The simplest variant of TDES operates as follows: <span class="texhtml">DES(<i>k</i><sub>3</sub>;DES(<i>k</i><sub>2</sub>;DES(<i>k</i><sub>1</sub>;<i>M</i>)))</span>, where <span class="texhtml"><i>M</i></span> is the message block to be encrypted and <span class="texhtml"><i>k</i><sub>1</sub></span>, <span class="texhtml"><i>k</i><sub>2</sub></span>, and <span class="texhtml"><i>k</i><sub>3</sub></span> are DES keys. This variant is commonly known as EEE because all three DES operations are encryptions. In order to simplify interoperability between DES and TDES the middle step is usually replaced with decryption (EDE mode): <span class="texhtml">DES(<i>k</i><sub>3</sub>;DES<sup>-1</sup>(<i>k</i><sub>2</sub>;DES(<i>k</i><sub>1</sub>;<i>M</i>)))</span> and so a single DES encryption with key <span class="texhtml"><i>k</i></span> can be represented as TDES-EDE with <span class="texhtml"><i>k</i><sub>1</sub> = <i>k</i><sub>2</sub> = <i>k</i><sub>3</sub> = <i>k</i></span>. 
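</p> <p>The EEE and EDE constructions, the EDE decryption order, and the k<sub>1</sub> = k<sub>2</sub> = k<sub>3</sub> = k property above, as an added example that is not part of the original article: Go code using only Go's standard <code>crypto/des</code> package (assumed available), with constructed sample keys and a block, building both modes from three single-DES invocations and cross-checking the hand-built EDE against the library's own three-key DES cipher.</p>

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// threeCiphers builds the three single-DES instances that TDES composes.
// des.NewCipher rejects any key that is not 8 bytes; the block must be 64 bits.
func threeCiphers(k1, k2, k3, block []byte) (c [3]cipher.Block, err error) {
	if len(block) != des.BlockSize {
		return c, errors.New("input must be exactly one 8-byte block")
	}
	for i, k := range [][]byte{k1, k2, k3} {
		if c[i], err = des.NewCipher(k); err != nil {
			return c, err
		}
	}
	return c, nil
}

// step applies one DES encryption or decryption into a fresh buffer.
func step(c cipher.Block, decrypt bool, in []byte) []byte {
	out := make([]byte, des.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// tdesEDEEncryptBlock computes DES(k3; DES^-1(k2; DES(k1; M))): EDE mode.
func tdesEDEEncryptBlock(k1, k2, k3, m []byte) ([]byte, error) {
	c, err := threeCiphers(k1, k2, k3, m)
	if err != nil {
		return nil, err
	}
	return step(c[2], false, step(c[1], true, step(c[0], false, m))), nil
}

// tdesEDEDecryptBlock inverts EDE: DES^-1(k1; DES(k2; DES^-1(k3; C))).
func tdesEDEDecryptBlock(k1, k2, k3, ct []byte) ([]byte, error) {
	c, err := threeCiphers(k1, k2, k3, ct)
	if err != nil {
		return nil, err
	}
	return step(c[0], true, step(c[1], false, step(c[2], true, ct))), nil
}

// tdesEEEEncryptBlock is the EEE variant: DES(k3; DES(k2; DES(k1; M))).
func tdesEEEEncryptBlock(k1, k2, k3, m []byte) ([]byte, error) {
	c, err := threeCiphers(k1, k2, k3, m)
	if err != nil {
		return nil, err
	}
	return step(c[2], false, step(c[1], false, step(c[0], false, m))), nil
}

// edeWithOneKeyEqualsDES returns DES(k; M) and TDES-EDE(k, k, k; M) as hex.
// They must match: the middle decryption under k undoes the first encryption.
func edeWithOneKeyEqualsDES(k, m []byte) (single, triple string, err error) {
	t, err := tdesEDEEncryptBlock(k, k, k, m)
	if err != nil {
		return "", "", err
	}
	c, _ := des.NewCipher(k) // key length already validated above
	return hex.EncodeToString(step(c, false, m)), hex.EncodeToString(t), nil
}

// manualEDEMatchesStdlib checks the hand-built EDE against Go's own
// des.NewTripleDESCipher, which takes the 24-byte key k1||k2||k3.
func manualEDEMatchesStdlib(k1, k2, k3, m []byte) (bool, error) {
	got, err := tdesEDEEncryptBlock(k1, k2, k3, m)
	if err != nil {
		return false, err
	}
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	std, err := des.NewTripleDESCipher(key)
	if err != nil {
		return false, err
	}
	return bytes.Equal(step(std, false, m), got), nil
}

func main() {
	// Constructed sample keys and block for the demo; not from any standard.
	k1, k2, k3, m := []byte("key1key1"), []byte("key2key2"), []byte("key3key3"), []byte("8bytemsg")
	ede, _ := tdesEDEEncryptBlock(k1, k2, k3, m)
	eee, _ := tdesEEEEncryptBlock(k1, k2, k3, m)
	two, _ := tdesEDEEncryptBlock(k1, k2, k1, m) // 2-key TDES: k3 = k1
	back, _ := tdesEDEDecryptBlock(k1, k2, k3, ede)
	same, _ := manualEDEMatchesStdlib(k1, k2, k3, m)
	fmt.Printf("EDE %x\nEEE %x\n2TDES %x\nEDE decrypt %q\nmatches crypto/des: %v\n", ede, eee, two, back, same)
}
```

<p>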
The choice of decryption for the middle step does not affect the security of the algorithm.</p> <p><a name="Security" id="Security"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Security</span></h2> <p>In general TDES with three different keys (3-key TDES) has a <a href="http://en.wikipedia.org/wiki/Key_length" title="Key length" class="mw-redirect">key length</a> of 168 bits: three 56-bit DES <a href="http://en.wikipedia.org/wiki/Key_%28cryptography%29" title="Key (cryptography)">keys</a> (with parity bits 3-key TDES has the total storage length of 192 bits), but due to the <a href="http://en.wikipedia.org/wiki/Meet-in-the-middle_attack" title="Meet-in-the-middle attack">meet-in-the-middle attack</a> the effective security it provides is only 112 bits. A variant, called two-key TDES (2-key TDES), uses k<sub>1</sub> = k<sub>3</sub>, thus reducing the key size to 112 bits and the storage length to 128 bits. However, this mode is susceptible to certain <a href="http://en.wikipedia.org/wiki/Chosen-plaintext_attack" title="Chosen-plaintext attack">chosen-plaintext</a> or <a href="http://en.wikipedia.org/wiki/Known-plaintext_attack" title="Known-plaintext attack">known-plaintext</a> attacks <sup id="cite_ref-0" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-0" title="">[1]</a></sup> <sup id="cite_ref-1" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-1" title="">[2]</a></sup> and thus it is designated by <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">NIST</a> to have only 80 bits of security <sup id="cite_ref-NIST-SP800-57_2-0" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-NIST-SP800-57-2" title="">[3]</a></sup>.</p> <p>The best attack known on 3-key TDES requires around 2<sup>32</sup> known plaintexts, 2<sup>113</sup> steps, 2<sup>90</sup> single DES encryptions, 
and 2<sup>88</sup> memory<sup id="cite_ref-3" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-3" title="">[4]</a></sup> (the paper presents other tradeoffs between time and memory). This is not currently practical and NIST considers 3-key TDES to be appropriate through 2030 <sup id="cite_ref-NIST-SP800-57_2-1" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-NIST-SP800-57-2" title="">[3]</a></sup>. If the attacker seeks to discover any one of many cryptographic keys, there is a memory-efficient attack which will discover one of 2<sup>28</sup> keys, given a handful of chosen plaintexts per key and around 2<sup>84</sup> encryption operations<sup id="cite_ref-4" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-4" title="">[5]</a></sup>.</p> <p><a name="Usage" id="Usage"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Usage</span></h2> <p>TDES is slowly disappearing from use, largely replaced by the <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> (AES). One large-scale exception is within the electronic payments industry, which still uses 2TDES extensively and continues to develop and promulgate standards based upon it (e.g. <a href="http://en.wikipedia.org/wiki/EMV" title="EMV">EMV</a>). 
This guarantees that TDES will remain an active cryptographic standard well into the future.</p> <p>By design, DES, and therefore TDES, suffer from slow performance in software<sup id="cite_ref-softwareSlow_5-0" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-softwareSlow-5" title="">[6]</a></sup>; on modern processors, AES tends to be around six times faster. TDES is better suited to hardware implementations<sup id="cite_ref-softwareSlow_5-1" class="reference"><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_note-softwareSlow-5" title="">[6]</a></sup>, and indeed where it is still used it tends to be with a hardware implementation (e.g., <a href="http://en.wikipedia.org/wiki/VPN" title="VPN" class="mw-redirect">VPN</a> appliances and the <a href="http://en.wikipedia.org/wiki/Nextel" title="Nextel" class="mw-redirect">Nextel</a> cellular and data network), but even there AES outperforms it. 
Finally, AES offers markedly higher security margins: a larger block size and potentially longer keys.</p> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/DES-X" title="DES-X">DES-X</a></li><li><a href="http://en.wikipedia.org/wiki/Walter_Tuchman" title="Walter Tuchman">Walter Tuchman</a></li><li><a href="http://en.wikipedia.org/wiki/Horst_Feistel" title="Horst Feistel">Horst Feistel</a></li><li><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">Data Encryption Standard</a> (DES)</li><li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> (AES)</li></ul> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-0"><b><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-0" title="">^</a></b> <a href="http://en.wikipedia.org/wiki/Ralph_Merkle" title="Ralph Merkle">Ralph Merkle</a>, <a href="http://en.wikipedia.org/wiki/Martin_Hellman" title="Martin Hellman">Martin Hellman</a>: <a href="http://www.cs.purdue.edu/homes/ninghui/courses/Spring04/homeworks/p465-merkle.pdf" class="external text" title="http://www.cs.purdue.edu/homes/ninghui/courses/Spring04/homeworks/p465-merkle.pdf" rel="nofollow">On the Security of Multiple Encryption</a> (<a href="http://en.wikipedia.org/wiki/PDF" title="PDF" class="mw-redirect">PDF</a>), <a href="http://en.wikipedia.org/wiki/Communications_of_the_ACM" title="Communications of the ACM">Communications of the ACM</a>, Vol 24, No 7, pp 465–467, July 1981.</li><li id="cite_note-1"><b><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-1" title="">^</a></b> <a href="http://en.wikipedia.org/wiki/Paul_van_Oorschot" title="Paul van 
Oorschot">Paul van Oorschot</a>, <a href="http://en.wikipedia.org/w/index.php?title=Michael_J._Wiener&action=edit&redlink=1" class="new" title="Michael J. Wiener (page does not exist)">Michael J. Wiener</a>, <i>A known-plaintext attack on two-key triple encryption</i>, <a href="http://en.wikipedia.org/wiki/EUROCRYPT" title="EUROCRYPT" class="mw-redirect">EUROCRYPT</a>'90, LNCS 473, 1990, pp 318–325.</li><li id="cite_note-NIST-SP800-57-2">^ <a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-NIST-SP800-57_2-0" title=""><sup><i><b>a</b></i></sup></a> <a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-NIST-SP800-57_2-1" title=""><sup><i><b>b</b></i></sup></a> NIST, <a href="http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf" class="external text" title="http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf" rel="nofollow">Recommendation for Key Management—Part 1: general</a> (PDF), Special Publication 800-57.</li><li id="cite_note-3"><b><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-3" title="">^</a></b> <a href="http://en.wikipedia.org/wiki/Stefan_Lucks" title="Stefan Lucks">Stefan Lucks</a>: <a href="http://th.informatik.uni-mannheim.de/People/Lucks/papers/pdf/3des.pdf.gz" class="external text" title="http://th.informatik.uni-mannheim.de/People/Lucks/papers/pdf/3des.pdf.gz" rel="nofollow">Attacking Triple Encryption</a> (<a href="http://en.wikipedia.org/wiki/PDF" title="PDF" class="mw-redirect">PDF</a>), <a href="http://en.wikipedia.org/wiki/Fast_Software_Encryption" title="Fast Software Encryption">Fast Software Encryption</a> 1998, pp 239–253.</li><li id="cite_note-4"><b><a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-4" title="">^</a></b> <a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Eli Biham</a>: <a href="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1996/CS/CS0884.ps.gz" class="external text" 
title="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1996/CS/CS0884.ps.gz" rel="nofollow">How to Forge DES-Encrypted Messages in 2<sup>28</sup> Steps</a> (<a href="http://en.wikipedia.org/wiki/PostScript" title="PostScript">PostScript</a>), 1996.</li><li id="cite_note-softwareSlow-5">^ <a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-softwareSlow_5-0" title=""><sup><i><b>a</b></i></sup></a> <a href="http://en.wikipedia.org/wiki/Triple_DES#cite_ref-softwareSlow_5-1" title=""><sup><i><b>b</b></i></sup></a> <a href="http://www.quadibloc.com/crypto/co040201.htm" class="external text" title="http://www.quadibloc.com/crypto/co040201.htm" rel="nofollow">Details of the Data Encryption Standard</a></li></ol> </div> <p><br /></p> <table class="navbox" style="" cellspacing="0"> <tbody><tr> <td style="padding: 2px;"> <table class="nowraplinks" style="background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; color: inherit;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <div style="float: left; width: 6em; text-align: left;"> <div class="noprint plainlinksneverexpand" style="border: medium none ; padding: 0pt; background: rgb(204, 204, 255) none repeat scroll 0% 0%; white-space: nowrap; font-weight: normal; font-size: xx-small; -moz-background-clip: -moz-initial; -moz-background-origin: 
-moz-initial; -moz-background-inline-policy: -moz-initial;"><a href="http://en.wikipedia.org/wiki/Template:Crypto_block" title="Template:Crypto block"><span title="View this template" style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">v</span></a> <span style="font-size: 80%;">•</span> <a href="http://en.wikipedia.org/wiki/Template_talk:Crypto_block" title="Template talk:Crypto block"><span style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; color: rgb(0, 43, 184); -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" title="Discussion about this template">d</span></a> <span style="font-size: 80%;">•</span> <a href="http://en.wikipedia.org/w/index.php?title=Template:Crypto_block&action=edit" class="external text" title="http://en.wikipedia.org/w/index.php?title=Template:Crypto_block&action=edit" rel="nofollow"><span style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; color: rgb(0, 43, 184); -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" title="You can edit this template. 
Please use the preview button before saving.">e</span></a></div> </div> <div style="float: right; width: 6em;"> </div> <span style="font-size: 100%;"><a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">Block ciphers</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Common algorithms:</b> <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">AES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Blowfish_%28cipher%29" title="Blowfish (cipher)">Blowfish</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">DES</a> |</span> <span style="white-space: nowrap;"><strong class="selflink">Triple DES</strong> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Serpent_%28cipher%29" title="Serpent (cipher)">Serpent</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Twofish" title="Twofish">Twofish</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Other algorithms:</b> <a href="http://en.wikipedia.org/wiki/3-Way" title="3-Way">3-Way</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ABC_%28block_cipher%29" title="ABC (block cipher)">ABC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Akelarre_%28cipher%29" title="Akelarre (cipher)">Akelarre</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Anubis_%28cipher%29" title="Anubis 
(cipher)">Anubis</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ARIA_%28cipher%29" title="ARIA (cipher)">ARIA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BaseKing" title="BaseKing">BaseKing</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BassOmatic" title="BassOmatic">BassOmatic</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BATON" title="BATON">BATON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BEAR_and_LION_Cipher" title="BEAR and LION Cipher">BEAR and LION</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cryptomeria_cipher" title="Cryptomeria cipher">C2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Camellia_%28cipher%29" title="Camellia (cipher)">Camellia</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CAST-128" title="CAST-128">CAST-128</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CAST-256" title="CAST-256">CAST-256</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIKS-1" title="CIKS-1">CIKS-1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIPHERUNICORN-A" title="CIPHERUNICORN-A">CIPHERUNICORN-A</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIPHERUNICORN-E" title="CIPHERUNICORN-E">CIPHERUNICORN-E</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CLEFIA" title="CLEFIA">CLEFIA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cellular_Message_Encryption_Algorithm" title="Cellular Message Encryption Algorithm">CMEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cobra_ciphers" title="Cobra 
ciphers">Cobra</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/COCONUT98" title="COCONUT98">COCONUT98</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Crab_%28cipher%29" title="Crab (cipher)">Crab</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CRYPTON" title="CRYPTON">CRYPTON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CS-Cipher" title="CS-Cipher">CS-Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DEAL" title="DEAL">DEAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DES-X" title="DES-X">DES-X</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DFC_%28cipher%29" title="DFC (cipher)">DFC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/E2_%28cipher%29" title="E2 (cipher)">E2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FEAL" title="FEAL">FEAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FEA-M" title="FEA-M">FEA-M</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FROG" title="FROG">FROG</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/G-DES" title="G-DES" class="mw-redirect">G-DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/GOST_%28block_cipher%29" title="GOST (block cipher)">GOST</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Grand_Cru_%28cipher%29" title="Grand Cru (cipher)">Grand Cru</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Hasty_Pudding_cipher" title="Hasty Pudding cipher">Hasty Pudding cipher</a> |</span> <span style="white-space: nowrap;"><a 
href="http://en.wikipedia.org/wiki/Hierocrypt" title="Hierocrypt">Hierocrypt</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ICE_%28cipher%29" title="ICE (cipher)">ICE</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm" title="International Data Encryption Algorithm">IDEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Idea_NXT" title="Idea NXT">IDEA NXT</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Intel_Cascade_Cipher" title="Intel Cascade Cipher">Intel Cascade Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Iraqi_block_cipher" title="Iraqi block cipher">Iraqi</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KASUMI_%28block_cipher%29" title="KASUMI (block cipher)">KASUMI</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KeeLoq" title="KeeLoq">KeeLoq</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KHAZAD" title="KHAZAD">KHAZAD</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Khufu_and_Khafre" title="Khufu and Khafre">Khufu and Khafre</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KN-Cipher" title="KN-Cipher">KN-Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Ladder-DES" title="Ladder-DES">Ladder-DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Libelle_%28cipher%29" title="Libelle (cipher)">Libelle</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/LOKI97" title="LOKI97">LOKI97</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/LOKI" title="LOKI">LOKI89/91</a> |</span> <span style="white-space: 
nowrap;"><a href="http://en.wikipedia.org/wiki/Lucifer_%28cipher%29" title="Lucifer (cipher)">Lucifer</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/M6_%28cipher%29" title="M6 (cipher)">M6</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/M8_%28cipher%29" title="M8 (cipher)">M8</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MacGuffin_%28cipher%29" title="MacGuffin (cipher)">MacGuffin</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Madryga" title="Madryga">Madryga</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MAGENTA" title="MAGENTA">MAGENTA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MARS_%28cryptography%29" title="MARS (cryptography)">MARS</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Mercy_%28cipher%29" title="Mercy (cipher)">Mercy</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MESH_%28cipher%29" title="MESH (cipher)">MESH</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MISTY1" title="MISTY1">MISTY1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MMB" title="MMB">MMB</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MULTI2" title="MULTI2">MULTI2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MultiSwap" title="MultiSwap">MultiSwap</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/New_Data_Seal" title="New Data Seal">New Data Seal</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NewDES" title="NewDES">NewDES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Nimbus_%28cipher%29" title="Nimbus 
(cipher)">Nimbus</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NOEKEON" title="NOEKEON">NOEKEON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NUSH" title="NUSH">NUSH</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Q_%28cipher%29" title="Q (cipher)">Q</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC2" title="RC2">RC2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC5" title="RC5">RC5</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC6" title="RC6">RC6</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/REDOC" title="REDOC">REDOC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Red_Pike" title="Red Pike">Red Pike</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/S-1_block_cipher" title="S-1 block cipher">S-1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SAFER" title="SAFER">SAFER</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SAVILLE" title="SAVILLE">SAVILLE</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SC2000" title="SC2000">SC2000</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SEED" title="SEED">SEED</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHACAL" title="SHACAL">SHACAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHARK" title="SHARK">SHARK</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Skipjack_%28cipher%29" title="Skipjack (cipher)">Skipjack</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SMS4" 
title="SMS4">SMS4</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Spectr-H64" title="Spectr-H64">Spectr-H64</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Square_%28cipher%29" title="Square (cipher)">Square</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SXAL/MBAL" title="SXAL/MBAL">SXAL/MBAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm" title="Tiny Encryption Algorithm">TEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Treyfer" title="Treyfer">Treyfer</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/UES_%28cipher%29" title="UES (cipher)">UES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Xenon_%28cipher%29" title="Xenon (cipher)">Xenon</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Xmx" title="Xmx">xmx</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XTEA" title="XTEA">XTEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XXTEA" title="XXTEA">XXTEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Zodiac_%28cipher%29" title="Zodiac (cipher)">Zodiac</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Design:</b> <a href="http://en.wikipedia.org/wiki/Feistel_cipher" title="Feistel cipher">Feistel network</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Key_schedule" title="Key schedule">Key schedule</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Product_cipher" 
title="Product cipher">Product cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Substitution_box" title="Substitution box">S-box</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Substitution-permutation_network" title="Substitution-permutation network">SPN</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Attacks:</b> <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">Brute force</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Linear_cryptanalysis" title="Linear cryptanalysis">Linear</a> / <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis" title="Differential cryptanalysis">Differential</a> / <a href="http://en.wikipedia.org/wiki/Integral_cryptanalysis" title="Integral cryptanalysis">Integral</a> <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Mod_n_cryptanalysis" title="Mod n cryptanalysis">Mod <i>n</i></a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Related-key_attack" title="Related-key attack">Related-key</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Slide_attack" title="Slide attack">Slide</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XSL_attack" title="XSL attack">XSL</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Standardization:</b> <a 
href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process" title="Advanced Encryption Standard process">AES process</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CRYPTREC" title="CRYPTREC">CRYPTREC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NESSIE" title="NESSIE">NESSIE</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Misc:</b> <a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">Avalanche effect</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">Block size</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Initialization_vector" title="Initialization vector">IV</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Key_size" title="Key size">Key size</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" title="Block cipher modes of operation">Modes of operation</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Piling-up_lemma" title="Piling-up lemma">Piling-up lemma</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Weak_key" title="Weak key">Weak key</a></span></p> </div> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; 
-moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <div style="float: left; width: 6em; text-align: left;"> <div class="noprint plainlinksneverexpand" style="border: medium none ; padding: 0pt; background: rgb(204, 204, 255) none repeat scroll 0% 0%; white-space: nowrap; font-weight: normal; font-size: xx-small; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;"><a href="http://en.wikipedia.org/wiki/Template:Crypto_navbox" title="Template:Crypto navbox"><span title="View this template" style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">v</span></a> <span style="font-size: 80%;">•</span> <a href="http://en.wikipedia.org/wiki/Template_talk:Crypto_navbox" title="Template talk:Crypto navbox"><span style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; color: rgb(0, 43, 184); -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" title="Discussion about this template">d</span></a> <span style="font-size: 80%;">•</span> <a href="http://en.wikipedia.org/w/index.php?title=Template:Crypto_navbox&action=edit" class="external text" title="http://en.wikipedia.org/w/index.php?title=Template:Crypto_navbox&action=edit" rel="nofollow"><span style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; color: rgb(0, 43, 184); -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" title="You can edit this template. 
Please use the preview button before saving.">e</span></a></div> </div> <div style="float: right; width: 6em;"> </div> <span style="font-size: 100%;"><a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">Cryptography</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"><a href="http://en.wikipedia.org/wiki/History_of_cryptography" title="History of cryptography">History of cryptography</a> | <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">Cryptanalysis</a> | <a href="http://en.wikipedia.org/wiki/Portal:Cryptography" title="Portal:Cryptography">Cryptography portal</a> | <a href="http://en.wikipedia.org/wiki/Topics_in_cryptography" title="Topics in cryptography">Topics in cryptography</a></div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"><a href="http://en.wikipedia.org/wiki/Symmetric-key_algorithm" title="Symmetric-key algorithm">Symmetric-key algorithm</a> | <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">Block cipher</a> | <a href="http://en.wikipedia.org/wiki/Stream_cipher" title="Stream cipher">Stream cipher</a> | <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">Public-key cryptography</a> | <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" title="Cryptographic hash function">Cryptographic hash function</a> | <a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">Message authentication code</a> | <a href="http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator" title="Cryptographically secure pseudorandom number generator">Random numbers</a> | <a 
href="http://en.wikipedia.org/wiki/Steganography" title="Steganography">Steganography</a></div> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> <!-- NewPP limit report Preprocessor node count: 2646/1000000 Post-expand include size: 114702/2048000 bytes Template argument size: 123783/2048000 bytes Expensive parser function count: 2/500 --> <!-- Saved in parser cache with key enwiki:pcache:idhash:48375-0!1!0!default!!en!2 and timestamp 20080930092115 --> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/Triple_DES">http://en.wikipedia.org/wiki/Triple_DES</a>"<br /><br /></div> <div id="mw-normal-catlinks"><a href="http://en.wikipedia.org/wiki/Special:Categories" title="Special:Categories">Categories</a>: <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Block_ciphers" title="Category:Block ciphers">Block ciphers</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Data_Encryption_Standard" title="Category:Data Encryption Standard">Data Encryption Standard</a></span></div>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-10372418513558563482008-09-30T08:31:00.000-07:002008-09-30T08:33:11.276-07:00Data Encryption Standard (DES)<!-- start content --> <div style="right: 10px; display: none;" class="metadata topicon" id="featured-star"> <div><a href="http://en.wikipedia.org/wiki/Wikipedia:Featured_articles" title="This is a featured article. 
Click here for more information."><img alt="Featured article" src="http://upload.wikimedia.org/wikipedia/en/6/60/LinkFA-star.png" width="14" border="0" height="14" /></a></div> </div> <table class="infobox" style="text-align: left; line-height: 1.5em; width: 23em; font-size: 90%;" cellspacing="5"> <tbody><tr> <td colspan="2" class="" style="background: transparent none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; font-size: larger; font-weight: bold;">Data Encryption Standard</td> </tr> <tr> <td colspan="2" class="" style="padding-bottom: 1em; text-align: center;"> <div class="center"> <div class="floatnone"><span><a href="http://en.wikipedia.org/wiki/Image:Data_Encryption_Standard_InfoBox_Diagram.png" class="image" title="Data Encryption Standard InfoBox Diagram.png"><img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/0/06/Data_Encryption_Standard_InfoBox_Diagram.png/280px-Data_Encryption_Standard_InfoBox_Diagram.png" width="280" border="0" height="270" /></a></span></div> </div><br /><div style="padding-top: 0.4em;"><span style="line-height: 1.2em; font-size: 80%;">The Feistel function (F function) of DES</span></div> </td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">General</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Designers</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/IBM" title="IBM">IBM</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; 
-moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">First published</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">1975 (standardized on January 1977)</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Derived from</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Lucifer_%28cipher%29" title="Lucifer (cipher)">Lucifer</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Successors</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a>, <a href="http://en.wikipedia.org/wiki/G-DES" title="G-DES" class="mw-redirect">G-DES</a>, <a href="http://en.wikipedia.org/wiki/DES-X" title="DES-X">DES-X</a>, <a href="http://en.wikipedia.org/wiki/LOKI89" title="LOKI89" class="mw-redirect">LOKI89</a>, <a href="http://en.wikipedia.org/wiki/ICE_%28cipher%29" title="ICE (cipher)">ICE</a></td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Cipher detail</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Key_size" title="Key size">Key sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">56 bits</td> </tr> <tr> <th 
style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">Block sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">64 bits</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Structure</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Feistel_network" title="Feistel network" class="mw-redirect">Feistel network</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Rounds</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">16</td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Best public <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a></th> </tr> <tr> <td colspan="2" class="" style="text-align: center; line-height: 1.2em; vertical-align: middle;"> <div style="line-height: 1.25em; text-align: left;">DES is now considered insecure because a <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force attack</a> is possible (see <a href="http://en.wikipedia.org/wiki/EFF_DES_cracker" title="EFF DES cracker">EFF DES cracker</a>). 
As of 2008, the best analytical attack is <a href="http://en.wikipedia.org/wiki/Linear_cryptanalysis" title="Linear cryptanalysis">linear cryptanalysis</a>, which requires 2<sup>43</sup> <a href="http://en.wikipedia.org/wiki/Known_plaintext" title="Known plaintext" class="mw-redirect">known plaintexts</a> and has a time complexity of 2<sup>39–43</sup> (Junod, 2001); under a <a href="http://en.wikipedia.org/wiki/Chosen-plaintext" title="Chosen-plaintext" class="mw-redirect">chosen-plaintext</a> assumption, the data complexity can be reduced by a factor of four (Knudsen and Mathiassen, 2000).</div> </td> </tr> </tbody></table> <p>The <b>Data Encryption Standard</b> (<b>DES</b>) is a <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a> (a method for <a href="http://en.wikipedia.org/wiki/Encrypt" title="Encrypt" class="mw-redirect">encrypting</a> information) selected by <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">NBS</a> as an official <a href="http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard" title="Federal Information Processing Standard">Federal Information Processing Standard</a> (FIPS) for the <a href="http://en.wikipedia.org/wiki/United_States" title="United States">United States</a> in 1976 and which has subsequently enjoyed widespread use internationally. 
The <a href="http://en.wikipedia.org/wiki/Algorithm" title="Algorithm">algorithm</a> was initially controversial with <a href="http://en.wikipedia.org/wiki/Classified_information" title="Classified information">classified</a> design elements, a relatively short <a href="http://en.wikipedia.org/wiki/Key_length" title="Key length" class="mw-redirect">key length</a>, and suspicions about a <a href="http://en.wikipedia.org/wiki/National_Security_Agency" title="National Security Agency">National Security Agency</a> (NSA) <a href="http://en.wikipedia.org/wiki/Backdoor_%28computing%29" title="Backdoor (computing)">backdoor</a>. DES consequently came under intense academic scrutiny which motivated the modern understanding of <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block ciphers</a> and their <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a>.</p> <p>DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, <a href="http://en.wikipedia.org/wiki/Distributed.net" title="Distributed.net">distributed.net</a> and the <a href="http://en.wikipedia.org/wiki/Electronic_Frontier_Foundation" title="Electronic Frontier Foundation">Electronic Frontier Foundation</a> collaborated to publicly break a DES key in 22 hours and 15 minutes (see <a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology" title="Data Encryption Standard">chronology</a>). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are unfeasible to mount in practice. The algorithm is believed to be practically secure in the form of <a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a>, although there are theoretical attacks. 
In recent years, the cipher has been superseded by the <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> (AES).</p> <p>In some documentation, a distinction is made between DES as a standard and DES the algorithm which is referred to as the <b>DEA</b> (the <b>Data Encryption Algorithm</b>). When spoken, "DES" is either spelled out (<small>IPA</small>: <span title="Pronunciation in IPA" class="IPA"><a href="http://en.wikipedia.org/wiki/Help:IPA_for_English" title="Help:IPA for English" class="mw-redirect">/diː iː ɛs/</a></span>) as an <a href="http://en.wikipedia.org/wiki/Abbreviation" title="Abbreviation">abbreviation</a> or pronounced as a single syllable (<small>IPA</small>: <span title="Pronunciation in IPA" class="IPA"><a href="http://en.wikipedia.org/wiki/Help:IPA_for_English" title="Help:IPA for English" class="mw-redirect">/dɛs/</a></span>) <a href="http://en.wikipedia.org/wiki/Acronym" title="Acronym" class="mw-redirect">acronym</a>.</p> <p><a name="History_of_DES" id="History_of_DES"></a></p> <h2><span class="editsection"></span><span class="mw-headline">History of DES</span></h2> <p>The origins of DES go back to the early 1970s. 
In 1972, after concluding a study on the US government's <a href="http://en.wikipedia.org/wiki/Computer_security" title="Computer security">computer security</a> needs, the US standards body <a href="http://en.wikipedia.org/wiki/NBS" title="NBS">NBS</a> (National Bureau of Standards) — now named <a href="http://en.wikipedia.org/wiki/NIST" title="NIST" class="mw-redirect">NIST</a> (National Institute of Standards and Technology) — identified a need for a government-wide standard for encrypting unclassified, sensitive information.<sup id="cite_ref-0" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-0" title="">[1]</a></sup> Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974. This time, <a href="http://en.wikipedia.org/wiki/International_Business_Machines" title="International Business Machines" class="mw-redirect">IBM</a> submitted a candidate which was deemed acceptable — a cipher developed during the period 1973–1974 based on an earlier algorithm, <a href="http://en.wikipedia.org/wiki/Horst_Feistel" title="Horst Feistel">Horst Feistel</a>'s <a href="http://en.wikipedia.org/wiki/Lucifer_%28cipher%29" title="Lucifer (cipher)">Lucifer</a> cipher. 
The team at IBM involved in cipher design and analysis included Feistel, <a href="http://en.wikipedia.org/wiki/Walter_Tuchman" title="Walter Tuchman">Walter Tuchman</a>, <a href="http://en.wikipedia.org/wiki/Don_Coppersmith" title="Don Coppersmith">Don Coppersmith</a>, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, <a href="http://en.wikipedia.org/wiki/Edna_Grossman" title="Edna Grossman">Edna Grossman</a>, Bill Notz, Lynn Smith, and <a href="http://en.wikipedia.org/wiki/Bryant_Tuckerman" title="Bryant Tuckerman">Bryant Tuckerman</a>.</p> <p><a name="NSA.27s_involvement_in_the_design" id="NSA.27s_involvement_in_the_design"></a></p> <h3><span class="editsection">[<a href="http://en.wikipedia.org/w/index.php?title=Data_Encryption_Standard&action=edit&section=2" title="Edit section: NSA's involvement in the design">edit</a>]</span> <span class="mw-headline">NSA's involvement in the design</span></h3> <p>On 17 March 1975, the proposed DES was published in the <i><a href="http://en.wikipedia.org/wiki/Federal_Register" title="Federal Register">Federal Register</a></i>. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">public-key cryptography</a> pioneers <a href="http://en.wikipedia.org/wiki/Martin_Hellman" title="Martin Hellman">Martin Hellman</a> and <a href="http://en.wikipedia.org/wiki/Whitfield_Diffie" title="Whitfield Diffie">Whitfield Diffie</a>, citing a shortened <a href="http://en.wikipedia.org/wiki/Key_length" title="Key length" class="mw-redirect">key length</a> and the mysterious "<a href="http://en.wikipedia.org/wiki/Substitution_box" title="Substitution box">S-boxes</a>" as evidence of improper interference from the NSA. 
The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they — but no-one else — could easily read encrypted messages.<sup class="noprint Template-Fact"><span title="This claim needs references to reliable sources since April 2008" style="white-space: nowrap;">[<i><a href="http://en.wikipedia.org/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed">citation needed</a></i>]</span></sup> Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."<sup id="cite_ref-1" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-1" title="">[2]</a></sup> The <a href="http://en.wikipedia.org/wiki/United_States_Senate_Select_Committee_on_Intelligence" title="United States Senate Select Committee on Intelligence">United States Senate Select Committee on Intelligence</a> reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:</p> <dl><dd>"In the development of DES, NSA convinced <a href="http://en.wikipedia.org/wiki/IBM" title="IBM">IBM</a> that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness."<sup id="cite_ref-2" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-2" title="">[3]</a></sup></dd></dl> <p>However, it also found that</p> <dl><dd>"NSA did not tamper with the design of the algorithm in any way. 
IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended."<sup id="cite_ref-3" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-3" title="">[4]</a></sup></dd></dl> <p>Another member of the DES team, Walter Tuchman, is quoted as saying, "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"<sup id="cite_ref-4" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-4" title="">[5]</a></sup></p> <p>Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by <a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Eli Biham</a> and <a href="http://en.wikipedia.org/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a> of <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis" title="Differential cryptanalysis">differential cryptanalysis</a>, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique back in the 1970s. This was indeed the case — in 1994, Don Coppersmith published the original design criteria for the S-boxes. 
According to <a href="http://en.wikipedia.org/wiki/Steven_Levy" title="Steven Levy">Steven Levy</a>, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.<sup id="cite_ref-5" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-5" title="">[6]</a></sup> Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it".<sup id="cite_ref-6" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-6" title="">[7]</a></sup> Shamir himself commented, "I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened."<sup class="noprint Template-Fact"><span title="This claim needs references to reliable sources since February 2007" style="white-space: nowrap;">[<i><a href="http://en.wikipedia.org/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed">citation needed</a></i>]</span></sup></p> <p>The other criticism — that the key length was too short — was supported by the fact that the reason given by the NSA for reducing the key length from 64 bits to 56 was that the other 8 bits could serve as <a href="http://en.wikipedia.org/wiki/Parity" title="Parity">parity</a> bits, which seemed somewhat specious.<sup class="noprint Template-Fact"><span title="This claim needs references to reliable sources since February 2007" style="white-space: nowrap;">[<i><a 
href="http://en.wikipedia.org/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed">citation needed</a></i>]</span></sup> It was widely believed that NSA's decision was motivated by the possibility that they would be able to <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force attack</a> a 56 bit key several years before the rest of the world would.<sup class="noprint Template-Fact"><span title="This claim needs references to reliable sources since February 2007" style="white-space: nowrap;">[<i><a href="http://en.wikipedia.org/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed">citation needed</a></i>]</span></sup></p> <p><a name="The_algorithm_as_a_standard" id="The_algorithm_as_a_standard"></a></p> <h3><span class="editsection"></span><span class="mw-headline">The algorithm as a standard</span></h3> <p>Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as <b>FIPS PUB 46</b>, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as <b>FIPS-46-1</b>), 1993 (<b>FIPS-46-2</b>), and again in 1999 (<b>FIPS-46-3</b>), the latter prescribing "<a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a>" (see below). On 26 May 2002, DES was finally superseded by <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">AES</a>, the Advanced Encryption Standard, following a public competition (see <a href="http://en.wikipedia.org/wiki/AES_process" title="AES process" class="mw-redirect">AES process</a>). 
On 19 May 2005, FIPS 46-3 was officially withdrawn, but <a href="http://en.wikipedia.org/wiki/NIST" title="NIST" class="mw-redirect">NIST</a> has approved <a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a> through the year 2030 for sensitive government information.<sup id="cite_ref-7" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-7" title="">[8]</a></sup></p> <p>Another theoretical attack, <a href="http://en.wikipedia.org/wiki/Linear_cryptanalysis" title="Linear cryptanalysis">linear cryptanalysis</a>, was published in 1994, but it was a <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force attack</a> in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a> are discussed in more detail later in the article.</p> <p>The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective about DES,</p> <dl><dd>The DES can be said to have "jump started" the nonmilitary study and development of encryption algorithms. In the 1970s there were very few cryptographers, except for those in military or intelligence organizations, and little academic study of cryptography. There are now many active academic cryptologists, mathematics departments with strong programs in cryptography, and commercial information security companies and consultants. A generation of cryptanalysts has cut its teeth analyzing (that is trying to "crack") the DES algorithm. 
In the words of cryptographer <a href="http://en.wikipedia.org/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a> [9],<sup id="cite_ref-8" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-8" title="">[9]</a></sup> "DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study." An astonishing share of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the standard against which every symmetric key algorithm since has been compared.<sup id="cite_ref-9" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-9" title="">[10]</a></sup></dd></dl> <p><a name="Chronology" id="Chronology"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Chronology</span></h3> <table class="wikitable" style="font-size: 85%;"> <tbody><tr> <th>Date</th> <th>Year</th> <th>Event</th> </tr> <tr> <td>15 May</td> <td>1973</td> <td>NBS publishes a first request for a standard encryption algorithm</td> </tr> <tr> <td>27 August</td> <td>1974</td> <td>NBS publishes a second request for encryption algorithms</td> </tr> <tr> <td>17 March</td> <td>1975</td> <td>DES is published in the <i>Federal Register</i> for comment</td> </tr> <tr> <td>August</td> <td>1976</td> <td>First workshop on DES</td> </tr> <tr> <td>September</td> <td>1976</td> <td>Second workshop, discussing mathematical foundation of DES</td> </tr> <tr> <td>November</td> <td>1976</td> <td>DES is approved as a standard</td> </tr> <tr> <td>15 January</td> <td>1977</td> <td>DES is published as a FIPS standard FIPS PUB 46</td> </tr> <tr> <td><br /></td> <td>1983</td> <td>DES is reaffirmed for the first time</td> </tr> <tr> <td><br /></td> <td>1986</td> <td><a href="http://en.wikipedia.org/wiki/Videocipher" title="Videocipher">Videocipher</a> II, a TV satellite scrambling system based upon DES begins use by HBO</td> </tr> <tr> <td>22 January</td> 
<td>1988</td> <td>DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46</td> </tr> <tr> <td>July</td> <td>1990</td> <td>Biham and Shamir rediscover <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis" title="Differential cryptanalysis">differential cryptanalysis</a>, and apply it to a 15-round DES-like cryptosystem.</td> </tr> <tr> <td><br /></td> <td>1992</td> <td>Biham and Shamir report the first theoretical attack with less complexity than brute force: <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis" title="Differential cryptanalysis">differential cryptanalysis</a>. However, it requires an unrealistic 2<sup>47</sup> <a href="http://en.wikipedia.org/wiki/Chosen_plaintext" title="Chosen plaintext" class="mw-redirect">chosen plaintexts</a>.</td> </tr> <tr> <td><a href="http://en.wikipedia.org/wiki/30_December" title="30 December" class="mw-redirect">30 December</a></td> <td>1993</td> <td>DES is reaffirmed for the third time as FIPS 46-2</td> </tr> <tr> <td><br /></td> <td>1994</td> <td>The first experimental cryptanalysis of DES is performed using <a href="http://en.wikipedia.org/wiki/Linear_cryptanalysis" title="Linear cryptanalysis">linear cryptanalysis</a> (Matsui, 1994).</td> </tr> <tr> <td>June</td> <td>1997</td> <td>The <a href="http://en.wikipedia.org/wiki/DESCHALL_Project" title="DESCHALL Project">DESCHALL Project</a> breaks a message encrypted with DES for the first time in public.</td> </tr> <tr> <td>July</td> <td>1998</td> <td>The <a href="http://en.wikipedia.org/wiki/Electronic_Frontier_Foundation" title="Electronic Frontier Foundation">EFF</a>'s <a href="http://en.wikipedia.org/wiki/EFF_DES_cracker" title="EFF DES cracker">DES cracker</a> (Deep Crack) breaks a DES key in 56 hours.</td> </tr> <tr> <td>January</td> <td>1999</td> <td>Together, <a href="http://en.wikipedia.org/wiki/Deep_Crack" title="Deep Crack" class="mw-redirect">Deep Crack</a> and <a href="http://en.wikipedia.org/wiki/Distributed.net" 
title="Distributed.net">distributed.net</a> break a DES key in 22 hours and 15 minutes.</td> </tr> <tr> <td>25 October</td> <td>1999</td> <td>DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of <a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a>, with single DES permitted only in legacy systems.</td> </tr> <tr> <td><a href="http://en.wikipedia.org/wiki/26_November" title="26 November" class="mw-redirect">26 November</a></td> <td>2001</td> <td>The <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> is published in FIPS 197</td> </tr> <tr> <td>26 May</td> <td>2002</td> <td>The AES standard becomes effective</td> </tr> <tr> <td>26 July</td> <td>2004</td> <td>The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the <i>Federal Register</i><sup id="cite_ref-10" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-10" title="">[11]</a></sup></td> </tr> <tr> <td>19 May</td> <td>2005</td> <td>NIST withdraws FIPS 46-3 (see <a href="http://csrc.nist.gov/publications/fips/05-9945-DES-Withdrawl.pdf" class="external text" title="http://csrc.nist.gov/publications/fips/05-9945-DES-Withdrawl.pdf" rel="nofollow">Federal Register vol 70, number 96</a>)</td> </tr> <tr> <td>15 March</td> <td>2007</td> <td>The FPGA based parallel machine <a href="http://en.wikipedia.org/wiki/Custom_hardware_attack#History" title="Custom hardware attack">COPACOBANA</a> of the University of Bochum and Kiel, Germany, breaks DES in 6.4 days at $10,000 hardware cost</td> </tr> </tbody></table> <p><a name="Replacement_algorithms" id="Replacement_algorithms"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Replacement algorithms</span></h2> <p>Concerns about security and the relatively slow operation of DES in <a href="http://en.wikipedia.org/wiki/Software" 
title="Software" class="mw-redirect">software</a> motivated researchers to propose a variety of alternative <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block cipher</a> designs, which started to appear in the late 1980s and early 1990s: examples include <a href="http://en.wikipedia.org/wiki/RC5" title="RC5">RC5</a>, <a href="http://en.wikipedia.org/wiki/Blowfish_%28cipher%29" title="Blowfish (cipher)">Blowfish</a>, <a href="http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm" title="International Data Encryption Algorithm">IDEA</a>, <a href="http://en.wikipedia.org/wiki/NewDES" title="NewDES">NewDES</a>, <a href="http://en.wikipedia.org/wiki/SAFER" title="SAFER">SAFER</a>, <a href="http://en.wikipedia.org/wiki/CAST5" title="CAST5" class="mw-redirect">CAST5</a> and <a href="http://en.wikipedia.org/wiki/FEAL" title="FEAL">FEAL</a>. Most of these designs kept the 64-bit block size of DES, and could act as a "drop-in" replacement, although they typically used a 64-bit or 128-bit key. In the <a href="http://en.wikipedia.org/wiki/USSR" title="USSR" class="mw-redirect">USSR</a> the <a href="http://en.wikipedia.org/wiki/GOST_28147-89" title="GOST 28147-89" class="mw-redirect">GOST 28147-89</a> algorithm was introduced, with a 64-bit block size and a 256-bit key, which was also used in <a href="http://en.wikipedia.org/wiki/Russia" title="Russia">Russia</a> later.</p> <p>DES itself can be adapted and reused in a more secure scheme. Many former DES users now use <a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a> (TDES) which was described and analysed by one of DES's patentees (see <a href="http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard" title="Federal Information Processing Standard">FIPS</a> Pub 46-3); it involves applying DES three times with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure, although it is quite slow. 
A less computationally expensive alternative is <a href="http://en.wikipedia.org/wiki/DES-X" title="DES-X">DES-X</a>, which increases the key size by XORing extra key material before and after DES. <a href="http://en.wikipedia.org/wiki/GDES" title="GDES">GDES</a> was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.</p> <p>In 2001, after an international competition, NIST selected a new cipher, the <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> (AES), as a replacement. The algorithm which was selected as the AES was submitted by its designers under the name <a href="http://en.wikipedia.org/wiki/Rijndael" title="Rijndael" class="mw-redirect">Rijndael</a>. Other finalists in the NIST <a href="http://en.wikipedia.org/wiki/AES_competition" title="AES competition" class="mw-redirect">AES competition</a> included <a href="http://en.wikipedia.org/wiki/RC6" title="RC6">RC6</a>, <a href="http://en.wikipedia.org/wiki/Serpent_%28cipher%29" title="Serpent (cipher)">Serpent</a>, <a href="http://en.wikipedia.org/wiki/MARS_%28cryptography%29" title="MARS (cryptography)">MARS</a> and <a href="http://en.wikipedia.org/wiki/Twofish" title="Twofish">Twofish</a>.</p> <p><a name="Description" id="Description"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Description</span></h2> <div class="thumb tright"> <div class="thumbinner" style="width: 252px;"><a href="http://en.wikipedia.org/wiki/Image:DES-main-network.png" class="image" title="Figure 1 — The overall Feistel structure of DES"><img alt="Figure 1 — The overall Feistel structure of DES" src="http://upload.wikimedia.org/wikipedia/commons/thumb/6/6a/DES-main-network.png/250px-DES-main-network.png" class="thumbimage" width="250" border="0" height="674" /></a> <div class="thumbcaption"> <div class="magnify"><a 
href="http://en.wikipedia.org/wiki/Image:DES-main-network.png" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" width="15" height="11" /></a></div> <i>Figure 1</i> — The overall Feistel structure of DES</div> </div> </div> <dl><dd><i>For brevity, the following description omits the exact transformations and permutations which specify the algorithm; for reference, the details can be found in <a href="http://en.wikipedia.org/wiki/DES_supplementary_material" title="DES supplementary material">DES supplementary material</a>.</i></dd></dl> <p>DES is the <a href="http://en.wikipedia.org/wiki/Archetypal" title="Archetypal" class="mw-redirect">archetypal</a> <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block cipher</a> — an algorithm that takes a fixed-length string of <a href="http://en.wikipedia.org/wiki/Plaintext" title="Plaintext">plaintext</a> bits and transforms it through a series of complicated operations into another <a href="http://en.wikipedia.org/wiki/Ciphertext" title="Ciphertext" class="mw-redirect">ciphertext</a> bitstring of the same length. In the case of DES, the <a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">block size</a> is 64 bits. DES also uses a <a href="http://en.wikipedia.org/wiki/Key_%28cryptography%29" title="Key (cryptography)">key</a> to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking <a href="http://en.wikipedia.org/wiki/Parity" title="Parity">parity</a>, and are thereafter discarded. 
Hence the effective <a href="http://en.wikipedia.org/wiki/Key_length" title="Key length" class="mw-redirect">key length</a> is 56 bits, and it is usually quoted as such.</p> <p>Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a <a href="http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation" title="Block cipher mode of operation" class="mw-redirect">mode of operation</a>. FIPS-81 specifies several modes for use with DES.<sup id="cite_ref-11" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-11" title="">[12]</a></sup> Further comments on the usage of DES are contained in FIPS-74.<sup id="cite_ref-12" class="reference"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-12" title="">[13]</a></sup></p> <p><a name="Overall_structure" id="Overall_structure"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Overall structure</span></h3> <p>The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing, termed <i>rounds</i>. There is also an initial and final <a href="http://en.wikipedia.org/wiki/Permutation" title="Permutation">permutation</a>, termed <i>IP</i> and <i>FP</i>, which are <a href="http://en.wikipedia.org/wiki/Inverse_%28function%29" title="Inverse (function)" class="mw-redirect">inverses</a> (IP "undoes" the action of FP, and vice versa). IP and FP have almost no cryptographic significance, but were apparently included in order to facilitate loading blocks in and out of mid-1970s hardware, as well as to make DES run slower in software.</p> <p>Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the <a href="http://en.wikipedia.org/wiki/Feistel_scheme" title="Feistel scheme" class="mw-redirect">Feistel scheme</a>. 
The Feistel structure ensures that decryption and encryption are very similar processes — the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.</p> <p>The red ⊕ symbol denotes the <a href="http://en.wikipedia.org/wiki/XOR" title="XOR" class="mw-redirect">exclusive-OR</a> (XOR) operation. The <i>F-function</i> scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are not swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.</p> <p><a name="The_Feistel_.28F.29_function" id="The_Feistel_.28F.29_function"></a></p> <h3><span class="editsection"></span> <span class="mw-headline">The Feistel (F) function</span></h3> <p>The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:</p> <div class="thumb tleft"> <div class="thumbinner" style="width: 272px;"><a href="http://en.wikipedia.org/wiki/Image:DES-f-function.png" class="image" title="Figure 2 — The Feistel function (F-function) of DES"><img alt="Figure 2 — The Feistel function (F-function) of DES" src="http://upload.wikimedia.org/wikipedia/commons/thumb/a/a3/DES-f-function.png/270px-DES-f-function.png" class="thumbimage" width="270" border="0" height="260" /></a> <div class="thumbcaption"> <div class="magnify"><a href="http://en.wikipedia.org/wiki/Image:DES-f-function.png" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" 
width="15" height="11" /></a></div> <i>Figure 2</i> — The Feistel function (F-function) of DES</div> </div> </div> <ol><li><i>Expansion</i> — the 32-bit half-block is expanded to 48 bits using the <i>expansion permutation</i>, denoted <i>E</i> in the diagram, by duplicating some of the bits.</li><li><i>Key mixing</i> — the result is combined with a <i>subkey</i> using an XOR operation. Sixteen 48-bit subkeys — one for each round — are derived from the main key using the <i><a href="http://en.wikipedia.org/wiki/Key_schedule" title="Key schedule">key schedule</a></i> (described below).</li><li><i>Substitution</i> — after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the <i><a href="http://en.wikipedia.org/wiki/Substitution_box" title="Substitution box">S-boxes</a></i>, or <i>substitution boxes</i>. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a <a href="http://en.wikipedia.org/wiki/Lookup_table" title="Lookup table">lookup table</a>. 
The S-boxes provide the core of the security of DES — without them, the cipher would be linear, and trivially breakable.</li><li><i>Permutation</i> — finally, the 32 outputs from the S-boxes are rearranged according to a fixed <a href="http://en.wikipedia.org/wiki/Permutation" title="Permutation">permutation</a>, the <i>P-box</i>.</li></ol> <p>The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "<a href="http://en.wikipedia.org/wiki/Confusion_and_diffusion" title="Confusion and diffusion">confusion and diffusion</a>" respectively, a concept identified by <a href="http://en.wikipedia.org/wiki/Claude_Shannon" title="Claude Shannon">Claude Shannon</a> in the 1940s as a necessary condition for a secure yet practical cipher.</p> <p><a name="Key_schedule" id="Key_schedule"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Key schedule</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 222px;"><a href="http://en.wikipedia.org/wiki/Image:DES-key-schedule.png" class="image" title="Figure 3 — The key-schedule of DES"><img alt="Figure 3 — The key-schedule of DES" src="http://upload.wikimedia.org/wikipedia/commons/thumb/0/06/DES-key-schedule.png/220px-DES-key-schedule.png" class="thumbimage" width="220" border="0" height="360" /></a> <div class="thumbcaption"> <div class="magnify"><a href="http://en.wikipedia.org/wiki/Image:DES-key-schedule.png" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" width="15" height="11" /></a></div> <i>Figure 3</i> — The key-schedule of DES</div> </div> </div> <p>Figure 3 illustrates the <i>key schedule</i> for encryption — the algorithm which generates the subkeys. 
Initially, 56 bits of the key are selected from the initial 64 by <i>Permuted Choice 1</i> (<i>PC-1</i>) — the remaining eight bits are either discarded or used as <a href="http://en.wikipedia.org/wiki/Parity" title="Parity">parity</a> check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by <i>Permuted Choice 2</i> (<i>PC-2</i>) — 24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.</p> <p>The key schedule for decryption is similar — the subkeys are in reverse order compared to encryption. Apart from that change, the process is the same as for encryption.</p> <p><a name="Security_and_cryptanalysis" id="Security_and_cryptanalysis"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Security and cryptanalysis</span></h2> <p>Although more information has been published on the cryptanalysis of DES than any other block cipher, the most practical attack to date is still a brute force approach. 
Various minor cryptanalytic properties are known, and three theoretical attacks are possible which, while having a theoretical complexity less than a brute force attack, require an unrealistic amount of <a href="http://en.wikipedia.org/wiki/Known_plaintext" title="Known plaintext" class="mw-redirect">known</a> or <a href="http://en.wikipedia.org/wiki/Chosen_plaintext" title="Chosen plaintext" class="mw-redirect">chosen plaintext</a> to carry out, and are not a concern in practice.</p> <p><a name="Brute_force_attack" id="Brute_force_attack"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Brute force attack</span></h3> <p>For any cipher, the most basic method of attack is <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force</a> — trying every possible key in turn. The <a href="http://en.wikipedia.org/wiki/Key_length" title="Key length" class="mw-redirect">length of the key</a> determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm. 
It is known that the NSA encouraged, if not persuaded, IBM to reduce the key size from 128 to 64 bits, and from there to 56 bits; this is often taken as an indication that the NSA thought it would be able to break keys of this length even in the mid-1970s.</p> <div class="thumb tright"> <div class="thumbinner" style="width: 262px;"><a href="http://en.wikipedia.org/wiki/Image:Board300.jpg" class="image" title="The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days — the photo shows a DES Cracker circuit board fitted with several Deep Crack chips."><img alt="The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days — the photo shows a DES Cracker circuit board fitted with several Deep Crack chips." src="http://upload.wikimedia.org/wikipedia/commons/thumb/b/bd/Board300.jpg/260px-Board300.jpg" class="thumbimage" width="260" border="0" height="272" /></a> <div class="thumbcaption"> <div class="magnify"><a href="http://en.wikipedia.org/wiki/Image:Board300.jpg" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" width="15" height="11" /></a></div> The <a href="http://en.wikipedia.org/wiki/Electronic_Frontier_Foundation" title="Electronic Frontier Foundation">EFF</a>'s US$250,000 <a href="http://en.wikipedia.org/wiki/EFF_DES_cracker" title="EFF DES cracker">DES cracking machine</a> contained 1,536 custom chips and could brute force a DES key in a matter of days — the photo shows a DES Cracker circuit board fitted with several Deep Crack chips.</div> </div> </div> <p>In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day. By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. 
However, none of these early proposals were ever implemented—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was practically demonstrated in the late 1990s. In 1997, <a href="http://en.wikipedia.org/wiki/RSA_Security" title="RSA Security">RSA Security</a> sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the <a href="http://en.wikipedia.org/wiki/DESCHALL_Project" title="DESCHALL Project">DESCHALL Project</a>, led by Rocke Verser, <a href="http://en.wikipedia.org/wiki/Matt_Curtin" title="Matt Curtin">Matt Curtin</a>, and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the <a href="http://en.wikipedia.org/wiki/Electronic_Frontier_Foundation" title="Electronic Frontier Foundation">Electronic Frontier Foundation</a> (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see <a href="http://en.wikipedia.org/wiki/EFF_DES_cracker" title="EFF DES cracker">EFF DES cracker</a>). Their motivation was to show that DES was breakable in practice as well as in theory: "<i>There are many people who will not believe a truth until they can see it with their own eyes. 
Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES.</i>" The machine brute-forced a key in a little more than 2 days' search; at about the same time at least one attorney from the US Justice Department was announcing that DES was unbreakable.<sup class="noprint Template-Fact"><span title="This claim needs references to reliable sources since February 2007" style="white-space: nowrap;">[<i><a href="http://en.wikipedia.org/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed">citation needed</a></i>]</span></sup></p> <div class="thumb tleft"> <div class="thumbinner" style="width: 252px;"><a href="http://en.wikipedia.org/wiki/Image:Copacobana.jpg" class="image" title="The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, Germany, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 6.4 days on average. The photo shows the backplane of the machine with the FPGAs."><img alt="The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, Germany, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 6.4 days on average. The photo shows the backplane of the machine with the FPGAs." 
src="http://upload.wikimedia.org/wikipedia/en/thumb/5/59/Copacobana.jpg/250px-Copacobana.jpg" class="thumbimage" width="250" border="0" height="167" /></a> <div class="thumbcaption"> <div class="magnify"><a href="http://en.wikipedia.org/wiki/Image:Copacobana.jpg" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" width="15" height="11" /></a></div> The COPACOBANA machine, built for US$10,000 by the <a href="http://en.wikipedia.org/wiki/Ruhr_University" title="Ruhr University" class="mw-redirect">Universities of Bochum</a> and <a href="http://en.wikipedia.org/wiki/University_of_Kiel" title="University of Kiel">Kiel</a>, <a href="http://en.wikipedia.org/wiki/Germany" title="Germany">Germany</a>, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 6.4 days on average. The photo shows the backplane of the machine with the FPGAs.</div> </div> </div> <p>The only other confirmed DES cracker was the <a href="http://www.copacobana.org/" class="external text" title="http://www.copacobana.org/" rel="nofollow">COPACOBANA</a> machine (abbreviation of cost-optimized parallel code breaker) built more recently by teams of the <a href="http://en.wikipedia.org/wiki/Ruhr_University" title="Ruhr University" class="mw-redirect">Universities of Bochum</a> and <a href="http://en.wikipedia.org/wiki/University_of_Kiel" title="University of Kiel">Kiel</a>, both in <a href="http://en.wikipedia.org/wiki/Germany" title="Germany">Germany</a>. Unlike the EFF machine, COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of these FPGAs of type XILINX Spartan3-1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable hardware makes the machine applicable to other code-breaking tasks as well. The figure shows a full-sized COPACOBANA. One of the more interesting aspects of COPACOBANA is its cost factor. 
One machine can be built for approximately $10,000. The cost decrease by roughly a factor of 25 over the EFF machine is an impressive example of the continuous improvement of digital hardware. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Interestingly, <a href="http://en.wikipedia.org/wiki/Moore%27s_law" title="Moore's law">Moore's law</a> predicts an improvement of about 32, since about 8 years have passed between the design of the two machines, which allows for about five doublings of computer power (or 5 reductions by 50% of the cost for doing the same computation).</p> <p><a name="Attacks_faster_than_brute-force" id="Attacks_faster_than_brute-force"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Attacks faster than brute-force</span></h3> <p>There are three attacks known that can break the full sixteen rounds of DES with less complexity than a brute-force search: <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis" title="Differential cryptanalysis">differential cryptanalysis</a> (DC), <a href="http://en.wikipedia.org/wiki/Linear_cryptanalysis" title="Linear cryptanalysis">linear cryptanalysis</a> (LC), and <a href="http://en.wikipedia.org/wiki/Davies%27_attack" title="Davies' attack">Davies' attack</a>. However, the attacks are theoretical and are infeasible to mount in practice; these types of attack are sometimes termed <a href="http://en.wikipedia.org/w/index.php?title=Certificational_weakness&action=edit&redlink=1" class="new" title="Certificational weakness (page does not exist)">certificational weaknesses</a>.</p> <ul><li><i>Differential cryptanalysis</i> was rediscovered in the late 1980s by <a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Eli Biham</a> and <a href="http://en.wikipedia.org/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a>; it was known earlier to both IBM and the NSA and kept secret. 
To break the full 16 rounds, differential cryptanalysis requires 2<sup>47</sup> <a href="http://en.wikipedia.org/wiki/Chosen_plaintext" title="Chosen plaintext" class="mw-redirect">chosen plaintexts</a>. DES was designed to be resistant to DC.</li><li><i>Linear cryptanalysis</i> was discovered by <a href="http://en.wikipedia.org/wiki/Mitsuru_Matsui" title="Mitsuru Matsui">Mitsuru Matsui</a>, and needs 2<sup>43</sup> <a href="http://en.wikipedia.org/wiki/Known_plaintext" title="Known plaintext" class="mw-redirect">known plaintexts</a> (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack. A generalisation of LC — <i>multiple linear cryptanalysis</i> — was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov et al (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the attack by at least a factor of 4 (i.e. 2<sup>41</sup> instead of 2<sup>43</sup>). A similar reduction in data complexity can be obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001) performed several experiments to determine the actual time complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 2<sup>39</sup>–2<sup>41</sup> DES evaluations.</li><li><i>Improved Davies' attack</i>: while linear and differential cryptanalysis are general techniques and can be applied to a number of schemes, Davies' attack is a specialised technique for DES, first suggested by <a href="http://en.wikipedia.org/wiki/Donald_Davies" title="Donald Davies">Donald Davies</a> in the eighties, and improved by Biham and <a href="http://en.wikipedia.org/wiki/Alex_Biryukov" title="Alex Biryukov">Biryukov</a> (1997). 
The most powerful form of the attack requires 2<sup>50</sup> <a href="http://en.wikipedia.org/wiki/Known_plaintext" title="Known plaintext" class="mw-redirect">known plaintexts</a>, has a computational complexity of 2<sup>50</sup>, and has a 51% success rate.</li></ul> <p>There have also been attacks proposed against reduced-round versions of the cipher, i.e. versions of DES with fewer than sixteen rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains. <a href="http://en.wikipedia.org/wiki/Differential-linear_cryptanalysis" title="Differential-linear cryptanalysis" class="mw-redirect">Differential-linear cryptanalysis</a> was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack. An enhanced version of the attack can break 9-round DES with 2<sup>15.8</sup> known plaintexts and has a 2<sup>29.2</sup> time complexity (Biham et al., 2002).</p> <p><a name="Minor_cryptanalytic_properties" id="Minor_cryptanalytic_properties"></a></p> <h3><span class="editsection"></span> <span class="mw-headline">Minor cryptanalytic properties</span></h3> <p>DES exhibits the <a href="http://en.wikipedia.org/w/index.php?title=Complementation_property&action=edit&redlink=1" class="new" title="Complementation property (page does not exist)">complementation property</a>, namely that</p> <dl><dd><img class="tex" alt="E_K(P)=C \Leftrightarrow E_\overline{K}(\overline{P})=\overline{C}" src="http://upload.wikimedia.org/math/4/8/9/4898f4933aa323c7c10780be6a553ed0.png" /></dd></dl> <p>where <img class="tex" alt="\overline{x}" src="http://upload.wikimedia.org/math/4/d/8/4d8a563baa616b3bd56826256c46d50e.png" /> is the bitwise <a href="http://en.wikipedia.org/wiki/Complement" 
title="Complement">complement</a> of <span class="texhtml"><i>x</i>.</span> <span class="texhtml"><i>E</i><sub><i>K</i></sub></span> denotes encryption with key <span class="texhtml"><i>K</i>.</span> <span class="texhtml"><i>P</i></span> and <span class="texhtml"><i>C</i></span> denote plaintext and ciphertext blocks respectively. The complementation property means that the work for a <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force attack</a> could be reduced by a factor of 2 (or a single bit) under a <a href="http://en.wikipedia.org/wiki/Chosen-plaintext_attack" title="Chosen-plaintext attack">chosen-plaintext</a> assumption.</p> <p>DES also has four so-called <i><a href="http://en.wikipedia.org/wiki/Weak_key" title="Weak key">weak keys</a></i>. Encryption (<i>E</i>) and decryption (<i>D</i>) under a weak key have the same effect (see <a href="http://en.wikipedia.org/wiki/Involution" title="Involution">involution</a>):</p> <dl><dd><span class="texhtml"><i>E</i><sub><i>K</i></sub>(<i>E</i><sub><i>K</i></sub>(<i>P</i>)) = <i>P</i></span> or equivalently, <span class="texhtml"><i>E</i><sub><i>K</i></sub> = <i>D</i><sub><i>K</i></sub></span></dd></dl> <p>There are also six pairs of <i>semi-weak keys</i>. Encryption with one of the pair of semiweak keys, <span class="texhtml"><i>K</i><sub>1</sub></span>, operates identically to decryption with the other, <span class="texhtml"><i>K</i><sub>2</sub></span>:</p> <dl><dd><img class="tex" alt="E_{K_1}(E_{K_2}(P)) = P" src="http://upload.wikimedia.org/math/9/1/6/91613ccd4a9fa648eff4600a5ed7cda0.png" /> or equivalently, <img class="tex" alt="E_{K_2} = D_{K_1}." src="http://upload.wikimedia.org/math/5/1/d/51d2f33209d7751d7a4cd241d0cffa46.png" /></dd></dl> <p>It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. 
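</p> <p>The structural claims made in the sections above (decryption is encryption with the subkeys reversed, the F-function's expansion / subkey XOR / S-box / P-box pipeline, the rotate-and-select key schedule, the complementation property, and the weak and semi-weak keys) can all be checked on a scaled-down model. The block below is an added example written for this page, not code from the original article or from the DES standard: a constructed 16-bit Feistel cipher with the same shape as DES. Every table in it is made up except the two S-boxes, which are DES's S1 and S2 reproduced from memory; the checks at the end do not depend on the S-box entries, only on the fact that E, PC-1 and PC-2 are pure bit selections and that the key halves are rotated by the DES shift schedule.</p>

```python
"""Toy DES-shaped Feistel cipher, constructed for this page (NOT real DES).
Same shape as the description above at quarter scale: 16-bit block, 16-bit
nominal key of which 12 bits are used, 16 rounds, F = E -> subkey XOR ->
S-boxes -> P-box, key schedule = PC-1 -> split -> rotate -> PC-2."""

def permute(value, width, table):
    """Select bits of `value` (bit 1 = MSB of a `width`-bit word) in the
    order listed in `table`, which is how DES's permutation tables are read."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def rotl(value, width, n):
    """Rotate a `width`-bit word left by n bits (the '<<<' in Figure 3)."""
    mask = (1 << width) - 1
    return ((value << n) | (value >> (width - n))) & mask

BLOCK, HALF, KEYBITS = 16, 8, 16
MASK = (1 << BLOCK) - 1
# Constructed tables: DES-like shape, made-up values.
IP = [2, 6, 10, 14, 4, 8, 12, 16, 1, 5, 9, 13, 3, 7, 11, 15]
FP = [IP.index(i) + 1 for i in range(1, BLOCK + 1)]        # inverse of IP
E = [8, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 1]                   # 8 -> 12 bits by duplication
P = [2, 5, 8, 1, 6, 3, 7, 4]                               # P-box over the S-box output
PC1 = [1, 2, 3, 5, 6, 7, 9, 10, 11, 13, 14, 15]            # drops 'parity' bits 4, 8, 12, 16
PC2 = [2, 4, 6, 1, 3, 5, 8, 10, 12, 7, 9, 11]              # 6 bits from C, 6 from D
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # DES's per-round rotations
# S-boxes: DES's S1 and S2 (FIPS 46), reproduced from memory; the checks below
# do not depend on the exact entries.  Row = outer two bits, column = inner four.
S = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
     0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
     4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
     15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
     3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
     0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
     13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]

def sbox(i, six):
    row = (((six >> 5) & 1) << 1) | (six & 1)
    return S[i][row * 16 + ((six >> 1) & 0xF)]

def f(half, subkey):
    """The F-function: expansion, key mixing, substitution, permutation."""
    x = permute(half, HALF, E) ^ subkey                    # E, then XOR with the subkey
    y = (sbox(0, x >> 6) << 4) | sbox(1, x & 0x3F)         # two 6-in/4-out S-boxes
    return permute(y, HALF, P)                             # P-box

def subkeys(key):
    """Key schedule: PC-1, split into two 6-bit halves, rotate, PC-2 each round."""
    cd = permute(key, KEYBITS, PC1)
    c, d = cd >> 6, cd & 0x3F
    out = []
    for s in SHIFTS:
        c, d = rotl(c, 6, s), rotl(d, 6, s)
        out.append(permute((c << 6) | d, 12, PC2))
    return out

def feistel(block, round_keys):
    """IP, 16 rounds, FP.  The halves are not swapped after the last round,
    which is what lets decryption reuse this function unchanged."""
    block = permute(block, BLOCK, IP)
    l, r = block >> HALF, block & 0xFF
    for k in round_keys:
        l, r = r, l ^ f(r, k)
    return permute((r << HALF) | l, BLOCK, FP)

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])              # same rounds, subkeys reversed

def complementation_holds(p, k):
    """E_K(P) = C  <=>  E_~K(~P) = ~C: E, PC-1 and PC-2 are bit selections, so
    the two complements meet at the subkey XOR and cancel before the S-boxes."""
    return encrypt(p ^ MASK, k ^ MASK) == encrypt(p, k) ^ MASK

def is_weak(key):
    """Weak key: every round subkey is identical, hence E_K = D_K."""
    return len(set(subkeys(key))) == 1

def is_semi_weak_pair(k1, k2):
    """Semi-weak pair: k2's subkeys are k1's in reverse order, hence E_K2 = D_K1."""
    return subkeys(k2) == subkeys(k1)[::-1]

if __name__ == "__main__":
    p, k = 0xBEEF, 0x2F3D                                  # constructed sample values
    assert decrypt(encrypt(p, k), k) == p and complementation_holds(p, k)
    # Halves that are all-0 or all-1 are unchanged by rotation: four weak keys.
    assert all(is_weak(w) for w in (0x0000, 0xFFFF, 0x00FF, 0xFF00))
    # Alternating halves 010101/101010 flip under odd rotations, and DES's shift
    # schedule then makes the two subkey sequences reverses of each other.
    assert is_semi_weak_pair(0x4A4A, 0xA4A4) and encrypt(encrypt(p, 0x4A4A), 0xA4A4) == p
    print("all structural properties hold")
```

<p>Running the file confirms the mechanisms behind the properties listed on this page rather than just their statements: the four keys whose 6-bit halves are all-0 or all-1 are fixed by every rotation, so all sixteen subkeys coincide and encryption is its own inverse, which is exactly why real DES, with 28-bit halves, has four weak keys; the pair 0x4A4A/0xA4A4 (constructed so that PC-1 yields the halves 010101 and 101010) has mirror-image subkey sequences only because the DES rotation schedule makes the odd-shift rounds fall symmetrically, which is why real DES has six semi-weak pairs; and the complementation check goes through for any plaintext and key because nothing before the S-boxes is non-linear in the complement. Replacing the S-box tables with any other 6-to-4-bit lookup leaves every assertion true, which is the point: these are properties of the Feistel and key-schedule structure, not of the S-boxes.</p> <p>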
The keys are not really any weaker than any other keys anyway, as they do not give an attack any advantage.</p> <p>DES has also been proved not to be a <a href="http://en.wikipedia.org/wiki/Group_%28mathematics%29" title="Group (mathematics)">group</a>, or more precisely, the set <span class="texhtml">{<i>E</i><sub><i>K</i></sub>}</span> (for all possible keys <span class="texhtml"><i>K</i></span>) under <a href="http://en.wikipedia.org/wiki/Functional_composition" title="Functional composition" class="mw-redirect">functional composition</a> is not a group, nor "close" to being a group (Campbell and Wiener, 1992). This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security.</p> <p>It is known that the maximum cryptographic security of DES is limited to about 64 bits, even when independently choosing all round subkeys instead of deriving them from a key, which would otherwise permit a security of 768 bits.</p> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <div style="border: 1px solid rgb(170, 170, 170); margin: 0pt 0pt 1em 1em; padding: 1ex; background: rgb(249, 249, 249) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; font-size: 90%;" class="tright"> <table style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" width="120" border="0"> <tbody><tr> <td><a href="http://en.wikipedia.org/wiki/Image:Crypto_key.svg" class="image" title="Crypto key.svg"><img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/6/65/Crypto_key.svg/49px-Crypto_key.svg.png" width="49" border="0" height="25" /></a></td> <td><i><b><a 
href="http://en.wikipedia.org/wiki/Portal:Cryptography" title="Portal:Cryptography">Cryptography Portal</a></b></i></td> </tr> </tbody></table> </div> <ul><li><a href="http://en.wikipedia.org/wiki/DES_supplementary_material" title="DES supplementary material">DES supplementary material</a></li><li><a href="http://en.wikipedia.org/wiki/Symmetric_key_algorithm" title="Symmetric key algorithm" class="mw-redirect">Symmetric key algorithm</a></li><li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a></li><li><a href="http://en.wikipedia.org/wiki/Skipjack_%28cipher%29" title="Skipjack (cipher)">Skipjack</a></li></ul> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <div class="references-small"> <ul><li>Ehrsam et al., Product Block Cipher System for Data Security, <span class="plainlinks"><a href="http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=3962539" class="external text" title="http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=3962539" rel="nofollow">U.S. Patent 3,962,539</a></span><span class="PDFlink noprint"><a href="http://www.pat2pdf.org/pat2pdf/foo.pl?number=3962539" class="external text" title="http://www.pat2pdf.org/pat2pdf/foo.pl?number=3962539" rel="nofollow"> </a></span>, Filed February 24, 1975</li><li><cite style="font-style: normal;"><a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Eli Biham</a>, <a href="http://en.wikipedia.org/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a> (1991). "<a href="http://www.springerlink.com/content/k54h077np8714058/" class="external text" title="http://www.springerlink.com/content/k54h077np8714058/" rel="nofollow">Differential Cryptanalysis of DES-like Cryptosystems</a>". <i><a href="http://en.wikipedia.org/wiki/Journal_of_Cryptology" title="Journal of Cryptology">Journal of Cryptology</a></i> <b>4</b> (1): 3-72. 
<a href="http://en.wikipedia.org/wiki/Digital_object_identifier" title="Digital object identifier">doi</a>:<span class="neverexpand"><a href="http://dx.doi.org/10.1007%2FBF00630563" class="external text" title="http://dx.doi.org/10.1007%2FBF00630563" rel="nofollow">10.1007/BF00630563</a></span>.</cite><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Differential+Cryptanalysis+of+DES-like+Cryptosystems&rft.jtitle=%5B%5BJournal+of+Cryptology%5D%5D&rft.date=1991&rft.volume=4&rft.issue=1&rft.au=%5B%5BEli+Biham%5D%5D%2C+%5B%5BAdi+Shamir%5D%5D&rft.pages=3-72&rft_id=info:doi/10.1007%2FBF00630563&rft_id=http%3A%2F%2Fwww.springerlink.com%2Fcontent%2Fk54h077np8714058%2F"><span style="display: none;"> </span></span> (<a href="http://nfotemple.free.fr/site_cryptokg/site_roy/differential%20cryptanalysis%20of%20des-like%20cryptosystems.pdf" class="external text" title="http://nfotemple.free.fr/site_cryptokg/site_roy/differential%20cryptanalysis%20of%20des-like%20cryptosystems.pdf" rel="nofollow">preprint</a>)</li><li><a href="http://en.wikipedia.org/wiki/Eli_Biham" title="Eli Biham">Eli Biham</a>, <a href="http://en.wikipedia.org/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a>, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. <a href="http://en.wikipedia.org/wiki/Special:BookSources/0387979301" class="internal">ISBN 0-387-97930-1</a>, <a href="http://en.wikipedia.org/wiki/Special:BookSources/3540979301" class="internal">ISBN 3-540-97930-1</a>.</li><li>Eli Biham, <a href="http://en.wikipedia.org/wiki/Alex_Biryukov" title="Alex Biryukov">Alex Biryukov</a>: An Improvement of Davies' Attack on DES. J. 
Cryptology 10(3): 195–206 (1997)</li><li>Eli Biham, <a href="http://en.wikipedia.org/w/index.php?title=Orr_Dunkelman&action=edit&redlink=1" class="new" title="Orr Dunkelman (page does not exist)">Orr Dunkelman</a>, Nathan Keller: Enhancing Differential-Linear Cryptanalysis. <a href="http://en.wikipedia.org/wiki/ASIACRYPT" title="ASIACRYPT" class="mw-redirect">ASIACRYPT</a> 2002: pp254–266</li><li>Eli Biham: A Fast New DES Implementation in Software <a href="http://cryptome.org/cracking-des/cracking-des.htm" class="external text" title="http://cryptome.org/cracking-des/cracking-des.htm" rel="nofollow">Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design</a>, <a href="http://en.wikipedia.org/wiki/Electronic_Frontier_Foundation" title="Electronic Frontier Foundation">Electronic Frontier Foundation</a></li><li><cite style="font-style: normal;">A.Biryukov, C.De Canniere, M.Quisquater (2004). "<a href="http://www.springerlink.com/content/16udaqwwl9ffrtxt/" class="external text" title="http://www.springerlink.com/content/16udaqwwl9ffrtxt/" rel="nofollow">On Multiple Linear Approximations</a>". <i><a href="http://en.wikipedia.org/wiki/Lecture_Notes_in_Computer_Science" title="Lecture Notes in Computer Science">Lecture Notes in Computer Science</a></i> <b>3152</b>: 1-22. 
<a href="http://en.wikipedia.org/wiki/Digital_object_identifier" title="Digital object identifier">doi</a>:<span class="neverexpand"><a href="http://dx.doi.org/10.1007%2Fb99099" class="external text" title="http://dx.doi.org/10.1007%2Fb99099" rel="nofollow">10.1007/b99099</a></span>.</cite><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=On+Multiple+Linear+Approximations&rft.jtitle=%5B%5BLecture+Notes+in+Computer+Science%5D%5D&rft.date=2004&rft.volume=3152&rft.au=A.Biryukov%2C+C.De+Canniere%2C+M.Quisquater&rft.pages=1-22&rft_id=info:doi/10.1007%2Fb99099&rft_id=http%3A%2F%2Fwww.springerlink.com%2Fcontent%2F16udaqwwl9ffrtxt%2F"><span style="display: none;"> </span></span> (<a href="http://www.esat.kuleuven.ac.be/%7Eabiryuko/mla.pdf" class="external text" title="http://www.esat.kuleuven.ac.be/~abiryuko/mla.pdf" rel="nofollow">preprint</a>).</li><li>Keith W. Campbell, Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520</li><li><a href="http://en.wikipedia.org/wiki/Don_Coppersmith" title="Don Coppersmith">Don Coppersmith</a>. (1994). The data encryption standard (DES) and its strength against attacks. <i>IBM Journal of Research and Development</i>, <b>38</b>(3), 243–250. 
<a href="http://www.research.ibm.com/journal/rd/383/coppersmith.pdf" class="external autonumber" title="http://www.research.ibm.com/journal/rd/383/coppersmith.pdf" rel="nofollow">PDF</a></li><li><a href="http://en.wikipedia.org/wiki/Whitfield_Diffie" title="Whitfield Diffie">Whitfield Diffie</a>, <a href="http://en.wikipedia.org/wiki/Martin_Hellman" title="Martin Hellman">Martin Hellman</a>, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard", IEEE Computer 10(6), June 1977, pp. 74–84</li><li><a href="http://en.wikipedia.org/wiki/John_Gilmore_%28activist%29" title="John Gilmore (activist)">John Gilmore</a>, "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design", 1998, O'Reilly, <a href="http://en.wikipedia.org/wiki/Special:BookSources/1565925203" class="internal">ISBN 1-56592-520-3</a>.</li><li>Pascal Junod, <a href="http://crypto.junod.info/sac01.html" class="external text" title="http://crypto.junod.info/sac01.html" rel="nofollow">"On the Complexity of Matsui's Attack."</a> <a href="http://en.wikipedia.org/wiki/Selected_Areas_in_Cryptography" title="Selected Areas in Cryptography">Selected Areas in Cryptography</a>, 2001, pp. 199–211.</li><li><a href="http://en.wikipedia.org/wiki/Burt_Kaliski" title="Burt Kaliski">Burton S. Kaliski Jr.</a>, <a href="http://en.wikipedia.org/wiki/Matt_Robshaw" title="Matt Robshaw">Matthew J. B. Robshaw</a>: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp. 26–39</li><li><a href="http://en.wikipedia.org/wiki/Lars_R._Knudsen" title="Lars R. Knudsen" class="mw-redirect">Lars R. Knudsen</a>, John Erik Mathiassen: A Chosen-Plaintext Linear Attack on DES. <a href="http://en.wikipedia.org/wiki/Fast_Software_Encryption" title="Fast Software Encryption">Fast Software Encryption</a> - FSE 2000: pp. 262–272</li><li>Susan K. Langford, Martin E. Hellman: Differential-Linear Cryptanalysis. 
CRYPTO 1994: pp. 17–25</li><li><a href="http://en.wikipedia.org/wiki/Steven_Levy" title="Steven Levy">Steven Levy</a>, <a href="http://en.wikipedia.org/wiki/Crypto:_How_the_Code_Rebels_Beat_the_Government_Saving_Privacy_in_the_Digital_Age" title="Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age">Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age</a>, 2001, <a href="http://en.wikipedia.org/wiki/Special:BookSources/0140244328" class="internal">ISBN 0-14-024432-8</a>.</li><li><cite style="font-style: normal;">Mitsuru Matsui (1994). "<a href="http://www.springerlink.com/content/92509p5l4ravyn62/" class="external text" title="http://www.springerlink.com/content/92509p5l4ravyn62/" rel="nofollow">Linear Cryptanalysis Method for DES Cipher</a>". <i><a href="http://en.wikipedia.org/wiki/Lecture_Notes_in_Computer_Science" title="Lecture Notes in Computer Science">Lecture Notes in Computer Science</a></i> <b>765</b>: 386–397. <a href="http://en.wikipedia.org/wiki/Digital_object_identifier" title="Digital object identifier">doi</a>:<span class="neverexpand"><a href="http://dx.doi.org/10.1007%2F3-540-48285-7" class="external text" title="http://dx.doi.org/10.1007%2F3-540-48285-7" rel="nofollow">10.1007/3-540-48285-7</a></span>.</cite> (<a href="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.50.8472" class="external text" title="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.50.8472" rel="nofollow">preprint</a>)</li><li><cite style="font-style: 
normal;">Mitsuru Matsui (1994). "<a href="http://www.springerlink.com/content/vrteugmt7erqqbw1/" class="external text" title="http://www.springerlink.com/content/vrteugmt7erqqbw1/" rel="nofollow">The First Experimental Cryptanalysis of the Data Encryption Standard</a>". <i><a href="http://en.wikipedia.org/wiki/Lecture_Notes_in_Computer_Science" title="Lecture Notes in Computer Science">Lecture Notes in Computer Science</a></i> <b>839</b>: 1–11. <a href="http://en.wikipedia.org/wiki/Digital_object_identifier" title="Digital object identifier">doi</a>:<span class="neverexpand"><a href="http://dx.doi.org/10.1007%2F3-540-48658-5_1" class="external text" title="http://dx.doi.org/10.1007%2F3-540-48658-5_1" rel="nofollow">10.1007/3-540-48658-5_1</a></span>.</cite></li><li>National Bureau of Standards, Data Encryption Standard, FIPS PUB 46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.</li></ul> </div> <p><a name="Notes" id="Notes"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Notes</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-0"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-0" title="">^</a></b> <cite style="font-style: normal;">Walter Tuchman (1997). "A brief history of the data encryption standard". <i>Internet besieged: countering cyberspace scofflaws</i>: 275–280, ACM Press/Addison-Wesley Publishing Co. 
New York, NY, USA.</cite></li><li id="cite_note-1"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-1" title="">^</a></b> <cite class="book" style="font-style: normal;">Schneier, <i>Applied Cryptography</i>, 2nd ed., p. 280.</cite></li><li id="cite_note-2"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-2" title="">^</a></b> <cite class="book" style="font-style: normal;" id="Reference-Davies-1989">Davies, D.W.; W.L. Price (1989). <i>Security for computer networks, 2nd ed.</i> John Wiley & Sons.</cite></li><li id="cite_note-3"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-3" title="">^</a></b> <cite style="font-style: normal;">Robert Sugarman (editor) (July 1979). "On foiling computer crime". <i>IEEE Spectrum</i>. 
<a href="http://en.wikipedia.org/wiki/IEEE" title="IEEE" class="mw-redirect">IEEE</a>.</cite></li><li id="cite_note-4"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-4" title="">^</a></b> <cite style="font-style: normal;">P. Kinnucan (October 1978). "Data Encryption Gurus: Tuchman and Meyer". <i>Cryptologia</i> <b>2</b> (4).</cite></li><li id="cite_note-5"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-5" title="">^</a></b> Levy, <i>Crypto</i>, p. 55</li><li id="cite_note-6"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-6" title="">^</a></b> Levy, p. 55</li><li id="cite_note-7"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-7" title="">^</a></b> <a href="http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf" class="external free" title="http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf" rel="nofollow">NIST SP 800-67 (PDF): http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf</a></li><li id="cite_note-8"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-8" title="">^</a></b> Bruce Schneier, <i>Applied Cryptography: Protocols, Algorithms, and Source Code in C</i>, Second edition, John Wiley and Sons, New York (1996) p. 267</li><li id="cite_note-9"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-9" title="">^</a></b> William E. 
Burr, "Data Encryption Standard", in NIST's anthology "A Century of Excellence in Measurements, Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901–2000". <a href="http://nvl.nist.gov/pub/nistpubs/sp958-lide/html/250-253.html" class="external text" title="http://nvl.nist.gov/pub/nistpubs/sp958-lide/html/250-253.html" rel="nofollow">HTML</a> <a href="http://nvl.nist.gov/pub/nistpubs/sp958-lide/250-253.pdf" class="external text" title="http://nvl.nist.gov/pub/nistpubs/sp958-lide/250-253.pdf" rel="nofollow">PDF</a></li><li id="cite_note-10"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-10" title="">^</a></b> <a href="http://edocket.access.gpo.gov/2004/04-16894.htm" class="external text" title="http://edocket.access.gpo.gov/2004/04-16894.htm" rel="nofollow">FR Doc 04-16894</a></li><li id="cite_note-11"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-11" title="">^</a></b> <a href="http://www.itl.nist.gov/fipspubs/fip81.htm" class="external text" title="http://www.itl.nist.gov/fipspubs/fip81.htm" rel="nofollow">FIPS 81 - DES Modes of Operation</a></li><li id="cite_note-12"><b><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_ref-12" title="">^</a></b> <a href="http://www.itl.nist.gov/fipspubs/fip74.htm" class="external text" title="http://www.itl.nist.gov/fipspubs/fip74.htm" rel="nofollow">FIPS 74 - Guidelines for Implementing and Using the NBS Data</a></li></ol> </div> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf" class="external text" title="http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf" rel="nofollow">FIPS 46-3: The official document describing the DES standard</a> (PDF); <a href="http://www.itl.nist.gov/fipspubs/fip46-2.htm" class="external text" 
title="http://www.itl.nist.gov/fipspubs/fip46-2.htm" rel="nofollow">An older version in HTML.</a></li><li><a href="http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/" class="external text" title="http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/" rel="nofollow">The EFF DES cracker project</a></li><li><a href="http://www.copacobana.org/" class="external text" title="http://www.copacobana.org/" rel="nofollow">COPACOBANA, a $10,000 DES cracker based on FPGAs by the Universities of Bochum and Kiel</a></li><li><a href="http://research.cyber.ee/%7Elipmaa/crypto/link/block/des.php" class="external text" title="http://research.cyber.ee/~lipmaa/crypto/link/block/des.php" rel="nofollow">Helger Lipmaa's links for DES</a></li><li><a href="http://www.tropsoft.com/strongenc/des.htm" class="external text" title="http://www.tropsoft.com/strongenc/des.htm" rel="nofollow">Worked DES example</a></li><li><a href="http://people.eku.edu/styere/Encrypt/JS-DES.html" class="external text" title="http://people.eku.edu/styere/Encrypt/JS-DES.html" rel="nofollow">A Javascript DES calculator showing intermediate values</a></li><li><a href="http://dhost.info/pasjagor/des/index.html" class="external text" title="http://dhost.info/pasjagor/des/index.html" rel="nofollow">A step-by-step presentation of the DES scheme and a reliable message encrypting/decrypting application</a></li><li><a href="http://www.quadibloc.com/crypto/co0402.htm" class="external text" title="http://www.quadibloc.com/crypto/co0402.htm" rel="nofollow">John Savard's description of DES</a></li><li><a href="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0891.ps" class="external text" title="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0891.ps" rel="nofollow">A Fast New DES Implementation in Software - Biham</a></li><li><a href="http://www.darkside.com.au/bitslice/" class="external text" title="http://www.darkside.com.au/bitslice/" rel="nofollow">Bit slice implementation 
of DES</a></li><li><a href="http://eprint.iacr.org/2004/057.ps.gz" class="external text" title="http://eprint.iacr.org/2004/057.ps.gz" rel="nofollow">On Multiple Linear Approximations</a></li><li><a href="http://hardware-hacking.com/FPGA_DES_Cracking" class="external text" title="http://hardware-hacking.com/FPGA_DES_Cracking" rel="nofollow">FPGA DES Cracking</a> at <a href="http://hardware-hacking.com/" class="external text" title="http://hardware-hacking.com" rel="nofollow">hardware-hacking.com</a></li><li><a href="http://www.rfc-editor.org/rfc/rfc4772.txt" class="external text" title="http://www.rfc-editor.org/rfc/rfc4772.txt" rel="nofollow">RFC 4772: Security Implications of Using the Data Encryption Standard (DES)</a></li></ul> <table class="navbox" style="" cellspacing="0"> <tbody><tr> <td style="padding: 2px;"> <table class="nowraplinks" style="background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; color: inherit;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <div style="float: left; width: 6em; text-align: left;"> </div> <div style="float: right; width: 6em;"> </div> <span style="font-size: 100%;"><a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">Block ciphers</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Common algorithms:</b> <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">AES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Blowfish_%28cipher%29" title="Blowfish (cipher)">Blowfish</a> |</span> <span style="white-space: nowrap;"><strong class="selflink">DES</strong> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Serpent_%28cipher%29" title="Serpent (cipher)">Serpent</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Twofish" title="Twofish">Twofish</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Other algorithms:</b> <a href="http://en.wikipedia.org/wiki/3-Way" title="3-Way">3-Way</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ABC_%28block_cipher%29" title="ABC (block cipher)">ABC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Akelarre_%28cipher%29" title="Akelarre (cipher)">Akelarre</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Anubis_%28cipher%29" title="Anubis (cipher)">Anubis</a> |</span> <span 
style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ARIA_%28cipher%29" title="ARIA (cipher)">ARIA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BaseKing" title="BaseKing">BaseKing</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BassOmatic" title="BassOmatic">BassOmatic</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BATON" title="BATON">BATON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BEAR_and_LION_Cipher" title="BEAR and LION Cipher">BEAR and LION</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cryptomeria_cipher" title="Cryptomeria cipher">C2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Camellia_%28cipher%29" title="Camellia (cipher)">Camellia</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CAST-128" title="CAST-128">CAST-128</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CAST-256" title="CAST-256">CAST-256</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIKS-1" title="CIKS-1">CIKS-1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIPHERUNICORN-A" title="CIPHERUNICORN-A">CIPHERUNICORN-A</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIPHERUNICORN-E" title="CIPHERUNICORN-E">CIPHERUNICORN-E</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CLEFIA" title="CLEFIA">CLEFIA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cellular_Message_Encryption_Algorithm" title="Cellular Message Encryption Algorithm">CMEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cobra_ciphers" title="Cobra ciphers">Cobra</a> |</span> <span 
style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/COCONUT98" title="COCONUT98">COCONUT98</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Crab_%28cipher%29" title="Crab (cipher)">Crab</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CRYPTON" title="CRYPTON">CRYPTON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CS-Cipher" title="CS-Cipher">CS-Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DEAL" title="DEAL">DEAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DES-X" title="DES-X">DES-X</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DFC_%28cipher%29" title="DFC (cipher)">DFC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/E2_%28cipher%29" title="E2 (cipher)">E2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FEAL" title="FEAL">FEAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FEA-M" title="FEA-M">FEA-M</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FROG" title="FROG">FROG</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/G-DES" title="G-DES" class="mw-redirect">G-DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/GOST_%28block_cipher%29" title="GOST (block cipher)">GOST</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Grand_Cru_%28cipher%29" title="Grand Cru (cipher)">Grand Cru</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Hasty_Pudding_cipher" title="Hasty Pudding cipher">Hasty Pudding cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Hierocrypt" 
title="Hierocrypt">Hierocrypt</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ICE_%28cipher%29" title="ICE (cipher)">ICE</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm" title="International Data Encryption Algorithm">IDEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Idea_NXT" title="Idea NXT">IDEA NXT</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Intel_Cascade_Cipher" title="Intel Cascade Cipher">Intel Cascade Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Iraqi_block_cipher" title="Iraqi block cipher">Iraqi</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KASUMI_%28block_cipher%29" title="KASUMI (block cipher)">KASUMI</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KeeLoq" title="KeeLoq">KeeLoq</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KHAZAD" title="KHAZAD">KHAZAD</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Khufu_and_Khafre" title="Khufu and Khafre">Khufu and Khafre</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KN-Cipher" title="KN-Cipher">KN-Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Ladder-DES" title="Ladder-DES">Ladder-DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Libelle_%28cipher%29" title="Libelle (cipher)">Libelle</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/LOKI97" title="LOKI97">LOKI97</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/LOKI" title="LOKI">LOKI89/91</a> |</span> <span style="white-space: nowrap;"><a 
href="http://en.wikipedia.org/wiki/Lucifer_%28cipher%29" title="Lucifer (cipher)">Lucifer</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/M6_%28cipher%29" title="M6 (cipher)">M6</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/M8_%28cipher%29" title="M8 (cipher)">M8</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MacGuffin_%28cipher%29" title="MacGuffin (cipher)">MacGuffin</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Madryga" title="Madryga">Madryga</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MAGENTA" title="MAGENTA">MAGENTA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MARS_%28cryptography%29" title="MARS (cryptography)">MARS</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Mercy_%28cipher%29" title="Mercy (cipher)">Mercy</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MESH_%28cipher%29" title="MESH (cipher)">MESH</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MISTY1" title="MISTY1">MISTY1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MMB" title="MMB">MMB</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MULTI2" title="MULTI2">MULTI2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MultiSwap" title="MultiSwap">MultiSwap</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/New_Data_Seal" title="New Data Seal">New Data Seal</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NewDES" title="NewDES">NewDES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Nimbus_%28cipher%29" title="Nimbus (cipher)">Nimbus</a> 
|</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NOEKEON" title="NOEKEON">NOEKEON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NUSH" title="NUSH">NUSH</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Q_%28cipher%29" title="Q (cipher)">Q</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC2" title="RC2">RC2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC5" title="RC5">RC5</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC6" title="RC6">RC6</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/REDOC" title="REDOC">REDOC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Red_Pike" title="Red Pike">Red Pike</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/S-1_block_cipher" title="S-1 block cipher">S-1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SAFER" title="SAFER">SAFER</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SAVILLE" title="SAVILLE">SAVILLE</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SC2000" title="SC2000">SC2000</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SEED" title="SEED">SEED</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHACAL" title="SHACAL">SHACAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHARK" title="SHARK">SHARK</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Skipjack_%28cipher%29" title="Skipjack (cipher)">Skipjack</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SMS4" title="SMS4">SMS4</a> |</span> <span 
style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Spectr-H64" title="Spectr-H64">Spectr-H64</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Square_%28cipher%29" title="Square (cipher)">Square</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SXAL/MBAL" title="SXAL/MBAL">SXAL/MBAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm" title="Tiny Encryption Algorithm">TEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Treyfer" title="Treyfer">Treyfer</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/UES_%28cipher%29" title="UES (cipher)">UES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Xenon_%28cipher%29" title="Xenon (cipher)">Xenon</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Xmx" title="Xmx">xmx</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XTEA" title="XTEA">XTEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XXTEA" title="XXTEA">XXTEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Zodiac_%28cipher%29" title="Zodiac (cipher)">Zodiac</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Design:</b> <a href="http://en.wikipedia.org/wiki/Feistel_cipher" title="Feistel cipher">Feistel network</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Key_schedule" title="Key schedule">Key schedule</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Product_cipher" title="Product cipher">Product 
cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Substitution_box" title="Substitution box">S-box</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Substitution-permutation_network" title="Substitution-permutation network">SPN</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Attacks:</b> <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">Brute force</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Linear_cryptanalysis" title="Linear cryptanalysis">Linear</a> / <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis" title="Differential cryptanalysis">Differential</a> / <a href="http://en.wikipedia.org/wiki/Integral_cryptanalysis" title="Integral cryptanalysis">Integral</a> <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Mod_n_cryptanalysis" title="Mod n cryptanalysis">Mod <i>n</i></a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Related-key_attack" title="Related-key attack">Related-key</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Slide_attack" title="Slide attack">Slide</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XSL_attack" title="XSL attack">XSL</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Standardization:</b> <a 
href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process" title="Advanced Encryption Standard process">AES process</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CRYPTREC" title="CRYPTREC">CRYPTREC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NESSIE" title="NESSIE">NESSIE</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Misc:</b> <a href="http://en.wikipedia.org/wiki/Avalanche_effect" title="Avalanche effect">Avalanche effect</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">Block size</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Initialization_vector" title="Initialization vector">IV</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Key_size" title="Key size">Key size</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" title="Block cipher modes of operation">Modes of operation</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Piling-up_lemma" title="Piling-up lemma">Piling-up lemma</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Weak_key" title="Weak key">Weak key</a></span></p> </div> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; 
-moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <div style="float: left; width: 6em; text-align: left;"> <div class="noprint plainlinksneverexpand" style="border: medium none ; padding: 0pt; background: rgb(204, 204, 255) none repeat scroll 0% 0%; white-space: nowrap; font-weight: normal; font-size: xx-small; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;"><a href="http://en.wikipedia.org/wiki/Template:Crypto_navbox" title="Template:Crypto navbox"><span title="View this template" style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">v</span></a> <span style="font-size: 80%;">•</span> <a href="http://en.wikipedia.org/wiki/Template_talk:Crypto_navbox" title="Template talk:Crypto navbox"><span style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; color: rgb(0, 43, 184); -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" title="Discussion about this template">d</span></a> <span style="font-size: 80%;">•</span> <a href="http://en.wikipedia.org/w/index.php?title=Template:Crypto_navbox&action=edit" class="external text" title="http://en.wikipedia.org/w/index.php?title=Template:Crypto_navbox&action=edit" rel="nofollow"><span style="border: medium none ; background: rgb(204, 204, 255) none repeat scroll 0% 0%; color: rgb(0, 43, 184); -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" title="You can edit this template. 
Please use the preview button before saving.">e</span></a></div> </div> <div style="float: right; width: 6em;"> </div> <span style="font-size: 100%;"><a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">Cryptography</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"><a href="http://en.wikipedia.org/wiki/History_of_cryptography" title="History of cryptography">History of cryptography</a> | <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">Cryptanalysis</a> | <a href="http://en.wikipedia.org/wiki/Portal:Cryptography" title="Portal:Cryptography">Cryptography portal</a> | <a href="http://en.wikipedia.org/wiki/Topics_in_cryptography" title="Topics in cryptography">Topics in cryptography</a></div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"><a href="http://en.wikipedia.org/wiki/Symmetric-key_algorithm" title="Symmetric-key algorithm">Symmetric-key algorithm</a> | <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">Block cipher</a> | <a href="http://en.wikipedia.org/wiki/Stream_cipher" title="Stream cipher">Stream cipher</a> | <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">Public-key cryptography</a> | <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" title="Cryptographic hash function">Cryptographic hash function</a> | <a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code">Message authentication code</a> | <a href="http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator" title="Cryptographically secure pseudorandom number generator">Random numbers</a> | <a 
href="http://en.wikipedia.org/wiki/Steganography" title="Steganography">Steganography</a></div> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard">http://en.wikipedia.org/wiki/Data_Encryption_Standard</a>"</div>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-58885260253661878892008-09-30T07:24:00.000-07:002008-09-30T08:30:26.331-07:00Advanced Encryption Standard<table class="infobox" style="text-align: left; line-height: 1.5em; width: 23em; font-size: 90%;" cellspacing="5"> <tbody><tr> <td colspan="2" class="" style="background: transparent none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; 
-moz-background-inline-policy: -moz-initial; font-size: larger; font-weight: bold;">AES</td> </tr> <tr> <td colspan="2" class="" style="padding-bottom: 1em; text-align: center;"> <div class="center"> <div class="floatnone"><span><a href="http://en.wikipedia.org/wiki/Image:AES-SubBytes.svg" class="image" title="AES-SubBytes.svg"><img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/a/a4/AES-SubBytes.svg/280px-AES-SubBytes.svg.png" width="280" border="0" height="145" /></a></span></div> </div><br /><div style="padding-top: 0.4em;"><span style="line-height: 1.2em; font-size: 80%;">The <tt>SubBytes</tt> step, one of four stages in a round of AES</span></div> </td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">General</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Designers</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Vincent_Rijmen" title="Vincent Rijmen">Vincent Rijmen</a>, <a href="http://en.wikipedia.org/wiki/Joan_Daemen" title="Joan Daemen">Joan Daemen</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">First published</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">1998</td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Derived from</th> <td class="" style="line-height: 1.2em; vertical-align: 
middle;"><a href="http://en.wikipedia.org/wiki/Square_%28cipher%29" title="Square (cipher)">Square</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Successors</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Anubis_%28cipher%29" title="Anubis (cipher)">Anubis</a>, <a href="http://en.wikipedia.org/wiki/Grand_Cru_%28cipher%29" title="Grand Cru (cipher)">Grand Cru</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Certification</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process" title="Advanced Encryption Standard process">AES</a> winner, <a href="http://en.wikipedia.org/wiki/CRYPTREC" title="CRYPTREC">CRYPTREC</a>, <a href="http://en.wikipedia.org/wiki/NESSIE" title="NESSIE">NESSIE</a></td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Cipher detail</th> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Key_size" title="Key size">Key sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">128, 192 or 256 bits<sup id="cite_ref-keysize_0-0" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-keysize-0" title="">[1]</a></sup></td> </tr> <tr> <th 
style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;"><a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">Block sizes</a></th> <td class="" style="line-height: 1.2em; vertical-align: middle;">128 bits<sup id="cite_ref-blocksize_1-0" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-blocksize-1" title="">[2]</a></sup></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Structure</th> <td class="" style="line-height: 1.2em; vertical-align: middle;"><a href="http://en.wikipedia.org/wiki/Substitution-permutation_network" title="Substitution-permutation network">Substitution-permutation network</a></td> </tr> <tr> <th style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; line-height: 1.2em;">Rounds</th> <td class="" style="line-height: 1.2em; vertical-align: middle;">10, 12 or 14 (depending on key size)</td> </tr> <tr> <th colspan="2" style="background: lightsteelblue none repeat scroll 0% 0%; text-align: center; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;">Best public <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptanalysis</a></th> </tr> <tr> <td colspan="2" class="" style="text-align: center; line-height: 1.2em; vertical-align: middle;"> <div style="line-height: 1.25em; text-align: left;">A <a href="http://en.wikipedia.org/wiki/Related-key_attack" title="Related-key attack">related-key attack</a> can break up to 9 rounds of 256-bit AES. 
A <a href="http://en.wikipedia.org/wiki/Chosen-plaintext_attack" title="Chosen-plaintext attack">chosen-plaintext attack</a> can break 8 rounds of 192- and 256-bit AES, and 7 rounds of 128-bit AES (Ferguson et al., 2000).</div> </td> </tr> </tbody></table> <p>In <a href="http://en.wikipedia.org/wiki/Cryptography" title="Cryptography">cryptography</a>, the <b>Advanced Encryption Standard</b> (<b>AES</b>), also known as <b><a href="http://en.wikipedia.org/wiki/Rijndael_key_schedule" title="Rijndael key schedule">Rijndael</a></b>, is a <a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">block cipher</a> adopted as an <a href="http://en.wikipedia.org/wiki/Encryption" title="Encryption">encryption</a> standard by the <a href="http://en.wikipedia.org/wiki/Federal_government_of_the_United_States" title="Federal government of the United States">U.S. government</a>. It has been analyzed extensively and is now used worldwide, as was the case with its predecessor,<sup id="cite_ref-2" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-2" title="">[3]</a></sup> the <a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">Data Encryption Standard</a> (DES). AES was announced by the <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> (NIST) as U.S. 
<a href="http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard" title="Federal Information Processing Standard">FIPS</a> PUB 197 (FIPS 197) on <a href="http://en.wikipedia.org/wiki/November_26" title="November 26">November 26</a>, <a href="http://en.wikipedia.org/wiki/2001" title="2001">2001</a> after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable (see <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process" title="Advanced Encryption Standard process">Advanced Encryption Standard process</a> for more details). It became effective as a standard on <a href="http://en.wikipedia.org/wiki/May_26" title="May 26">May 26</a>, <a href="http://en.wikipedia.org/wiki/2002" title="2002">2002</a>. <a href="http://en.wikipedia.org/wiki/As_of_2006" title="As of 2006" class="mw-redirect">As of 2006</a>, AES is one of the most popular <a href="http://en.wikipedia.org/wiki/Algorithm" title="Algorithm">algorithms</a> used in <a href="http://en.wikipedia.org/wiki/Symmetric_key_algorithm" title="Symmetric key algorithm" class="mw-redirect">symmetric key cryptography</a>. It is available as an option in many different encryption packages. 
This marks the first time that the public has had access to a <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a> approved by <a href="http://en.wikipedia.org/wiki/National_Security_Agency" title="National Security Agency">NSA</a> for <a href="http://en.wikipedia.org/wiki/Top_secret" title="Top secret" class="mw-redirect">top secret</a> information (see <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security_of_AES" title="Advanced Encryption Standard">Security of AES</a>, below).</p> <p>The <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a> was developed by two <a href="http://en.wikipedia.org/wiki/Belgium" title="Belgium">Belgian</a> cryptographers, <a href="http://en.wikipedia.org/wiki/Joan_Daemen" title="Joan Daemen">Joan Daemen</a> and <a href="http://en.wikipedia.org/wiki/Vincent_Rijmen" title="Vincent Rijmen">Vincent Rijmen</a>, and submitted to the AES selection process under the name "Rijndael", a <a href="http://en.wikipedia.org/wiki/Portmanteau_word" title="Portmanteau word" class="mw-redirect">portmanteau</a> of the names of the inventors. (Rijndael is pronounced <span title="Pronunciation in the International Phonetic Alphabet (IPA)" class="IPA"><a href="http://en.wikipedia.org/wiki/Help:IPA" title="Help:IPA" class="mw-redirect">[rɛindaːl]</a></span>).<sup id="cite_ref-3" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-3" title="">[4]</a></sup></p> <p>Unlike DES (the predecessor of AES), AES is a <a href="http://en.wikipedia.org/wiki/Substitution-permutation_network" title="Substitution-permutation network">substitution-permutation network</a>, not a <a href="http://en.wikipedia.org/wiki/Feistel_network" title="Feistel network" class="mw-redirect">Feistel network</a>. 
AES is fast in both <a href="http://en.wikipedia.org/wiki/Computer_software" title="Computer software">software</a> and <a href="http://en.wikipedia.org/wiki/Hardware" title="Hardware">hardware</a>, is relatively easy to implement, and requires little <a href="http://en.wikipedia.org/wiki/Computer_memory" title="Computer memory" class="mw-redirect">memory</a>. As a new encryption standard, it is currently being deployed on a large scale.</p> <p><a name="Description_of_the_cipher" id="Description_of_the_cipher"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Description of the cipher</span></h2> <p>Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael supports a larger range of <a href="http://en.wikipedia.org/wiki/Block_size_%28cryptography%29" title="Block size (cryptography)">block</a> and <a href="http://en.wikipedia.org/wiki/Key_size" title="Key size">key sizes</a>; AES has a fixed block size of 128 <a href="http://en.wikipedia.org/wiki/Bit" title="Bit">bits</a> and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.</p> <p>Since in computing 1 byte equals 8 bits, the fixed block size of 128 bits is normally 128 / 8 = 16 <a href="http://en.wikipedia.org/wiki/Byte" title="Byte">bytes</a>. AES operates on a 4×4 array of bytes, termed the <i>state</i> (versions of Rijndael with a larger block size have additional columns in the state). 
Most AES calculations are done in a special <a href="http://en.wikipedia.org/wiki/Finite_field_arithmetic" title="Finite field arithmetic">finite field</a>.</p> <p>The <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a> is specified in terms of repetitions of processing steps that are applied to make up rounds of keyed transformations between the input plain-text and the final output of cipher-text. A set of reverse rounds is applied to transform cipher-text back into the original plain-text using the same encryption key.</p> <p><a name="High-level_cipher_algorithm" id="High-level_cipher_algorithm"></a></p> <h3><span class="editsection"></span><span class="mw-headline">High-level cipher algorithm</span></h3> <ul><li>KeyExpansion using <a href="http://en.wikipedia.org/wiki/Rijndael_key_schedule" title="Rijndael key schedule">Rijndael's key schedule</a></li><li>Initial Round <ul><li>AddRoundKey</li></ul> </li><li>Rounds</li></ul> <ol><li><tt>SubBytes</tt>—a non-linear substitution step where each byte is replaced with another according to a <a href="http://en.wikipedia.org/wiki/Rijndael_S-box" title="Rijndael S-box">lookup table</a>.</li><li><tt>ShiftRows</tt>—a transposition step where each row of the state is shifted cyclically a certain number of steps.</li><li><tt>MixColumns</tt>—a mixing operation which operates on the columns of the state, combining the four bytes in each column.</li><li><tt>AddRoundKey</tt>—each byte of the state is combined with the round key; each round key is derived from the cipher key using a <a href="http://en.wikipedia.org/wiki/Key_schedule" title="Key schedule">key schedule</a>.</li></ol> <ul><li>Final Round (no <tt>MixColumns</tt>)</li></ul> <ol><li><tt>SubBytes</tt></li><li><tt>ShiftRows</tt></li><li><tt>AddRoundKey</tt></li></ol> <p><a name="The_SubBytes_step" id="The_SubBytes_step"></a></p> <h3><span class="editsection"></span><span class="mw-headline">The <tt>SubBytes</tt> step</span></h3> <div class="thumb 
tright"> <div class="thumbinner" style="width: 322px;"><a href="http://en.wikipedia.org/wiki/Image:AES-SubBytes.svg" class="image" title="In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; bij = S(aij)."><img alt="In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; bij = S(aij)." src="http://upload.wikimedia.org/wikipedia/commons/thumb/a/a4/AES-SubBytes.svg/320px-AES-SubBytes.svg.png" class="thumbimage" width="320" border="0" height="166" /></a> <div class="thumbcaption"> <div class="magnify"><a href="http://en.wikipedia.org/wiki/Image:AES-SubBytes.svg" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" width="15" height="11" /></a></div> In the <tt>SubBytes</tt> step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, <i>S</i>; <i>b<sub>ij</sub></i> = <i>S(a<sub>ij</sub>)</i>.</div> </div> </div> <p>In the <tt>SubBytes</tt> step, each byte in the array is updated using an 8-bit <a href="http://en.wikipedia.org/wiki/Substitution_box" title="Substitution box">substitution box</a>, the <a href="http://en.wikipedia.org/wiki/Rijndael_S-box" title="Rijndael S-box">Rijndael S-box</a>. This operation provides the non-linearity in the <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a>. The S-box used is derived from the <a href="http://en.wikipedia.org/wiki/Multiplicative_inverse" title="Multiplicative inverse">multiplicative inverse</a> over <b><a href="http://en.wikipedia.org/wiki/Finite_field" title="Finite field">GF</a></b>(<i>2<sup>8</sup></i>), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible <a href="http://en.wikipedia.org/wiki/Affine_transformation" title="Affine transformation">affine transformation</a>. 
The S-box is also chosen to have no fixed points (and so is a <a href="http://en.wikipedia.org/wiki/Derangement" title="Derangement">derangement</a>) and no opposite fixed points.</p> <p><a name="The_ShiftRows_step" id="The_ShiftRows_step"></a></p> <h3><span class="editsection"></span><span class="mw-headline">The <tt>ShiftRows</tt> step</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 322px;"><a href="http://en.wikipedia.org/wiki/Image:AES-ShiftRows.svg" class="image" title="In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row."><img alt="In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row." src="http://upload.wikimedia.org/wikipedia/commons/thumb/6/66/AES-ShiftRows.svg/320px-AES-ShiftRows.svg.png" class="thumbimage" width="320" border="0" height="119" /></a> <div class="thumbcaption"> <div class="magnify"><a href="http://en.wikipedia.org/wiki/Image:AES-ShiftRows.svg" class="internal" title="Enlarge"><img src="http://en.wikipedia.org/skins-1.5/common/images/magnify-clip.png" alt="" width="15" height="11" /></a></div> In the <tt>ShiftRows</tt> step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.</div> </div> </div> <p>The <tt>ShiftRows</tt> step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain <a href="http://en.wikipedia.org/wiki/Offset_%28computer_science%29" title="Offset (computer science)">offset</a>. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. 
Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For block sizes of 128 bits and 192 bits the shifting pattern is the same. In this way, each column of the output state of the <tt>ShiftRows</tt> step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets.) In the case of a 256-bit block, the first row is unchanged and the second, third and fourth rows are shifted by 1, 3 and 4 bytes respectively, although this applies only to the Rijndael cipher when used with a 256-bit block, which AES does not use.</p> <p><a name="The_MixColumns_step" id="The_MixColumns_step"></a></p> <h3><span class="editsection"></span><span class="mw-headline">The <tt>MixColumns</tt> step</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 322px;"><a href="http://en.wikipedia.org/wiki/Image:AES-MixColumns.svg" class="image" title="In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x)."><img alt="In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x)." 
src="http://upload.wikimedia.org/wikipedia/commons/thumb/7/76/AES-MixColumns.svg/320px-AES-MixColumns.svg.png" class="thumbimage" width="320" border="0" height="170" /></a> <div class="thumbcaption"> In the <tt>MixColumns</tt> step, each column of the state is multiplied with a fixed polynomial <i>c(x)</i>.</div> </div> </div> <p>In the <tt>MixColumns</tt> step, the four bytes of each column of the state are combined using an invertible <a href="http://en.wikipedia.org/wiki/Linear_transformation" title="Linear transformation" class="mw-redirect">linear transformation</a>. The <tt>MixColumns</tt> function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with <tt>ShiftRows</tt>, <tt>MixColumns</tt> provides <a href="http://en.wikipedia.org/wiki/Diffusion_%28cryptography%29" title="Diffusion (cryptography)" class="mw-redirect">diffusion</a> in the cipher. Each column is treated as a polynomial over <b>GF</b>(<i>2<sup>8</sup></i>) and is then multiplied modulo <span class="texhtml"><i>x</i><sup>4</sup> + 1</span> with a fixed polynomial <span class="texhtml"><i>c</i>(<i>x</i>) = 3<i>x</i><sup>3</sup> + <i>x</i><sup>2</sup> + <i>x</i> + 2</span>. 
The <tt>MixColumns</tt> step can also be viewed as a multiplication by a particular <a href="http://en.wikipedia.org/wiki/MDS_matrix" title="MDS matrix">MDS matrix</a> in <a href="http://en.wikipedia.org/wiki/Finite_field_arithmetic" title="Finite field arithmetic">Rijndael's finite field</a>.</p> <p>This process is described further in the article <a href="http://en.wikipedia.org/wiki/Rijndael_mix_columns" title="Rijndael mix columns">Rijndael mix columns</a>.</p> <p><a name="The_AddRoundKey_step" id="The_AddRoundKey_step"></a></p> <h3><span class="editsection"></span><span class="mw-headline">The <tt>AddRoundKey</tt> step</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 322px;"><a href="http://en.wikipedia.org/wiki/Image:AES-AddRoundKey.svg" class="image" title="In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕)."><img alt="In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕)." src="http://upload.wikimedia.org/wikipedia/commons/thumb/a/ad/AES-AddRoundKey.svg/320px-AES-AddRoundKey.svg.png" class="thumbimage" width="320" border="0" height="249" /></a> <div class="thumbcaption"> In the <tt>AddRoundKey</tt> step, each byte of the state is combined with a byte of the round subkey using the <a href="http://en.wikipedia.org/wiki/Exclusive_or" title="Exclusive or">XOR</a> operation (⊕).</div> </div> </div> <p>In the <tt>AddRoundKey</tt> step, the subkey is combined with the state. 
For each round, a subkey is derived from the main <a href="http://en.wikipedia.org/wiki/Key_%28cryptography%29" title="Key (cryptography)">key</a> using <a href="http://en.wikipedia.org/wiki/Rijndael_key_schedule" title="Rijndael key schedule">Rijndael's key schedule</a>; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise <a href="http://en.wikipedia.org/wiki/Exclusive_or" title="Exclusive or">XOR</a>.</p> <p><a name="Optimization_of_the_cipher" id="Optimization_of_the_cipher"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Optimization of the cipher</span></h3> <p>On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining <tt>SubBytes</tt> and <tt>ShiftRows</tt> with <tt>MixColumns</tt>, and transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, which utilizes a total of four kilobytes (4096 bytes) of memory—one kilobyte for each table. A round can now be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the <tt>AddRoundKey</tt> step.</p> <p>If the resulting four kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit table by the use of circular rotates.</p> <p>Using a byte-oriented approach it is possible to combine the <tt>SubBytes</tt>, <tt>ShiftRows</tt>, and <tt>MixColumns</tt> steps into a single round operation.</p> <p><a name="Security_of_AES" id="Security_of_AES"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Security of AES</span></h2> <p>As of 2006, the only successful attacks against AES implementations have been <a href="http://en.wikipedia.org/wiki/Side-channel_attack" title="Side-channel attack">side-channel attacks</a>. 
The <a href="http://en.wikipedia.org/wiki/National_Security_Agency" title="National Security Agency">National Security Agency</a> (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for <a href="http://en.wikipedia.org/wiki/US_Government" title="US Government" class="mw-redirect">US Government</a> non-classified data. In June 2003, the US Government announced that AES may be used for <a href="http://en.wikipedia.org/wiki/Classified_information" title="Classified information">classified information</a>:</p> <blockquote> <p>The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.<sup id="cite_ref-4" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-4" title="">[5]</a></sup></p> </blockquote> <p>Many public products use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future).</p> <p>The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.<sup id="cite_ref-improved_5-0" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-improved-5" title="">[6]</a></sup></p> <p>Some cryptographers worry about the security of AES. 
They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. There is a risk that some way to improve such attacks might be found and then the cipher could be broken. In this sense, a <a href="http://en.wikipedia.org/wiki/Cryptanalysis" title="Cryptanalysis">cryptographic</a> "break" is anything faster than an <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">exhaustive search</a>, thus an attack against a 128-bit-key AES requiring 'only' 2<sup>120</sup> operations (compared to 2<sup>128</sup> possible keys) would be considered a break even though it would be, at present, quite infeasible. In practical application, any break of AES which is only that "good" would be irrelevant. At present, such concerns can be ignored. The largest successful publicly known <a href="http://en.wikipedia.org/wiki/Brute_force_attack" title="Brute force attack">brute force attack</a> has been against a 64-bit <a href="http://en.wikipedia.org/wiki/RC5" title="RC5">RC5</a> key by <a href="http://en.wikipedia.org/wiki/Distributed.net" title="Distributed.net">distributed.net</a>.</p> <p>Other debates center around the <a href="http://en.wikipedia.org/wiki/Mathematics" title="Mathematics">mathematical</a> structure of AES. Unlike most other block ciphers, AES has a very neat <a href="http://en.wikipedia.org/wiki/Algebra" title="Algebra">algebraic</a> description.<sup id="cite_ref-6" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-6" title="">[7]</a></sup> This has not yet led to any attacks, but some researchers feel that basing a cipher on a new hardness assumption is risky. 
This has led Ferguson, Schroeppel, and Whiting to write, "...we are concerned about the use of Rijndael [AES] in security-critical applications."<sup id="cite_ref-rijndael-algebraic_7-0" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-rijndael-algebraic-7" title="">[8]</a></sup></p> <p>In 2002, a theoretical attack, termed the "<a href="http://en.wikipedia.org/wiki/XSL_attack" title="XSL attack">XSL attack</a>", was announced by <a href="http://en.wikipedia.org/wiki/Nicolas_Courtois" title="Nicolas Courtois">Nicolas Courtois</a> and <a href="http://en.wikipedia.org/wiki/Josef_Pieprzyk" title="Josef Pieprzyk">Josef Pieprzyk</a>, showing a potential weakness in the AES algorithm.<sup id="cite_ref-8" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-8" title="">[9]</a></sup> Several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors may have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. At present, the XSL attack against AES appears speculative; it is unlikely that the current attack could be carried out in practice.</p> <p><a name="Side_channel_attacks" id="Side_channel_attacks"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Side channel attacks</span></h3> <p><a href="http://en.wikipedia.org/wiki/Side_channel_attack" title="Side channel attack" class="mw-redirect">Side channel attacks</a> do not attack the underlying cipher and so have nothing to do with its security as described here, but attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.</p> <p>In April 2005, <a href="http://en.wikipedia.org/wiki/Daniel_J._Bernstein" title="Daniel J. Bernstein">D.J. 
Bernstein</a> announced a cache timing attack that he used to break a custom server that used <a href="http://en.wikipedia.org/wiki/OpenSSL" title="OpenSSL">OpenSSL</a>'s AES encryption.<sup id="cite_ref-9" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-9" title="">[10]</a></sup> The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation), and the attack required over 200 million chosen plaintexts. Some say the attack is not practical over the internet with a distance of one or more hops;<sup id="cite_ref-10" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-10" title="">[11]</a></sup> <a href="http://en.wikipedia.org/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a> called the research a "nice timing attack."<sup id="cite_ref-11" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-11" title="">[12]</a></sup></p> <p>In October 2005, Dag Arne Osvik, <a href="http://en.wikipedia.org/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a> and Eran Tromer presented a paper demonstrating several cache timing attacks against AES.<sup id="cite_ref-12" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-12" title="">[13]</a></sup> One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. 
This attack requires the attacker to be able to run programs on the same system that is performing AES.</p> <p>Tadayoshi Kohno wrote a paper entitled "Attacking and Repairing the WinZip Encryption Scheme"<sup id="cite_ref-13" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-13" title="">[14]</a></sup> showing possible attacks against the <a href="http://en.wikipedia.org/wiki/WinZip" title="WinZip">WinZip</a> implementation (the zip archive's metadata isn't encrypted).</p> <p><a name="FIPS_Validation" id="FIPS_Validation"></a></p> <h2><span class="editsection"></span><span class="mw-headline">FIPS Validation</span></h2> <div class="thumb tright"> <div class="thumbinner" style="width: 302px;"><a href="http://en.wikipedia.org/wiki/Image:Cbccfb.jpg" class="image" title="AES-CBC vs AES-CFB in time trials with a 128 bit block."><img alt="AES-CBC vs AES-CFB in time trials with a 128 bit block." src="http://upload.wikimedia.org/wikipedia/en/thumb/5/51/Cbccfb.jpg/300px-Cbccfb.jpg" class="thumbimage" width="300" border="0" height="210" /></a> <div class="thumbcaption"> AES-CBC vs AES-CFB in time trials with a 128 bit block.</div> </div> </div> <p>The <a href="http://en.wikipedia.org/wiki/CMVP" title="CMVP" class="mw-redirect">Cryptographic Module Validation Program</a> (CMVP) is operated jointly by the United States Government's <a href="http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> (NIST) Computer Security Division and the <a href="http://en.wikipedia.org/wiki/Communications_Security_Establishment" title="Communications Security Establishment" 
class="mw-redirect">Communications Security Establishment</a> (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of <a href="http://en.wikipedia.org/wiki/FIPS_140" title="FIPS 140">FIPS 140</a> validated cryptographic modules in unclassified applications of its departments.</p> <p>Although NIST publication 197 ("FIPS 197") is the only document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as <a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a> or <a href="http://en.wikipedia.org/wiki/SHA1" title="SHA1" class="mw-redirect">SHA1</a>) validated at the same time. Therefore, it is rare to find cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS 197 validation is typically just listed as a "FIPS approved: AES" notation (with a specific FIPS 197 certificate number) in the current list of FIPS 140 validated cryptographic modules.</p> <p>FIPS validation is challenging to achieve both technically and fiscally. There is a standardized battery of tests as well as an element of source code review that must be passed over a period of several days. The cost to perform these tests through an approved laboratory can be significant (e.g., well over $10,000 US) and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be resubmitted and reevaluated if they are changed in any way.</p> <p><a name="Test_Vectors" id="Test_Vectors"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Test Vectors</span></h2> <p>Test vectors are a set of known ciphertexts for a given input and key. 
For example, for a 128-bit key "00010203050607080A0B0C0D0F101112" (16 bytes represented as two <a href="http://en.wikipedia.org/wiki/Hexadecimal" title="Hexadecimal">hexadecimal</a> characters per byte) and an input "506812A45F08C889B97F5980038B8359", the ciphertext should be "D8F532538289EF7D06B506A4FD5BE9C9".</p> <p><a name="Implementations" id="Implementations"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Implementations</span></h2> <p><a name="Libraries" id="Libraries"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Libraries</span></h3> <div class="thumb tright"> <div class="thumbinner" style="width: 302px;"><a href="http://en.wikipedia.org/wiki/Image:Cbc128192256.jpg" class="image" title="AES Speed at 128, 192 and 256 bit key sizes."><img alt="AES Speed at 128, 192 and 256 bit key sizes." src="http://upload.wikimedia.org/wikipedia/en/thumb/5/5e/Cbc128192256.jpg/300px-Cbc128192256.jpg" class="thumbimage" width="300" border="0" height="210" /></a> <div class="thumbcaption"> AES Speed at 128, 192 and 256 bit key sizes.</div> </div> </div> <p>Rijndael is free for any use public or private, commercial or non-commercial. The authors of Rijndael used to provide a homepage <sup id="cite_ref-14" class="reference"><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_note-14" title="">[15]</a></sup> for the algorithm. Care should be taken when implementing AES in software. Like most encryption algorithms, Rijndael was designed on <a href="http://en.wikipedia.org/wiki/Endianness#Big-endian" title="Endianness">big-endian</a> systems. 
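The round steps described above (SubBytes, ShiftRows with offsets 0 to 3, MixColumns as multiplication by c(x) = 3x^3 + x^2 + x + 2 modulo x^4 + 1, AddRoundKey) and the Rijndael key schedule, written out as a compact AES-128 encryptor; this is an added Python example, not code from the original article or from any library listed on this page. The S-box is computed from the field inverse and the affine map instead of being typed in, the vector quoted under Test Vectors above is the check in the constructed main block, and the ecb_encrypt/ctr_encrypt helpers make the mode-of-operation point concrete (it is educational code with data-dependent loops, not a constant-time implementation).

```python
def gf_mul(a, b):
    """Multiply two bytes in Rijndael's field GF(2^8), reducing by x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # subtract (xor) the field polynomial
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse as a^254 (square-and-multiply); 0 maps to 0 as the S-box needs."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def build_sbox():
    """S-box = field inverse followed by the affine map b ^ rotl(b,1..4) ^ 0x63 over GF(2)."""
    box = []
    for a in range(256):
        b, s = gf_inv(a), 0x63
        for k in range(5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()  # has no fixed points and no opposite fixed points, as noted above
# The state is a flat list of 16 bytes in FIPS-197 order: index = row + 4 * column.

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions (offsets 0, 1, 2, 3 for the 128-bit block)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_column(col):
    """One column times c(x) = 3x^3 + x^2 + x + 2 modulo x^4 + 1 (the circulant MDS matrix)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]

def mix_columns(state):
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4])]

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def expand_key(key):
    """Rijndael key schedule for a 16-byte key: 44 words, returned as 11 round keys of 16 bytes."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)  # round constants 01, 02, 04, ..., 80, 1b, 36
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, nine full rounds, then a final round without MixColumns."""
    rk = expand_key(key)
    state = add_round_key(list(block), rk[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(state)), rk[10]))

def ecb_encrypt(key, data):
    """ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext."""
    assert len(data) % 16 == 0, "ECB needs input padded to whole 16-byte blocks"
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def ctr_encrypt(key, nonce12, data):
    """CTR: encrypt nonce||counter into a keystream and xor it in; decryption is the same call."""
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = aes128_encrypt_block(key, nonce12 + (i // 16).to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], ks))
    return bytes(out)

if __name__ == "__main__":
    # Constructed check against the vector quoted in the Test Vectors section above.
    key = bytes.fromhex("00010203050607080A0B0C0D0F101112")
    pt = bytes.fromhex("506812A45F08C889B97F5980038B8359")
    print(aes128_encrypt_block(key, pt).hex().upper())  # D8F532538289EF7D06B506A4FD5BE9C9
```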
For this reason, <a href="http://en.wikipedia.org/wiki/Endianness#Little-endian" title="Endianness">little-endian</a> systems return correct test vector results only through considerable byte-swapping, with efficiency reduced as a result.</p> <p>The algorithm operates on plaintext blocks of 16 bytes. Encryption of shorter blocks is possible only by <a href="http://en.wikipedia.org/wiki/Padding" title="Padding">padding</a> the source bytes, usually with <a href="http://en.wikipedia.org/wiki/Null_character" title="Null character">null bytes</a>. This can be accomplished in several ways; the simplest assumes that the final byte of the padded block records the number of null bytes of padding added.</p> <p>Careful choice must be made in selecting the <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" title="Block cipher modes of operation">mode of operation</a> of the cipher. The simplest mode encrypts and decrypts each 128-bit block separately. In this mode, called "electronic code book" (ECB), blocks that are identical are encrypted identically, which makes some of the plaintext structure visible in the ciphertext. Selecting other modes, such as impressing a sequential counter on each block prior to encryption (CTR mode) and removing it after decryption, avoids this problem.</p> <ul><li><a href="http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html" class="external text" title="http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html" rel="nofollow">Current list of FIPS 197 validated cryptographic modules (hosted by NIST)</a></li><li><a href="http://csrc.nist.gov/cryptval/140-1/140val-all.htm" class="external text" title="http://csrc.nist.gov/cryptval/140-1/140val-all.htm" rel="nofollow">Current list of FIPS 140 validated cryptographic modules with validated AES implementations (hosted by NIST)</a> - Most of these involve a commercial implementation of AES algorithms. 
Look for the "FIPS-approved algorithms" entry in the "Level / Description" column followed by "AES" and then a specific certificate number.</li></ul> <p><a name="C.2FASM_Library" id="C.2FASM_Library"></a></p> <h4><span class="editsection"></span><span class="mw-headline">C/ASM Library</span></h4> <ul><li><a href="http://www.lysator.liu.se/%7Enisse/nettle/" class="external text" title="http://www.lysator.liu.se/~nisse/nettle/" rel="nofollow">GPL-licensed Nettle library also includes an AES implementation</a></li><li><a href="http://xyssl.org/code/source/aes/" class="external text" title="http://xyssl.org/code/source/aes/" rel="nofollow">LGPL-licensed implementation written in C</a></li><li><a href="http://www.literatecode.com/2007/11/11/aes256/" class="external text" title="http://www.literatecode.com/2007/11/11/aes256/" rel="nofollow">A compact byte-oriented AES-256 implementation (C, OpenBSD license)</a></li><li><a href="http://geocities.com/malbrain/aestable_c.html" class="external text" title="http://geocities.com/malbrain/aestable_c.html" rel="nofollow">A byte-oriented public domain implementation in C</a></li><li><a href="http://fp.gladman.plus.com/cryptography_technology/rijndael/" class="external text" title="http://fp.gladman.plus.com/cryptography_technology/rijndael/" rel="nofollow">BSD-licensed implementation from Brian Gladman</a></li><li><a href="http://cr.yp.to/mac.html" class="external text" title="http://cr.yp.to/mac.html" rel="nofollow">Public-domain implementation from D.J. Bernstein</a></li><li><a href="http://www.efgh.com/software/rijndael.htm" class="external text" title="http://www.efgh.com/software/rijndael.htm" rel="nofollow">Public domain C from Philip J. 
Erdelsky</a></li><li><a href="http://en.wikipedia.org/wiki/Cryptographic_Application_Programming_Interface" title="Cryptographic Application Programming Interface" class="mw-redirect">Cryptographic Application Programming Interface</a> or CAPI, Microsoft's Cryptography API</li><li><a href="http://www.hoozi.com/Articles/AESEncryption.htm" class="external text" title="http://www.hoozi.com/Articles/AESEncryption.htm" rel="nofollow">A simple commented implementation in C/C++ aimed at beginners</a></li></ul> <p><a name="C.2B.2B_Library" id="C.2B.2B_Library"></a></p> <h4><span class="editsection"></span><span class="mw-headline">C++ Library</span></h4> <ul><li><a href="http://en.wikipedia.org/wiki/Botan" title="Botan">Botan</a> has implemented Rijndael since its very first release in 2001</li><li><a href="http://sourceforge.net/projects/cryptopp/" class="external text" title="http://sourceforge.net/projects/cryptopp/" rel="nofollow">Crypto++</a>, a comprehensive C++ semi-public-domain implementation of encryption and hash algorithms; FIPS validated</li><li><a href="http://www.lomont.org/Software/Misc/AES/AES.php" class="external text" title="http://www.lomont.org/Software/Misc/AES/AES.php" rel="nofollow">Chris Lomont's version of AES under the zlib License</a></li></ul> <p><a name="C.23_.2F.NET" id="C.23_.2F.NET"></a></p> <h4><span class="editsection"></span><span class="mw-headline">C# /.NET</span></h4> <ul><li><a href="http://msdn2.microsoft.com/en-us/magazine/cc164055.aspx" class="external text" title="http://msdn2.microsoft.com/en-us/magazine/cc164055.aspx" rel="nofollow">"Keep Your Data Secure with the New Advanced Encryption Standard"</a>, a detailed explanation with a C# implementation by <a href="http://en.wikipedia.org/wiki/James_D._McCaffrey" title="James D. McCaffrey">James D. 
McCaffrey</a>.</li><li>As of version 3.5 of the <a href="http://en.wikipedia.org/wiki/.NET_Framework" title=".NET Framework">.NET Framework</a>, the <a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aspx" class="external text" title="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aspx" rel="nofollow">System.Security.Cryptography</a> namespace contains both a <a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged.aspx" class="external text" title="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged.aspx" rel="nofollow">fully managed</a> implementation of AES and a <a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aescryptoserviceprovider.aspx" class="external text" title="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aescryptoserviceprovider.aspx" rel="nofollow">managed wrapper</a> around the <a href="http://en.wikipedia.org/wiki/Cryptographic_Application_Programming_Interface" title="Cryptographic Application Programming Interface" class="mw-redirect">CAPI</a> AES implementation.</li><li><a href="http://en.wikipedia.org/wiki/Bouncy_castle_%28cryptography%29" title="Bouncy castle (cryptography)" class="mw-redirect">Bouncy Castle Crypto Library</a></li></ul> <p><a name="Java" id="Java"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Java</span></h4> <ul><li><a href="http://en.wikipedia.org/w/index.php?title=Java_Cryptography_Extension&action=edit&redlink=1" class="new" title="Java Cryptography Extension (page does not exist)">Java Cryptography Extension</a>, integrated in the <a href="http://en.wikipedia.org/wiki/JRE" title="JRE" class="mw-redirect">Java Runtime Environment</a> since version 1.4.2 (see <a href="http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html" class="external text" 
title="http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html" rel="nofollow">example code</a>)</li><li><a href="http://en.wikipedia.org/wiki/Bouncy_castle_%28cryptography%29" title="Bouncy castle (cryptography)" class="mw-redirect">Bouncy Castle Crypto Library</a></li></ul> <p><a name="JavaScript" id="JavaScript"></a></p> <h4><span class="editsection"></span><span class="mw-headline">JavaScript</span></h4> <ul><li><a href="http://code.google.com/p/clipperz" class="external text" title="http://code.google.com/p/clipperz" rel="nofollow">Clipperz Crypto Library</a>, includes an efficient implementation.</li><li><a href="http://www.movable-type.co.uk/scripts/AES.html" class="external text" title="http://www.movable-type.co.uk/scripts/AES.html" rel="nofollow">Direct implementation of the standard</a>, transparently coded, with counter mode of operation</li><li><a href="http://people.eku.edu/styere/Encrypt/JS-AES.html" class="external text" title="http://people.eku.edu/styere/Encrypt/JS-AES.html" rel="nofollow">Calculator showing intermediate values</a></li><li><a href="http://www.hanewin.net/encrypt/aes/aes-test.htm" class="external text" title="http://www.hanewin.net/encrypt/aes/aes-test.htm" rel="nofollow">Simple 128/192/256-bit AES with hexadecimal inputs</a></li></ul> <p><a name="Delphi" id="Delphi"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Delphi</span></h4> <ul><li><a href="http://www.dsplayer.de/dspweb/public_downloads/BTAES_0.3.zip" class="external text" title="http://www.dsplayer.de/dspweb/public_downloads/BTAES_0.3.zip" rel="nofollow">Martin Offenwanger's GPL-licensed AES source code written in Delphi</a></li><li><a href="http://bouchez.info/delphi-crypto.html" class="external text" title="http://bouchez.info/delphi-crypto.html" rel="nofollow">Another AES source code written in Delphi, by Arnaud Bouchez</a></li><li>David Barton's implementation in Delphi, as part of a suite of hashes and ciphers called <a 
href="http://www.cityinthesky.co.uk/cryptography.html" class="external text" title="http://www.cityinthesky.co.uk/cryptography.html" rel="nofollow">DCPcrypt</a>: OIS-Certified open source</li></ul> <p><a name="Lisp" id="Lisp"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Lisp</span></h4> <ul><li><a href="http://method-combination.net/lisp/ironclad/" class="external text" title="http://method-combination.net/lisp/ironclad/" rel="nofollow">ironclad</a>, Common Lisp cryptography library.</li><li><a href="http://folk.uio.no/jornv/aes/aes.html" class="external text" title="http://folk.uio.no/jornv/aes/aes.html" rel="nofollow">Common Lisp AES implementations</a> using 8- and 32-bit arithmetic.</li><li><a href="http://josefsson.org/aes/" class="external text" title="http://josefsson.org/aes/" rel="nofollow">Emacs Lisp</a></li></ul> <p><a name="Other_Languages" id="Other_Languages"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Other Languages</span></h4> <ul><li><a href="http://www.phpclasses.org/browse/package/3650.html" class="external text" title="http://www.phpclasses.org/browse/package/3650.html" rel="nofollow">LGPL 128-bit implementation in PHP</a> (registration required)</li><li><a href="http://www.formaestudio.com/rijndaelinspector/" class="external text" title="http://www.formaestudio.com/rijndaelinspector/" rel="nofollow">Rijndael Inspector</a>, a program made in Flash to encrypt/decrypt using AES-128.</li><li><a href="http://www.codearchive.com/dl.php?dlid=1517" class="external text" title="http://www.codearchive.com/dl.php?dlid=1517" rel="nofollow">AES CryptText</a>, a VB5/6 source-code (cls) implementation of the AES-Rijndael block cipher.</li><li><a href="http://search.cpan.org/%7Ebdfoy/Crypt-Rijndael/Rijndael.pm" class="external text" title="http://search.cpan.org/~bdfoy/Crypt-Rijndael/Rijndael.pm" rel="nofollow">Crypt::Rijndael</a> for Perl</li></ul> <p><a name="Applications" id="Applications"></a></p> 
<h3><span class="editsection"></span><span class="mw-headline">Applications</span></h3> <p><a name="Archive_and_compression_tools" id="Archive_and_compression_tools"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Archive and compression tools</span></h4> <ul><li><a href="http://en.wikipedia.org/wiki/7z" title="7z">7z</a></li><li><a href="http://en.wikipedia.org/wiki/WinZip" title="WinZip">WinZip</a></li><li><a href="http://en.wikipedia.org/wiki/PKZIP" title="PKZIP">PKZIP</a></li></ul> <p><a name="Disk_encryption" id="Disk_encryption"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Disk encryption</span></h4> <ul><li><a href="http://en.wikipedia.org/wiki/FreeOTFE" title="FreeOTFE">FreeOTFE</a></li><li><a href="http://en.wikipedia.org/wiki/TrueCrypt" title="TrueCrypt">TrueCrypt</a></li></ul> <p><a name="Misc" id="Misc"></a></p> <h4><span class="editsection"></span><span class="mw-headline">Misc</span></h4> <ul><li><a href="http://en.wikipedia.org/wiki/OpenSSL" title="OpenSSL">OpenSSL</a> includes AES cipher support as of version 0.9.7 (released in 2002) and is dual-licensed under the terms of the OpenSSL License and the original SSLeay license. 
FIPS validated via IBM</li><li><a href="http://ccrypt.sourceforge.net/" class="external text" title="http://ccrypt.sourceforge.net/" rel="nofollow">Peter Selinger's ccrypt file encryption utility for UNIX, GPL-licensed</a></li><li><a href="http://en.wikipedia.org/wiki/GNU_Privacy_Guard" title="GNU Privacy Guard">GPG</a>, GPL-licensed, includes AES, AES-192, and AES-256 as options.</li><li><a href="http://www.wizards-toolkit.org/" class="external text" title="http://www.wizards-toolkit.org/" rel="nofollow">The Wizard's Toolkit, ImageMagick license</a></li><li><a href="http://www.smartftp.com/support/kb/file-encryption-f2605.html/" class="external text" title="http://www.smartftp.com/support/kb/file-encryption-f2605.html/" rel="nofollow">SmartFTP's AES CTR Encryption Tool, Free</a></li><li><a href="http://en.wikipedia.org/w/index.php?title=IronKey&action=edit&redlink=1" class="new" title="IronKey (page does not exist)">IronKey</a> uses AES encryption</li></ul> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Cold_Boot_Attack" title="Cold Boot Attack" class="mw-redirect">Cold Boot Attack</a></li><li><a href="http://en.wikipedia.org/wiki/Full_Disk_Encryption" title="Full Disk Encryption" class="mw-redirect">Full Disk Encryption</a></li><li><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">Data Encryption Standard</a> (DES) - AES has replaced this standard</li><li><a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a> - AES has replaced this standard</li><li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process" title="Advanced Encryption Standard process">Advanced Encryption Standard process</a></li><li><a href="http://en.wikipedia.org/wiki/Whirlpool_%28cryptography%29" title="Whirlpool (cryptography)">Whirlpool</a> - hash function also co-created by 
Vincent Rijmen</li></ul> <p><a name="Notes" id="Notes"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Notes</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-keysize-0"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-keysize_0-0" title="">^</a></b> Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.</li><li id="cite_note-blocksize-1"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-blocksize_1-0" title="">^</a></b> Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.</li><li id="cite_note-2"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-2" title="">^</a></b> "<a href="http://www.findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479" class="external text" title="http://www.findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479" rel="nofollow">NIST reports measurable success of Advanced Encryption Standard</a>".</li><li id="cite_note-3"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-3" title="">^</a></b> "<a href="http://rijndael.info/audio/rijndael_pronunciation.wav" class="external text" title="http://rijndael.info/audio/rijndael_pronunciation.wav" rel="nofollow">'Rijndael' pronunciation</a>".</li><li id="cite_note-4"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-4" title="">^</a></b> <a href="http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf" class="external text" title="http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf" rel="nofollow">National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Se</a></li><li id="cite_note-improved-5"><b><a 
href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-improved_5-0" title="">^</a></b> <a href="http://en.wikipedia.org/wiki/John_Kelsey_%28cryptanalyst%29" title="John Kelsey (cryptanalyst)">John Kelsey</a>, <a href="http://en.wikipedia.org/wiki/Stefan_Lucks" title="Stefan Lucks">Stefan Lucks</a>, <a href="http://en.wikipedia.org/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a>, <a href="http://en.wikipedia.org/w/index.php?title=Mike_Stay&action=edit&redlink=1" class="new" title="Mike Stay (page does not exist)">Mike Stay</a>, <a href="http://en.wikipedia.org/wiki/David_Wagner" title="David Wagner">David Wagner</a>, and <a href="http://en.wikipedia.org/w/index.php?title=Doug_Whiting&action=edit&redlink=1" class="new" title="Doug Whiting (page does not exist)">Doug Whiting</a>, <i>Improved Cryptanalysis of Rijndael</i>, <a href="http://en.wikipedia.org/wiki/Fast_Software_Encryption" title="Fast Software Encryption">Fast Software Encryption</a>, 2000, pp. 213–230. <a href="http://www.schneier.com/paper-rijndael.html" class="external autonumber" title="http://www.schneier.com/paper-rijndael.html" rel="nofollow">[1]</a></li><li id="cite_note-6"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-6" title="">^</a></b> <a href="http://www.isg.rhul.ac.uk/%7Esean/" class="external text" title="http://www.isg.rhul.ac.uk/~sean/" rel="nofollow">Sean Murphy</a></li><li id="cite_note-rijndael-algebraic-7"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-rijndael-algebraic_7-0" title="">^</a></b> <cite style="font-style: normal;"><a href="http://en.wikipedia.org/wiki/Niels_Ferguson" title="Niels Ferguson">Niels Ferguson</a>, <a href="http://en.wikipedia.org/wiki/Richard_Schroeppel" title="Richard Schroeppel">Richard Schroeppel</a>, Doug Whiting (2001). 
"<a href="http://www.macfergus.com/pub/rdalgeq.html" class="external text" title="http://www.macfergus.com/pub/rdalgeq.html" rel="nofollow">A simple algebraic representation of Rijndael</a>" (<a href="http://en.wikipedia.org/wiki/PDF" title="PDF" class="mw-redirect">PDF</a>/<a href="http://en.wikipedia.org/wiki/PostScript" title="PostScript">PostScript</a>). <i>Proceedings of <a href="http://en.wikipedia.org/wiki/Selected_Areas_in_Cryptography" title="Selected Areas in Cryptography">Selected Areas in Cryptography</a>, 2001, Lecture Notes in Computer Science</i>: pp. 103–111, <a href="http://en.wikipedia.org/wiki/Springer-Verlag" title="Springer-Verlag" class="mw-redirect">Springer-Verlag</a>. <span class="reference-accessdate">Retrieved on <a href="http://en.wikipedia.org/wiki/2006" title="2006">2006</a>-<a href="http://en.wikipedia.org/wiki/October_6" title="October 6">10-06</a></span>.</cite></li><li id="cite_note-8"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-8" title="">^</a></b> Bruce Schneier. "<a href="http://www.schneier.com/crypto-gram-0209.html" class="external text" title="http://www.schneier.com/crypto-gram-0209.html" rel="nofollow">AES News, Crypto-Gram Newsletter,</a> <a href="http://en.wikipedia.org/wiki/September_15" title="September 15">September 15</a>, <a href="http://en.wikipedia.org/wiki/2002" title="2002">2002</a>". 
Retrieved on <a href="http://en.wikipedia.org/wiki/2007" title="2007">2007</a>-<a href="http://en.wikipedia.org/wiki/July_27" title="July 27">07-27</a>.</li><li id="cite_note-9"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-9" title="">^</a></b> <a href="http://cr.yp.to/papers.html#cachetiming" class="external free" title="http://cr.yp.to/papers.html#cachetiming" rel="nofollow">http://cr.yp.to/papers.html#cachetiming</a></li><li id="cite_note-10"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-10" title="">^</a></b> Louis Scheffer (2005-04-16). "<i><a href="news:42620794@news.cadence.com" class="external text" title="news:42620794@news.cadence.com" rel="nofollow">Re: Successful remote AES key extraction</a></i>". <a href="news:sci.crypt" class="external text" title="news:sci.crypt" rel="nofollow">sci.crypt</a>. <a href="http://groups.google.com/group/sci.crypt/msg/40d0f6fb6143de1a" class="external text" title="http://groups.google.com/group/sci.crypt/msg/40d0f6fb6143de1a" rel="nofollow">(Web link)</a>.</li><li id="cite_note-11"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-11" title="">^</a></b> Bruce Schneier. "<a href="http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html" class="external text" title="http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html" rel="nofollow">AES Timing Attack</a>". 
Retrieved on <a href="http://en.wikipedia.org/wiki/2007" title="2007">2007</a>-<a href="http://en.wikipedia.org/wiki/March_17" title="March 17">03-17</a>.</li><li id="cite_note-12"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-12" title="">^</a></b> <a href="http://www.wisdom.weizmann.ac.il/%7Etromer/papers/cache.pdf" class="external free" title="http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf" rel="nofollow">http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf</a></li><li id="cite_note-13"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-13" title="">^</a></b> <a href="http://www.cs.washington.edu/homes/yoshi/papers/WinZip/winzip.pdf" class="external free" title="http://www.cs.washington.edu/homes/yoshi/papers/WinZip/winzip.pdf" rel="nofollow">http://www.cs.washington.edu/homes/yoshi/papers/WinZip/winzip.pdf</a></li><li id="cite_note-14"><b><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#cite_ref-14" title="">^</a></b> <a href="http://www.esat.kuleuven.ac.be/%7Erijmen/rijndael" class="external text" title="http://www.esat.kuleuven.ac.be/~rijmen/rijndael" rel="nofollow">Original homepage</a> and <a href="http://web.archive.org/web/20070503005400rn_1/homes.esat.kuleuven.be/%7Erijmen/rijndael/" class="external text" title="http://web.archive.org/web/20070503005400rn_1/homes.esat.kuleuven.be/~rijmen/rijndael/" rel="nofollow">archived copy</a></li></ol> </div> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <ul><li>Nicolas Courtois, Josef Pieprzyk, "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". pp. 267–287, <a href="http://en.wikipedia.org/wiki/ASIACRYPT" title="ASIACRYPT" class="mw-redirect">ASIACRYPT</a> 2002.</li><li>Joan Daemen and Vincent Rijmen, "The Design of Rijndael: AES - The Advanced Encryption Standard." Springer-Verlag, 2002. 
<a href="http://en.wikipedia.org/wiki/Special:BookSources/3540425802" class="internal">ISBN 3-540-42580-2</a>.</li></ul> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://www.iaik.tu-graz.ac.at/research/krypto/AES/old/%7Erijmen/rijndael/" class="external text" title="http://www.iaik.tu-graz.ac.at/research/krypto/AES/old/%7Erijmen/rijndael/" rel="nofollow">The Rijndael Page (old version)</a></li><li><a href="http://www.iaik.tu-graz.ac.at/research/krypto/AES/" class="external text" title="http://www.iaik.tu-graz.ac.at/research/krypto/AES/" rel="nofollow">Literature survey on AES</a></li><li><a href="http://www.hardware-ciphers.com/en/aes/" class="external text" title="http://www.hardware-ciphers.com/en/aes/" rel="nofollow">Survey on 78 different implementations of AES in FPGA and ASIC hardware technologies</a></li><li><a href="http://rijndael.info/audio/rijndael_pronunciation.wav" class="external text" title="http://rijndael.info/audio/rijndael_pronunciation.wav" rel="nofollow">Recordings of the pronunciation of "Rijndael"</a> (85 KB <a href="http://en.wikipedia.org/wiki/Wav" title="Wav" class="mw-redirect">wav</a> file)</li><li><a href="http://csrc.nist.gov/encryption/aes/" class="external text" title="http://csrc.nist.gov/encryption/aes/" rel="nofollow">The archive of the old official AES website</a></li><li><a href="http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf" class="external text" title="http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf" rel="nofollow">FIPS PUB 197: the official AES standard</a> (<a href="http://en.wikipedia.org/wiki/Portable_Document_Format" title="Portable Document Format">PDF</a> file)</li><li><a href="http://www.quadibloc.com/crypto/co040401.htm" class="external text" title="http://www.quadibloc.com/crypto/co040401.htm" rel="nofollow">John Savard's description of the AES 
algorithm</a></li><li><a href="http://www.cs.bc.edu/%7Estraubin/cs381-05/blockciphers/rijndael_ingles2004.swf" class="external text" title="http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf" rel="nofollow">Animation of the 128-bit AES encryption process</a> <a href="http://www.formaestudio.com/rijndaelinspector/" class="external text" title="http://www.formaestudio.com/rijndaelinspector/" rel="nofollow">AES animation v.4</a></li><li><a href="http://www.progressive-coding.com/tutorial.php?id=0" class="external text" title="http://www.progressive-coding.com/tutorial.php?id=0" rel="nofollow">Very detailed AES tutorial with implementation in C</a></li><li><a href="http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html" class="external text" title="http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html" rel="nofollow">AES Algorithm (Rijndael) Information</a> and Test Vectors</li><li><a href="http://www.mediatronix.com/examples/Rijndael-3.htm" class="external text" title="http://www.mediatronix.com/examples/Rijndael-3.htm" rel="nofollow">Implementation for a small 8-bit processor (Picoblaze)</a></li></ul> <table class="navbox" style="" cellspacing="0"> <tbody><tr> <td style="padding: 2px;"> <table class="nowraplinks" style="background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; color: inherit;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <table class="nowraplinks navbox-subgroup" style="width: 100%;" cellspacing="0"> <tbody><tr> <th style="background: rgb(204, 204, 255) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; 
-moz-background-inline-policy: -moz-initial;" colspan="2" class="navbox-title"> <span style="font-size: 100%;"><a href="http://en.wikipedia.org/wiki/Block_cipher" title="Block cipher">Block ciphers</a></span></th> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Common algorithms:</b> <strong class="selflink">AES</strong> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Blowfish_%28cipher%29" title="Blowfish (cipher)">Blowfish</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" title="Data Encryption Standard">DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Triple_DES" title="Triple DES">Triple DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Serpent_%28cipher%29" title="Serpent (cipher)">Serpent</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Twofish" title="Twofish">Twofish</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-even"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Other algorithms:</b> <a href="http://en.wikipedia.org/wiki/3-Way" title="3-Way">3-Way</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ABC_%28block_cipher%29" title="ABC (block cipher)">ABC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Akelarre_%28cipher%29" title="Akelarre (cipher)">Akelarre</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Anubis_%28cipher%29" title="Anubis (cipher)">Anubis</a> |</span> <span 
style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ARIA_%28cipher%29" title="ARIA (cipher)">ARIA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BaseKing" title="BaseKing">BaseKing</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BassOmatic" title="BassOmatic">BassOmatic</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BATON" title="BATON">BATON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/BEAR_and_LION_Cipher" title="BEAR and LION Cipher">BEAR and LION</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cryptomeria_cipher" title="Cryptomeria cipher">C2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Camellia_%28cipher%29" title="Camellia (cipher)">Camellia</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CAST-128" title="CAST-128">CAST-128</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CAST-256" title="CAST-256">CAST-256</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIKS-1" title="CIKS-1">CIKS-1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIPHERUNICORN-A" title="CIPHERUNICORN-A">CIPHERUNICORN-A</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CIPHERUNICORN-E" title="CIPHERUNICORN-E">CIPHERUNICORN-E</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CLEFIA" title="CLEFIA">CLEFIA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cellular_Message_Encryption_Algorithm" title="Cellular Message Encryption Algorithm">CMEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Cobra_ciphers" title="Cobra ciphers">Cobra</a> |</span> <span 
style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/COCONUT98" title="COCONUT98">COCONUT98</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Crab_%28cipher%29" title="Crab (cipher)">Crab</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CRYPTON" title="CRYPTON">CRYPTON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/CS-Cipher" title="CS-Cipher">CS-Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DEAL" title="DEAL">DEAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DES-X" title="DES-X">DES-X</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/DFC_%28cipher%29" title="DFC (cipher)">DFC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/E2_%28cipher%29" title="E2 (cipher)">E2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FEAL" title="FEAL">FEAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FEA-M" title="FEA-M">FEA-M</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/FROG" title="FROG">FROG</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/G-DES" title="G-DES" class="mw-redirect">G-DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/GOST_%28block_cipher%29" title="GOST (block cipher)">GOST</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Grand_Cru_%28cipher%29" title="Grand Cru (cipher)">Grand Cru</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Hasty_Pudding_cipher" title="Hasty Pudding cipher">Hasty Pudding cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Hierocrypt" 
title="Hierocrypt">Hierocrypt</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/ICE_%28cipher%29" title="ICE (cipher)">ICE</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm" title="International Data Encryption Algorithm">IDEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Idea_NXT" title="Idea NXT">IDEA NXT</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Intel_Cascade_Cipher" title="Intel Cascade Cipher">Intel Cascade Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Iraqi_block_cipher" title="Iraqi block cipher">Iraqi</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KASUMI_%28block_cipher%29" title="KASUMI (block cipher)">KASUMI</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KeeLoq" title="KeeLoq">KeeLoq</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KHAZAD" title="KHAZAD">KHAZAD</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Khufu_and_Khafre" title="Khufu and Khafre">Khufu and Khafre</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/KN-Cipher" title="KN-Cipher">KN-Cipher</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Ladder-DES" title="Ladder-DES">Ladder-DES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Libelle_%28cipher%29" title="Libelle (cipher)">Libelle</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/LOKI97" title="LOKI97">LOKI97</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/LOKI" title="LOKI">LOKI89/91</a> |</span> <span style="white-space: nowrap;"><a 
href="http://en.wikipedia.org/wiki/Lucifer_%28cipher%29" title="Lucifer (cipher)">Lucifer</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/M6_%28cipher%29" title="M6 (cipher)">M6</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/M8_%28cipher%29" title="M8 (cipher)">M8</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MacGuffin_%28cipher%29" title="MacGuffin (cipher)">MacGuffin</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Madryga" title="Madryga">Madryga</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MAGENTA" title="MAGENTA">MAGENTA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MARS_%28cryptography%29" title="MARS (cryptography)">MARS</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Mercy_%28cipher%29" title="Mercy (cipher)">Mercy</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MESH_%28cipher%29" title="MESH (cipher)">MESH</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MISTY1" title="MISTY1">MISTY1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MMB" title="MMB">MMB</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MULTI2" title="MULTI2">MULTI2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/MultiSwap" title="MultiSwap">MultiSwap</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/New_Data_Seal" title="New Data Seal">New Data Seal</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NewDES" title="NewDES">NewDES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Nimbus_%28cipher%29" title="Nimbus (cipher)">Nimbus</a> 
|</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NOEKEON" title="NOEKEON">NOEKEON</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/NUSH" title="NUSH">NUSH</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Q_%28cipher%29" title="Q (cipher)">Q</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC2" title="RC2">RC2</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC5" title="RC5">RC5</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/RC6" title="RC6">RC6</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/REDOC" title="REDOC">REDOC</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Red_Pike" title="Red Pike">Red Pike</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/S-1_block_cipher" title="S-1 block cipher">S-1</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SAFER" title="SAFER">SAFER</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SAVILLE" title="SAVILLE">SAVILLE</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SC2000" title="SC2000">SC2000</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SEED" title="SEED">SEED</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHACAL" title="SHACAL">SHACAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SHARK" title="SHARK">SHARK</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Skipjack_%28cipher%29" title="Skipjack (cipher)">Skipjack</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SMS4" title="SMS4">SMS4</a> |</span> <span 
style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Spectr-H64" title="Spectr-H64">Spectr-H64</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Square_%28cipher%29" title="Square (cipher)">Square</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/SXAL/MBAL" title="SXAL/MBAL">SXAL/MBAL</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm" title="Tiny Encryption Algorithm">TEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Treyfer" title="Treyfer">Treyfer</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/UES_%28cipher%29" title="UES (cipher)">UES</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Xenon_%28cipher%29" title="Xenon (cipher)">Xenon</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Xmx" title="Xmx">xmx</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XTEA" title="XTEA">XTEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/XXTEA" title="XXTEA">XXTEA</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Zodiac_%28cipher%29" title="Zodiac (cipher)">Zodiac</a></span></p> </div> </td> </tr> <tr style="height: 2px;"> <td><br /></td> </tr> <tr> <td colspan="2" style="padding: 0px; width: 100%;" class="navbox-list navbox-odd"> <div style="padding: 0em 0.25em;"> <p><span style="white-space: nowrap;"><b>Design:</b> <a href="http://en.wikipedia.org/wiki/Feistel_cipher" title="Feistel cipher">Feistel network</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Key_schedule" title="Key schedule">Key schedule</a> |</span> <span style="white-space: nowrap;"><a href="http://en.wikipedia.org/wiki/Product_cipher" title="Product cipher">Product 
cipher</a></span></p> </div> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> </td> </tr> </tbody></table> <div class="printfooter"> Retrieved from "<a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">http://en.wikipedia.org/wiki/Advanced_Encryption_Standard</a>"</div> <div id="catlinks" class="catlinks"><div id="mw-normal-catlinks"><a href="http://en.wikipedia.org/wiki/Special:Categories" title="Special:Categories">Categories</a>: <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Block_ciphers" title="Category:Block ciphers">Block ciphers</a></span> | <span dir="ltr"><a href="http://en.wikipedia.org/wiki/Category:Advanced_Encryption_Standard" title="Category:Advanced Encryption Standard">Advanced Encryption Standard</a></span></div></div>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-1474746892200792502008-09-30T04:51:00.001-07:002008-09-30T05:33:01.838-07:00TACACS+<p>In <a href="http://en.wikipedia.org/wiki/Computer_network" title="Computer network">computer networking</a>, <b>TACACS+</b> (Terminal Access Controller Access-Control System Plus) is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. 
TACACS+ provides separate authentication, authorization and accounting services.</p> <p><a name="History" id="History"></a></p> <h2><span class="editsection"></span><span class="mw-headline">History</span></h2> <p>TACACS+ is based on <a href="http://en.wikipedia.org/wiki/TACACS" title="TACACS">TACACS</a>, but, in spite of its name, it is an entirely new protocol which is incompatible with any previous version of TACACS. 
TACACS+ and <a href="http://en.wikipedia.org/wiki/RADIUS" title="RADIUS">RADIUS</a> have generally replaced the earlier protocols in more recently built or updated networks, although TACACS and XTACACS are still running on many older systems.</p> <p><a name="Authentication.2C_Authorization_and_Accounting_.28AAA.29" id="Authentication.2C_Authorization_and_Accounting_.28AAA.29"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Authentication, Authorization and Accounting (AAA)</span></h2> <p>Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations, so a user can be authenticated once and then authorized per service and per command. Another difference is that TACACS+ uses the <a href="http://en.wikipedia.org/wiki/Transmission_Control_Protocol" title="Transmission Control Protocol">Transmission Control Protocol</a> (TCP) while RADIUS uses the <a href="http://en.wikipedia.org/wiki/User_Datagram_Protocol" title="User Datagram Protocol">User Datagram Protocol</a> (UDP). Many administrators prefer TACACS+ for device administration because a TCP connection gives the access server an explicit failure signal (a reset or a timeout) instead of a silently lost datagram, and because the whole packet body is hidden on the wire, whereas RADIUS hides only the password attribute.</p> <p>The extensions to the TACACS+ protocol provide for more types of authentication requests and more types of response codes than were in the original specification.</p> <p><a name="Protocol_details" id="Protocol_details"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Protocol details</span></h2> <p>TACACS+ utilizes <a href="http://en.wikipedia.org/wiki/Transmission_control_protocol" title="Transmission control protocol" class="mw-redirect">TCP</a> port 49. It consists of three separate protocols, which can, if desired, be implemented on separate servers.<sup id="cite_ref-0" class="reference"><a href="http://en.wikipedia.org/wiki/TACACS%2B#cite_note-0" title="">[1]</a></sup></p> <p>TACACS+ offers multiprotocol support, such as IP and AppleTalk. In normal operation the entire packet body is obfuscated: it is XORed with a keystream that the protocol draft derives with MD5 from the shared secret, the session ID, the version byte and the sequence number. Only the 12-byte header travels in the clear. The protection is therefore only as strong as the shared secret, and the body carries no integrity check of its own. 
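</p>
The header layout and body obfuscation described above, as an added example that is not part of the original article and is not the code of any TACACS+ implementation: it builds an authentication START packet, applies the MD5 pseudo-pad defined in the protocol draft, parses the result back, and shows what an XOR keystream implies when the same session ID and sequence number are reused. The shared secret, session ID, user name, port, address and password are constructed sample values.

```python
import hashlib
import struct

# Field values from the TACACS+ protocol draft (draft-grant-tacacs-02).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02     # START authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # START service

HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes, always in the clear


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream the draft calls the pseudo-pad: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Body XOR pseudo-pad. XOR is its own inverse, so the same call decodes."""
    return xor_bytes(body, pseudo_pad(session_id, key, version, seq_no, len(body)))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                       priv_lvl: int = 1, authen_type: int = TAC_PLUS_AUTHEN_TYPE_PAP) -> bytes:
    """Authentication START body: action, priv_lvl, authen_type, service, four one-byte
    lengths, then user, port, rem_addr and data (the PAP password here)."""
    for field in (user, port, rem_addr, data):
        if len(field) > 255:
            raise ValueError("START string fields carry a one-byte length")
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def encode_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                  ptype: int = TAC_PLUS_AUTHEN, flags: int = 0) -> bytes:
    """Header plus body; the body is obfuscated unless the unencrypted flag is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    wire = body if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(body, session_id, key, version, seq_no)
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body)) + wire


def decode_packet(packet: bytes, key: bytes):
    """Parse the header and recover the body. A wrong key does not raise: it yields
    garbage, because the protocol has no integrity check, so callers must validate the body."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    wire = packet[HEADER_LEN:HEADER_LEN + length]
    if len(wire) != length:
        raise ValueError("truncated body")
    body = wire if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(wire, session_id, key, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
              "session_id": session_id, "length": length}
    return header, body


def parse_authen_start(body: bytes) -> dict:
    """Inverse of build_authen_start; rejects bodies whose length fields disagree."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def recover_from_keystream_reuse(wire_a: bytes, body_a: bytes, wire_b: bytes) -> bytes:
    """Two bodies sent under the same (session_id, version, seq_no) and key share a pad, so
    wire_a XOR wire_b == body_a XOR body_b: one known plaintext exposes the other's prefix."""
    n = min(len(wire_a), len(wire_b), len(body_a))
    return xor_bytes(xor_bytes(wire_a[:n], wire_b[:n]), body_a[:n])


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"          # constructed sample secret
    start = build_authen_start(b"alice", b"tty0", b"192.0.2.10", b"hunter2")
    pkt = encode_packet(start, session_id=0x1234ABCD, key=KEY)
    header, body = decode_packet(pkt, KEY)
    print(header, parse_authen_start(body))
```

Because the body is a plain XOR with a hash-derived pad, decoding with the wrong key does not fail; it returns garbage, so a receiver has to validate what it decoded (the length-field check in parse_authen_start is one such test). The last function is the reason the session ID must be unpredictable and the sequence number must never repeat within a session: two bodies sent under the same (session_id, seq_no) and key share a pad, and one known plaintext reveals the other.
<p>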
It is a Cisco proprietary enhancement to the original TACACS protocol.</p> <p>Whatever protocol the user's session carries (IP, IPX or AppleTalk), the TACACS+ exchange between the access server and the TACACS+ server itself always runs over TCP port 49.</p> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Kerberos_%28protocol%29" title="Kerberos (protocol)">Kerberos</a></li><li><a href="http://en.wikipedia.org/wiki/RADIUS" title="RADIUS">RADIUS</a></li><li><a href="http://en.wikipedia.org/wiki/Diameter_%28protocol%29" title="Diameter (protocol)">DIAMETER</a></li></ul> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <div class="references-small"> <ol class="references"><li id="cite_note-0"><b><a href="http://en.wikipedia.org/wiki/TACACS%2B#cite_ref-0" title="">^</a></b> <a href="http://www.cisco.com/warp/public/614/7.html" class="external text" title="http://www.cisco.com/warp/public/614/7.html" rel="nofollow">Cisco - TACACS+</a></li></ol> </div> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://tools.ietf.org/html/draft-grant-tacacs-02" class="external text" title="http://tools.ietf.org/html/draft-grant-tacacs-02" rel="nofollow">Cisco's TACACS+ Internet-Draft</a></li><li><a href="http://www.shrubbery.net/tac_plus/" class="external free" title="http://www.shrubbery.net/tac_plus/" rel="nofollow">http://www.shrubbery.net/tac_plus/</a></li><li><a href="http://www.gazi.edu.tr/tacacs" class="external free" title="http://www.gazi.edu.tr/tacacs" rel="nofollow">http://www.gazi.edu.tr/tacacs</a> Database-backed TACACS+</li><li><a href="http://rubyforge.org/projects/tacacs-plus/" class="external free" title="http://rubyforge.org/projects/tacacs-plus/" rel="nofollow">http://rubyforge.org/projects/tacacs-plus/</a> A pure Ruby implementation of TACACS+</li></ul><br 
/><h1>Single-User Network Access Security TACACS+</h1> <hr /> <ul><li><b><a href="http://www.cisco.com/warp/public/558/42.html">TACACS+ Software 10.3(3) Product Announcement</a></b> </li><li><b><a href="http://www.cisco.com/warp/public/146/187.html">PR: "TACACS+ -- New Version of Cisco's Server-Based Security Protocol"</a></b> </li></ul><hr /> <h2>Overview</h2> A major paradigm shift in remote network access is the shift from terminal access to LAN access. Single users are connecting to the corporate network with computers (notebooks or PCs from home) that can sustain complete network connections. These users no longer connect as unfriendly terminals but connect in the same way they do at work: as a LAN user. <p> Companies are moving to the remote node, remote LAN, and remote access server paradigm because it increases user productivity. Remote node technology gives users access to the same corporate network from home or while traveling as they do at work. Connecting to the network means connecting to a NetWare file server or AppleShare. Users are not required to become experts on terminal services and login prompts. </p><p> Since the network is now readily available through remote node technology, network access security has become increasingly important. Host security was adequate for terminal access, but network access security is needed for remotely connected users or remote nodes. </p><h2>General Network Access Security Requirements</h2> Network access security requirements are evolving from user needs. Network managers are now concerned with three sets of requirements for their network access servers (NASs): authentication, authorization, and accounting services. <h2>Authentication</h2> Authentication determines who is allowed to gain access to the LAN. Simple authentication methods use a database of usernames and passwords on the terminal server or access server. More advanced authentication systems use centralized methods such as TACACS, token card systems, and Kerberos. <p> However, once users are authenticated to use the LAN, they may still need to supply a username and password for access to specific services such as UNIX hosts, NetWare, or AppleShare. A good NAS supports a variety of authentication options. </p><h2>Authorization</h2> Authorization, the ability to limit network services to different users, is a dynamically applied access list (sometimes called a user profile) selected by the username/password pair. This feature is useful for two primary reasons: it helps to limit the exposure of the internal network to outside callers, and it simplifies the view of the network for the less technical remote access user. <p> Authorization allows users to be mobile. Mobile and temporary users (portable users with modems in hotels and telecommuters with modems or ISDN connections at home) want to connect to the closest local connection and still have the same access privileges as on their local networks. </p><p> The network administrator must be able to limit network access for all access protocols and services (Telnet, IP, IPX, and AppleTalk) while users dial in through the same modem pool. Per-user access list authorization is not tied to specific interfaces but is dynamically assigned to the port to which a user attaches. For example, when user A connects to port 1, she can see subnets 1, 2, 3 and AppleTalk zones <i>bldg D</i>, <i>bldg E</i>, and <i>bldg F</i>. When user B connects to port 1, his profile limits him to subnet 1 and AppleTalk zone <i>bldg D</i>. </p><p> Since a NAS supports many more remote users than it has physical lines, each user or group of users can dial into the same phone rotary and receive access to the network. Because the access list is selected by username, each NAS can support thousands of users in its username and password database. 
</p><h2>Accounting</h2> Accounting is the third major requirement in a security system. Network administrators may want to bill departments or customers for connection time. Accounting also provides the ability to track suspicious connection attempts into the network. <h2>General Cisco Network Access Security Features</h2> Following are the general network access security features that are currently available on Cisco Access Servers. These features can be configured in the access server's internal database or in a centralized database reached through TACACS. <pre>
-----------------------------------------------------------------------------
FEATURE                FUNCTION
=============================================================================
Username and password  Basic NAS security

Per-user access        Basic authorization
lists for IP

Callback               Reverses phone charges; extra security for
                       telecommuters

PAP and CHAP           Translates PAP or CHAP to TACACS

Logging                Sends start and stop times to an external logging
                       server

Absolute time out      Limits the time a user can stay connected (connect
                       session limit)

Inactivity time out    Cisco supports session timeout, which disconnects a
                       user after a specified time of inactivity. After a
                       session timeout, another person cannot use the
                       connection.

Autocommand            A user can automatically execute a command
                       (if it is available in the internal database).

System script          Automatically connects a user to a specific host, or
                       other script capabilities

Autoselect             Automatically provides users with the service they
                       need to connect to the access server. Autoselect
                       supports Telnet, TN3270, SLIP, PPP (for IP or IPX)
                       and ARA. Autoselect limits the user's access to
                       services by automatically providing the appropriate
                       service. For example, a Macintosh user can be
                       automatically dropped into ARA without an exec
                       terminal session. This is both a security and
                       ease-of-use feature.
-----------------------------------------------------------------------------
</pre> <h2>Manual Service Selection: EXEC</h2> EXEC allows users to connect to the access server "shell," then select services. <p> Users connected to EXEC may specify various services: UUCP, PPP, SLIP, ARA, TN3270, Telnet, or EXEC to manage the router itself. </p><p> Connecting to EXEC allows users to manage the access server or router if they have the appropriate privileges. </p><h2>Internal or Centrally Managed NAS</h2> All of the security features mentioned can be set up and administered internally on a Cisco access server or passed from a Cisco access server to a centralized database. Sending the information to a central database and forwarding the response to the proper Cisco access server requires a specific protocol. <p> Cisco implemented the Terminal Access Controller Access Control System (TACACS) protocol for this exact reason. It was developed by BBN to support username/password authentication for multiple communication servers. It forwards the user's username and password to a centralized database that also speaks the TACACS protocol. The centralized database looks up the information and sends back an accept or deny message, which either allows or denies the user access. The centralized database can be modified to control authorization in either a simple or a complex environment. </p><h2>Centralized Database and TACACS</h2> A client/server (protocol and server) architecture places all security information in a single, central database, instead of dispersing it around the network in different devices. This is especially useful if there are thousands of users who are using thousands of access servers distributed around the network. 
<p> A security protocol and server are much more extensible and scalable for large enterprises. TACACS and other remote access security protocols are designed to support thousands of remote connections. In a large network, the user database is usually large, and is best kept on a centralized server. This saves memory in all the access devices and eliminates the need to update every access server when new users are added or passwords are changed. </p><h3>TACACS</h3> TACACS is an open protocol specification, documented in RFC 1492, that forwards username and password information to a centralized server. The centralized server can either be a TACACS database or a database such as the UNIX password file fronted by TACACS protocol support. For example, a UNIX server with TACACS passes requests to the UNIX database and sends the accept or reject message back to the access server. <h3>XTACACS</h3> XTACACS defines the extensions that Cisco added to the TACACS protocol to support new and advanced features. <p> XTACACS supports: </p><ul><li>Multiple TACACS servers </li><li><i>syslog</i> -- Sends accounting information to a UNIX host </li><li><i>connect</i> -- Where the user is authenticated into the access server "shell" and can Telnet or initiate SLIP or PPP or ARA after initial </li></ul><p> XTACACS is multiprotocol and can authorize connections with: </p><ul><li>SLIP </li><li>enable </li><li>PPP (IP or IPX) </li><li>ARA </li><li>EXEC </li><li>Telnet </li></ul><h2>TACACS+</h2> TACACS+ allows a separate server (the TACACS+ server) to provide the services of authentication, authorization, and accounting independently. Each service can be tied into its own database or can use the other services available on that server or on the network. 
<p> <img alt="Bro_WP_TACACSp_fig1" src="http://www.cisco.com/images/Bro_WP_TACACSp_fig1.gif" width="336" height="136" /></p><p> <i>Figure 1: Control Access to Network Via Dial Up</i> </p><hr /> <p> TACACS+ will be supported by the Cisco family of routers and access servers as part of a maintenance release of Cisco IOS Release 10.3. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492. Cisco is presenting TACACS+ to the IETF working groups and will contribute to and adopt the emerging NAS protocol standard. </p><p> The overall design goal of TACACS+ is to define a standard method for managing dissimilar Network Access Servers (NASs) from a single set of management services such as a database. A NAS provides connections to a single user, to a network or subnetwork, and to interconnected networks. </p><p> TACACS+ has three major components: the protocol support within the access servers and routers, the protocol specification, and the centralized security database. Like an internal security database, TACACS+ supports the following three required features of a good security system. </p><p> <b><i>Authentication</i></b> </p><p> The TACACS+ protocol forwards many types of username and password information. On the wire this information is hidden by XORing the packet body with a keystream derived by MD5 from the shared secret, so it is only as safe as that secret. TACACS+ can forward the password types for ARA, SLIP, PAP, CHAP, and standard Telnet. This allows clients to use the same username and password for different protocols. TACACS+ is extensible to support new password types like KCHAP. </p><p> TACACS+ authentication supports multiple challenge and response demands from the TACACS+ server. This allows token card vendors to provide advanced features like sending back a second token-generated number after the first one was manipulated by a security server. </p><p> <b><i>Authorization</i></b> </p><p> TACACS+ provides a mechanism to tell an access server which access list a user connected to port 1 uses. The TACACS+ server, and the location of the username/password information, identify the access list through which the user is filtered. The access list(s) reside on the access server. The TACACS+ server responds to a username with an accept and an access list number, which causes that list to be applied. </p><p> <b><i>Accounting</i></b> </p><p> TACACS+ provides accounting information to a database over TCP to ensure a more reliable and complete accounting log. </p><p> The accounting portion of the TACACS+ protocol contains the network address of the user, the username, the service attempted, the protocol used, the time and date, and the packet-filter module originating the log. For Telnet connections, it also contains source and destination port, action taken (communication accepted or rejected), log, and alert type. Formats are open and configurable. </p><p> The billing information includes connect time, user ID, location connected from, start time, and stop time. It identifies the protocol that the user is using and may contain the commands being run if the user is connected through EXEC or Telnet. </p><p> Future TACACS+ accounting enhancements will provide connect time updates, which will send an update of the current connect time to the accounting server every x minutes. This feature allows companies such as Internet providers to bill a customer for an open session even if the access server restarts and loses the initial start time. Service providers can significantly reduce lost billing time. </p><p> The auditing information records which commands and arguments were run and the location connected from. </p><p> The protocol provides enough information so that a server can produce intrusion detection routines, reporting statistics, number of packets, and number of bytes. </p><p> Users want servers to prevent multiple uses of the same username/password so that customers with flat rates do not share their account with others. 
Although the decision to give access is made on the server, the protocol is flexible enough to provide the information needed to detect multiple concurrent uses of the same username and password. </p><h3>Third-Party Security Solutions</h3> TACACS is an open protocol and can be ported to any username or password database. Many users now want token card support for their remote dial-in access users. Many token card client/server companies have ported the TACACS protocol to their central databases. This allows remote node users to connect to a network through a Cisco access server, while using a third-party database and token cards for the remote users. <p> <img alt="Bro_WP_TACACSp_fig2" src="http://www.cisco.com/images/Bro_WP_TACACSp_fig2.gif" width="328" height="263" /></p><p> <i>Figure 2: TACACS and Token Card Support</i> </p><hr /> <p> Companies that support this solution today include: </p><ul><li>Enigma Logic </li><li>Security Dynamics </li><li>Digital Pathways </li></ul><p> Advantages of the TACACS+ Protocol: </p><ul><li>TCP-based, for reliable, connection-oriented delivery </li><li>Provides three separate protocol components, each of which can be implemented on a separate server </li></ul><p> Authentication provides complete server control of the authentication process, which includes: </p><ul><li>Login and password query </li><li>Challenge/response </li><li>Messaging support (any) </li><li>Packet body hidden with an MD5-derived keystream </li><li>Replaceable with Kerberos 5 </li></ul><p> Authorization allows "remote" access control and enhanced granularity. Features include: </p><ul><li>One authentication </li><li>Authorization for each service </li><li>Per-user access list and user profile </li><li>Users can belong to groups </li><li>IP and Telnet support (IPX, ARA future) </li><li>Any access or command and permission or restriction <ul><li>Initial connection upon starting any command or service </li></ul></li><li>Primary service <ul><li>EXEC or autoselected protocol </li></ul></li><li>Secondary service <ul><li>Commands from EXEC or a control protocol such as PPP NCP, based on connection location </li></ul></li></ul><h2>Examples of the "AAA" Functionality</h2> The authorization component in TACACS+ allows greater levels of control over user actions and can be used to create separate administrative groups that are based on user function. For example, a network manager might want to restrict a user to performing certain functions on the access server or router. Within the access server, a user might be restricted to PPP or SLIP and only be permitted to connect to a specific host address. Another example of the flexibility of the authorization subsystem is redirecting a user to a particular host when an attempt is made to connect to a specific host. In the case of the router's command line user interface, a restriction might be placed on executing particular EXEC commands such as reload. <p> The authentication protocol can also generate an autocommand. Once a user is authenticated, this runs any command within the access server system and is very powerful for complete access management. Network managers can use the accounting component to track user activity for a security audit trail or to provide billing information. A report might be structured to provide: user identity, start and stop times, executed commands, number of packets, and number of bytes. </p><p> Password aging is another example of the capabilities that are now available with TACACS+. 
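</p>
The authorization exchange this white paper describes (the access server asks whether a user may start a service or run a command; the server answers with an accept that may carry an access list number or replacement attributes, or with a reject), as an added example that is not Cisco's code and not part of the original paper: both ends of a TACACS+ authorization REQUEST/RESPONSE in the body layout of the protocol draft, with a constructed policy table standing in for the server's database. The user names, access list numbers, denied commands and the forced privil­ege level are assumptions, and the bodies are shown before the per-packet obfuscation step, which this example leaves out.

```python
import re
import struct

# Authorization packet constants from the TACACS+ draft (draft-grant-tacacs-02).
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01    # NAS uses its request args plus the returned ones
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02   # NAS replaces its args with the returned ones
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Constructed policy standing in for the server's database (assumed, not from the paper):
# services each user may start, the IP access list number returned for PPP, EXEC commands denied.
POLICY = {
    b"alice": {"services": {b"shell", b"ppp"}, "inacl": b"101",
               "deny_cmds": [rb"^reload\b", rb"^configure\b"]},
    b"bob": {"services": {b"ppp"}, "inacl": b"120", "deny_cmds": [rb".*"]},
}

ARG_RE = re.compile(rb"([^=*]+)([=*])(.*)", re.S)   # attr=value is mandatory, attr*value optional


def build_author_request(user: bytes, port: bytes, rem_addr: bytes, args: list,
                         priv_lvl: int = 1) -> bytes:
    """REQUEST body: 8 fixed bytes, one length byte per arg, then user, port, rem_addr, args."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("arg count and arg lengths are one byte each")
    head = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args)])
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body: bytes) -> dict:
    """Server side: split the REQUEST into fields and (attribute, value) pairs."""
    _meth, priv_lvl, _atype, _svc, ul, pl, rl, argc = body[:8]
    lens, off = body[8:8 + argc], 8 + argc
    user = body[off:off + ul]
    port = body[off + ul:off + ul + pl]
    rem_addr = body[off + ul + pl:off + ul + pl + rl]
    off += ul + pl + rl
    args = []
    for n in lens:
        m = ARG_RE.fullmatch(body[off:off + n])
        if m is None:
            raise ValueError("malformed attribute-value pair")
        args.append((m.group(1), m.group(3)))
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl, "args": args}


def build_author_response(status: int, args: list, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """RESPONSE body: status, arg_cnt, server_msg_len, data_len, arg lengths, server_msg, data, args."""
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def parse_author_response(body: bytes):
    status, argc, sml, dl = struct.unpack("!BBHH", body[:6])
    lens, off = body[6:6 + argc], 6 + argc
    server_msg, data = body[off:off + sml], body[off + sml:off + sml + dl]
    off += sml + dl
    args = []
    for n in lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    return status, server_msg, args


def first(args, attr: bytes):
    return next((v for a, v in args if a == attr), None)


def authorize(req: dict):
    """Server decision for one REQUEST: (status, reply args, message shown to the user)."""
    rules = POLICY.get(req["user"])
    service = first(req["args"], b"service")
    if rules is None or service not in rules["services"]:
        return TAC_PLUS_AUTHOR_STATUS_FAIL, [], b"service not permitted"
    if service == b"ppp":
        # The accept carries the access list number the NAS applies to this user's port.
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [b"inacl=" + rules["inacl"]], b""
    cmd = first(req["args"], b"cmd")
    if not cmd:
        # EXEC shell start (empty cmd): force privilege level 1 whatever the NAS proposed.
        return TAC_PLUS_AUTHOR_STATUS_PASS_REPL, [b"priv-lvl=1"], b""
    line = b" ".join([cmd] + [v for a, v in req["args"] if a == b"cmd-arg"])
    if any(re.match(p, line) for p in rules["deny_cmds"]):
        return TAC_PLUS_AUTHOR_STATUS_FAIL, [], b"command denied: " + line
    return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [], b""


def nas_authorize(user: bytes, args: list, port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.10"):
    """Both ends in one process: the NAS encodes a REQUEST, the server parses it, decides and
    encodes a RESPONSE, and the NAS parses that. Returns (status, args the NAS should apply)."""
    wire_req = build_author_request(user, port, rem_addr, args)
    status, reply, msg = authorize(parse_author_request(wire_req))
    wire_resp = build_author_response(status, reply, server_msg=msg)
    status, _msg, reply = parse_author_response(wire_resp)
    return status, reply
```

The decision is made entirely on the server, as the paper says; the access server only has to honour the status. With PASS_ADD the NAS applies its own request attributes plus the returned ones (the inacl line is how the per-user access list number reaches the port), with PASS_REPL it discards its own and uses only what the server sent, and with FAIL it refuses the service or command. A command check is done per command, so the server sees every EXEC line, which is also what makes the accounting audit trail possible.
<p>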
A server supporting TACACS+ can send a message back to users, telling them to change their passwords as part of the login sequence. They will not be allowed access unless they change their passwords at that time. </p><pre>-----------------------------------------------------------------------------<br /> TACACS<br />FEATURE INTERNAL XTACACS TACACS+<br />=============================================================================<br />AUTHENTICATION<br />PAP/CHAP * * *<br />System script * * *<br />Autocommand * * *<br />DialBack 95 * 95<br />Username/password * * *<br />Use MD5 encryption *<br />Token card support * *<br />Via Kerberos 5 95<br />For exec * * *<br />For PPP (IP and IPX) * * *<br />For ARA * * *<br />Multiple challenge and response *<br />Router access authentication * * *<br />Support for rcmd *<br />Try multiple authentication types * *<br />-----------------------------------------------------------------------------<br />AUTHORIZATION * *<br />Per user-IP (SLIP and PPP) * * *<br />Per user IPX 95 95 95<br />Per user ARA 95 95 95<br />exec prompt access * *<br />exec and PPP IP address * *<br />exec and Telnet * * *<br />Router commands * * *<br />User-changeable Dependent on Yes, but only<br />password server with one server<br />-----------------------------------------------------------------------------<br />ACCOUNTING<br />Time connection start * *<br />Time connection finish * *<br />Total connection time * *<br /># packets, # bytes<br />Which commands + argument 95<br />Location connect from 95<br />User ID * *<br />User protocol * *<br />Use UDP *<br />Use TCP *<br />Absolute time out<br />Inactivity time out<br />-----------------------------------------------------------------------------<br /></pre> <h2>The TACACS+ Protocol Spec</h2> TACACS+ also provides a general-purpose protocol specification that allows the TACACS+ protocol to be integrated into standard databases. 
The TACACS+ protocol specification will make integration of the TACACS+ protocol into third-party or customer authentication/security databases easier, and it also provides more functionality. Current third-party support for TACACS includes Security Dynamics, Enigma Logic, and more to be announced. <p> Third-party token support will be enhanced with TACACS+ in that the custom database will be able to handle challenge/response mechanisms for token cards and other advanced authentication systems. </p><h2>General</h2> TACACS+ sample server C code and the protocol specification will be available from Cisco Connection Online (CCO) on the World Wide Web (http://www.cisco.com) and the character-based bulletin board (telnet cco.cisco.com), and through anonymous FTP (ftp.cisco.com). <p> Cisco is working with the IETF to standardize these security protocols, and is also working with other centralized security protocols such as RADIUS. Cisco will participate in the evolution of a single standards-based NAS protocol. </p><hr /> Posted: Mar 30 11:46:18 1995 <h6> <a href="http://www.cisco.com/public/copyright.html"> Copyright 1996 © Cisco Systems Inc. 
</a></h6>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-37297540530406054072008-09-30T04:51:00.000-07:002008-09-30T04:53:08.325-07:00Cryptographic protocols<h3>3</h3> <ul><li><a href="http://en.wikipedia.org/wiki/3-D_Secure" title="3-D Secure">3-D Secure</a></li></ul> <h3>A</h3> <ul><li><a href="http://en.wikipedia.org/wiki/AKA_%28security%29" title="AKA (security)">AKA (security)</a></li><li><a href="http://en.wikipedia.org/wiki/ANSI_ASC_X9.95_Standard" title="ANSI ASC X9.95 Standard">ANSI ASC X9.95 Standard</a></li><li><a href="http://en.wikipedia.org/wiki/AS2" title="AS2">AS2</a></li><li><a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Alice and Bob</a></li><li><a href="http://en.wikipedia.org/wiki/AuthIP" title="AuthIP">AuthIP</a></li></ul> <h3>B</h3> <ul><li><a href="http://en.wikipedia.org/wiki/BitTorrent_protocol_encryption" title="BitTorrent protocol encryption">BitTorrent protocol encryption</a></li></ul> <h3>C</h3> <ul><li><a href="http://en.wikipedia.org/wiki/CCMP" title="CCMP">CCMP</a></li><li><a href="http://en.wikipedia.org/wiki/CRAM-MD5" title="CRAM-MD5">CRAM-MD5</a></li><li><a href="http://en.wikipedia.org/wiki/Certificate_Management_Protocol" title="Certificate Management Protocol">Certificate Management Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Certificate_Management_over_CMS" title="Certificate Management over CMS">Certificate Management over CMS</a></li><li><a href="http://en.wikipedia.org/wiki/Certificate_signing_request" title="Certificate signing request">Certificate signing request</a></li><li><a href="http://en.wikipedia.org/wiki/Certification_path_validation_algorithm" title="Certification path validation algorithm">Certification path validation algorithm</a></li><li><a href="http://en.wikipedia.org/wiki/Chaffing_and_winnowing" title="Chaffing and winnowing">Chaffing and winnowing</a></li><li><a 
href="http://en.wikipedia.org/wiki/Challenge-handshake_authentication_protocol" title="Challenge-handshake authentication protocol">Challenge-handshake authentication protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Challenge-response_authentication" title="Challenge-response authentication">Challenge-response authentication</a></li><li><a href="http://en.wikipedia.org/wiki/Code_Access_Security" title="Code Access Security">Code Access Security</a></li><li><a href="http://en.wikipedia.org/wiki/Common_reference_string_model" title="Common reference string model">Common reference string model</a></li><li><a href="http://en.wikipedia.org/wiki/Conch_%28SSH%29" title="Conch (SSH)">Conch (SSH)</a></li><li><a href="http://en.wikipedia.org/wiki/Cryptanalysis_of_TIA%27s_Common_Cryptographic_Algorithms" title="Cryptanalysis of TIA's Common Cryptographic Algorithms">Cryptanalysis of TIA's Common Cryptographic Algorithms</a></li><li><a href="http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax" title="Cryptographic Message Syntax">Cryptographic Message Syntax</a></li><li><a href="http://en.wikipedia.org/wiki/Cryptographic_protocol" title="Cryptographic protocol">Cryptographic protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Cryptographically_Generated_Addresses" title="Cryptographically Generated Addresses">Cryptographically Generated Addresses</a></li></ul> <h3>D</h3> <ul><li><span class="redirect-in-category"><a href="http://en.wikipedia.org/wiki/DH/DSS" title="DH/DSS">DH/DSS</a></span></li><li><a href="http://en.wikipedia.org/wiki/Data_Validation_and_Certification_Server" title="Data Validation and Certification Server">Data Validation and Certification Server</a></li><li><a href="http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security" title="Datagram Transport Layer Security">Datagram Transport Layer Security</a></li><li><a href="http://en.wikipedia.org/wiki/Dead_Peer_Detection" title="Dead Peer Detection">Dead Peer Detection</a></li><li><a 
href="http://en.wikipedia.org/wiki/Delegated_Path_Discovery" title="Delegated Path Discovery">Delegated Path Discovery</a></li><li><a href="http://en.wikipedia.org/wiki/Delegated_Path_Validation" title="Delegated Path Validation">Delegated Path Validation</a></li><li><a href="http://en.wikipedia.org/wiki/Deniable_authentication" title="Deniable authentication">Deniable authentication</a></li><li><a href="http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange" title="Diffie-Hellman key exchange">Diffie-Hellman key exchange</a></li><li><a href="http://en.wikipedia.org/wiki/Diffie-Hellman_problem" title="Diffie-Hellman problem">Diffie-Hellman problem</a></li><li><a href="http://en.wikipedia.org/wiki/Digest_access_authentication" title="Digest access authentication">Digest access authentication</a></li><li><a href="http://en.wikipedia.org/wiki/DigiCipher_2" title="DigiCipher 2">DigiCipher 2</a></li><li><a href="http://en.wikipedia.org/wiki/Digital_credential" title="Digital credential">Digital credential</a></li><li><a href="http://en.wikipedia.org/wiki/Dining_cryptographers_protocol" title="Dining cryptographers protocol">Dining cryptographers protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Dining_cryptographers_protocol/Rewrite" title="Dining cryptographers protocol/Rewrite">Dining cryptographers protocol/Rewrite</a></li><li><a href="http://en.wikipedia.org/wiki/Distance-bounding_protocol" title="Distance-bounding protocol">Distance-bounding protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Distributed_System_Security_Architecture" title="Distributed System Security Architecture">Distributed System Security Architecture</a></li><li><a href="http://en.wikipedia.org/wiki/DomainKeys" title="DomainKeys">DomainKeys</a></li><li><a href="http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail" title="DomainKeys Identified Mail">DomainKeys Identified Mail</a></li></ul> <h3>E</h3> <ul><li><a href="http://en.wikipedia.org/wiki/EAP-AKA" 
title="EAP-AKA">EAP-AKA</a></li><li><a href="http://en.wikipedia.org/wiki/EAP-SIM" title="EAP-SIM">EAP-SIM</a></li><li><a href="http://en.wikipedia.org/wiki/Ecash" title="Ecash">Ecash</a></li><li><a href="http://en.wikipedia.org/wiki/Electronic_money" title="Electronic money">Electronic money</a></li><li><a href="http://en.wikipedia.org/wiki/Encrypted_key_exchange" title="Encrypted key exchange">Encrypted key exchange</a></li><li><a href="http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol" title="Extensible Authentication Protocol">Extensible Authentication Protocol</a></li></ul><br /><h3>G</h3> <ul><li><a href="http://en.wikipedia.org/wiki/Generic_Bootstrapping_Architecture" title="Generic Bootstrapping Architecture">Generic Bootstrapping Architecture</a></li><li><a href="http://en.wikipedia.org/wiki/Generic_Security_Service_Algorithm_for_Secret_Key_Transaction" title="Generic Security Service Algorithm for Secret Key Transaction">Generic Security Service Algorithm for Secret Key Transaction</a></li><li><a href="http://en.wikipedia.org/wiki/Grid_Security_Infrastructure" title="Grid Security Infrastructure">Grid Security Infrastructure</a></li></ul> <h3>H</h3> <ul><li><a href="http://en.wikipedia.org/wiki/H.235" title="H.235">H.235</a></li><li><a href="http://en.wikipedia.org/wiki/HAIPE" title="HAIPE">HAIPE</a></li><li><a href="http://en.wikipedia.org/wiki/HTTPsec" title="HTTPsec">HTTPsec</a></li><li><a href="http://en.wikipedia.org/wiki/Hashcash" title="Hashcash">Hashcash</a></li><li><a href="http://en.wikipedia.org/wiki/Homomorphic_secret_sharing" title="Homomorphic secret sharing">Homomorphic secret sharing</a></li><li><a href="http://en.wikipedia.org/wiki/Host_Identity_Protocol" title="Host Identity Protocol">Host Identity Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Https" title="Https">Https</a></li></ul> <h3>I</h3> <ul><li><a href="http://en.wikipedia.org/wiki/IEEE_802.11i-2004" title="IEEE 802.11i-2004">IEEE 
802.11i-2004</a></li><li><a href="http://en.wikipedia.org/wiki/IKEv2" title="IKEv2">IKEv2</a></li><li><a href="http://en.wikipedia.org/wiki/IPsec" title="IPsec">IPsec</a></li><li><a href="http://en.wikipedia.org/wiki/Interlock_protocol" title="Interlock protocol">Interlock protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol" title="Internet Security Association and Key Management Protocol">Internet Security Association and Key Management Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Internet_key_exchange" title="Internet key exchange">Internet key exchange</a></li></ul> <h3>K</h3> <ul><li><a href="http://en.wikipedia.org/wiki/Kerberos_%28protocol%29" title="Kerberos (protocol)">Kerberos (protocol)</a></li><li><a href="http://en.wikipedia.org/wiki/Key_exchange" title="Key exchange">Key exchange</a></li><li><a href="http://en.wikipedia.org/wiki/Key-agreement_protocol" title="Key-agreement protocol">Key-agreement protocol</a></li></ul> <h3>M</h3> <ul><li><a href="http://en.wikipedia.org/wiki/MIKEY" title="MIKEY">MIKEY</a></li><li><a href="http://en.wikipedia.org/wiki/MS-CHAP" title="MS-CHAP">MS-CHAP</a></li><li><a href="http://en.wikipedia.org/wiki/Microsoft_Point-to-Point_Encryption" title="Microsoft Point-to-Point Encryption">Microsoft Point-to-Point Encryption</a></li><li><a href="http://en.wikipedia.org/wiki/Multiplexed_Transport_Layer_Security" title="Multiplexed Transport Layer Security">Multiplexed Transport Layer Security</a></li></ul> <h3>N</h3> <ul><li><a href="http://en.wikipedia.org/wiki/NAT-T" title="NAT-T">NAT-T</a></li><li><a href="http://en.wikipedia.org/wiki/NTLM" title="NTLM">NTLM</a></li><li><a href="http://en.wikipedia.org/wiki/Needham-Schroeder_protocol" title="Needham-Schroeder protocol">Needham-Schroeder protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Network_Security_Services" title="Network Security Services">Network Security Services</a></li><li><a 
href="http://en.wikipedia.org/wiki/Non-interactive_zero-knowledge_proof" title="Non-interactive zero-knowledge proof">Non-interactive zero-knowledge proof</a></li></ul> <h3>O</h3> <ul><li><a href="http://en.wikipedia.org/wiki/OCSP_Stapling" title="OCSP Stapling">OCSP Stapling</a></li><li><a href="http://en.wikipedia.org/wiki/Oak_Orion" title="Oak Orion">Oak Orion</a></li><li><a href="http://en.wikipedia.org/wiki/Oakley_protocol" title="Oakley protocol">Oakley protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Oblivious_transfer" title="Oblivious transfer">Oblivious transfer</a></li><li><a href="http://en.wikipedia.org/wiki/Off-the-Record_Messaging" title="Off-the-Record Messaging">Off-the-Record Messaging</a></li><li><a href="http://en.wikipedia.org/wiki/Offline_private_key_protocol" title="Offline private key protocol">Offline private key protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol" title="Online Certificate Status Protocol">Online Certificate Status Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Otway-Rees_protocol" title="Otway-Rees protocol">Otway-Rees protocol</a></li></ul> <h3>P</h3> <ul><li><a href="http://en.wikipedia.org/wiki/Password-authenticated_key_agreement" title="Password-authenticated key agreement">Password-authenticated key agreement</a></li><li><a href="http://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail" title="Privacy-enhanced Electronic Mail">Privacy-enhanced Electronic Mail</a></li><li><a href="http://en.wikipedia.org/wiki/Private_Communications_Technology" title="Private Communications Technology">Private Communications Technology</a></li><li><a href="http://en.wikipedia.org/wiki/Private_information_retrieval" title="Private information retrieval">Private information retrieval</a></li><li><a href="http://en.wikipedia.org/wiki/Proof_of_knowledge" title="Proof of knowledge">Proof of knowledge</a></li><li><a 
href="http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol" title="Protected Extensible Authentication Protocol">Protected Extensible Authentication Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Protocol_for_Carrying_Authentication_for_Network_Access" title="Protocol for Carrying Authentication for Network Access">Protocol for Carrying Authentication for Network Access</a></li><li><a href="http://en.wikipedia.org/wiki/Publius_Publishing_System" title="Publius Publishing System">Publius Publishing System</a></li></ul><br /><h3>R</h3> <ul><li><a href="http://en.wikipedia.org/wiki/Rekeying" title="Rekeying">Rekeying</a></li><li><a href="http://en.wikipedia.org/wiki/Renewable_security" title="Renewable security">Renewable security</a></li></ul> <h3>S</h3> <ul><li><a href="http://en.wikipedia.org/wiki/S/MIME" title="S/MIME">S/MIME</a></li><li><a href="http://en.wikipedia.org/wiki/SCVP" title="SCVP">SCVP</a></li><li><a href="http://en.wikipedia.org/wiki/SPEKE_%28cryptography%29" title="SPEKE (cryptography)">SPEKE (cryptography)</a></li><li><a href="http://en.wikipedia.org/wiki/SPNEGO" title="SPNEGO">SPNEGO</a></li><li><a href="http://en.wikipedia.org/wiki/SSH_file_transfer_protocol" title="SSH file transfer protocol">SSH file transfer protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Secret_sharing" title="Secret sharing">Secret sharing</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_Communications_Interoperability_Protocol" title="Secure Communications Interoperability Protocol">Secure Communications Interoperability Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_Neighbor_Discovery_Protocol" title="Secure Neighbor Discovery Protocol">Secure Neighbor Discovery Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol" title="Secure Real-time Transport Protocol">Secure Real-time Transport Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_Shell" 
title="Secure Shell">Secure Shell</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_channel" title="Secure channel">Secure channel</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_copy" title="Secure copy">Secure copy</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_hypertext_transfer_protocol" title="Secure hypertext transfer protocol">Secure hypertext transfer protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_multi-party_computation" title="Secure multi-party computation">Secure multi-party computation</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_remote_password_protocol" title="Secure remote password protocol">Secure remote password protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Secure_two-party_computation" title="Secure two-party computation">Secure two-party computation</a></li><li><a href="http://en.wikipedia.org/wiki/Security_Protocols_Open_Repository" title="Security Protocols Open Repository">Security Protocols Open Repository</a></li><li><a href="http://en.wikipedia.org/wiki/Security_association" title="Security association">Security association</a></li><li><a href="http://en.wikipedia.org/wiki/Security_protocol_notation" title="Security protocol notation">Security protocol notation</a></li><li><a href="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer" title="Simple Authentication and Security Layer">Simple Authentication and Security Layer</a></li><li><a href="http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol" title="Simple Certificate Enrollment Protocol">Simple Certificate Enrollment Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Station-to-Station_protocol" title="Station-to-Station protocol">Station-to-Station protocol</a></li><li><a href="http://en.wikipedia.org/wiki/StrongSwan" title="StrongSwan">StrongSwan</a></li></ul> <h3>T</h3> <ul><li><a href="http://en.wikipedia.org/wiki/TACLANE" title="TACLANE">TACLANE</a></li><li><a 
href="http://en.wikipedia.org/wiki/TLS-PSK" title="TLS-PSK">TLS-PSK</a></li><li><a href="http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol" title="Temporal Key Integrity Protocol">Temporal Key Integrity Protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Threshold_shadow_scheme" title="Threshold shadow scheme">Threshold shadow scheme</a></li><li><a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" title="Transport Layer Security">Transport Layer Security</a></li></ul> <h3>U</h3> <ul><li><a href="http://en.wikipedia.org/wiki/Universal_composability" title="Universal composability">Universal composability</a></li></ul> <h3>W</h3> <ul><li><a href="http://en.wikipedia.org/wiki/WLAN_Authentication_and_Privacy_Infrastructure" title="WLAN Authentication and Privacy Infrastructure">WLAN Authentication and Privacy Infrastructure</a></li><li><a href="http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access" title="Wi-Fi Protected Access">Wi-Fi Protected Access</a></li><li><a href="http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup" title="Wi-Fi Protected Setup">Wi-Fi Protected Setup</a></li><li><a href="http://en.wikipedia.org/wiki/Wide_Mouth_Frog_protocol" title="Wide Mouth Frog protocol">Wide Mouth Frog protocol</a></li><li><a href="http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy" title="Wired Equivalent Privacy">Wired Equivalent Privacy</a></li><li><a href="http://en.wikipedia.org/wiki/Wireless_Transport_Layer_Security" title="Wireless Transport Layer Security">Wireless Transport Layer Security</a></li><li><a href="http://en.wikipedia.org/wiki/Witness-indistinguishable_proof" title="Witness-indistinguishable proof">Witness-indistinguishable proof</a></li></ul> <h3>X</h3> <ul><li><a href="http://en.wikipedia.org/wiki/X.509" title="X.509">X.509</a></li><li><a href="http://en.wikipedia.org/wiki/XKMS" title="XKMS">XKMS</a></li></ul> <h3>Z</h3> <ul><li><a href="http://en.wikipedia.org/wiki/ZRTP" title="ZRTP">ZRTP</a></li><li><a 
href="http://en.wikipedia.org/wiki/Zero-knowledge_password_proof" title="Zero-knowledge password proof">Zero-knowledge password proof</a></li><li><a href="http://en.wikipedia.org/wiki/Zero-knowledge_proof" title="Zero-knowledge proof">Zero-knowledge proof</a></li><li><a href="http://en.wikipedia.org/wiki/Zimmermann-Sassaman_key-signing_protocol" title="Zimmermann-Sassaman key-signing protocol">Zimmermann-Sassaman key-signing protocol</a></li></ul>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-35844584149039681602008-09-30T04:45:00.000-07:002008-09-30T04:55:21.283-07:00ISAKMP (Internet Security Association and Key Management Protocol)<b>ISAKMP</b> (<b>I</b>nternet <b>S</b>ecurity <b>A</b>ssociation and <b>K</b>ey <b>M</b>anagement <b>P</b>rotocol) is a protocol for establishing <a href="http://en.wikipedia.org/wiki/Security_association" title="Security association"><b>S</b>ecurity <b>A</b>ssociations</a> (SA) and cryptographic keys in an Internet environment. The protocol is defined by <b><a href="http://tools.ietf.org/html/rfc2408" class="external" title="http://tools.ietf.org/html/rfc2408">RFC 2408</a></b>. 
<p><a name="Overview" id="Overview"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Overview</span></h2> <p>ISAKMP defines the procedures for authenticating a communicating peer, creation and management of <a href="http://en.wikipedia.org/wiki/Security_association" title="Security association">Security Associations</a>, <a href="http://en.wikipedia.org/wiki/Key_generation" title="Key generation">key generation</a> techniques, and threat mitigation (e.g. denial of service and replay attacks). ISAKMP typically utilizes <a href="http://en.wikipedia.org/wiki/Internet_Key_Exchange" title="Internet Key Exchange" class="mw-redirect">IKE</a> for key exchange, although other methods can be implemented. 
A preliminary SA is established with this protocol, after which fresh keying material is negotiated.</p> <p>ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as the IP layer services (e.g. header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.</p> <p>ISAKMP is distinct from <a href="http://en.wikipedia.org/wiki/Key-agreement_protocol" title="Key-agreement protocol">key exchange protocols</a> in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.</p> <p>ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using <a href="http://en.wikipedia.org/wiki/User_Datagram_Protocol" title="User Datagram Protocol">UDP</a> on port 500. 
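As an added example (not part of the Wikipedia text reproduced above and not code from any ISAKMP implementation), the following Python parses the fixed 28-byte ISAKMP header and walks the generic payload chain the way a receiver listening on UDP port 500 has to, rejecting any datagram whose length fields disagree with the bytes actually received. The cookie values, vendor ID string and SA body in the sample datagram are constructed for the demo; the exchange-type and payload-type codes are the ones RFC 2408 assigns.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator cookie (8), responder
# cookie (8), next payload (1), major/minor version nibbles (1), exchange type
# (1), flags (1), message ID (4), total length (4) = 28 bytes, network order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408 section 3.2): next payload (1), reserved (1),
# payload length including this 4-byte header (2).
PAYLOAD_HDR = struct.Struct("!BBH")

EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
FLAG_ENCRYPTION = 0x01  # E bit: everything after the header is encrypted


def parse_isakmp(datagram: bytes) -> dict:
    """Parse one ISAKMP datagram, raising ValueError on anything malformed."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, message_id, length) = ISAKMP_HDR.unpack_from(datagram)
    if icookie == bytes(8):
        raise ValueError("initiator cookie must be non-zero")
    if version >> 4 != 1:
        raise ValueError(f"unsupported ISAKMP major version {version >> 4}")
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")

    payloads = None
    if not flags & FLAG_ENCRYPTION:
        # Walk the self-describing payload chain. Every step is bounds-checked
        # against the header's length field, and a payload length below 4 is
        # refused so a zero length cannot make the loop spin forever.
        payloads = []
        offset = ISAKMP_HDR.size
        ptype = next_payload
        while ptype != 0:
            if offset + PAYLOAD_HDR.size > length:
                raise ValueError("payload header runs past end of datagram")
            next_ptype, _reserved, plen = PAYLOAD_HDR.unpack_from(datagram, offset)
            if plen < PAYLOAD_HDR.size or offset + plen > length:
                raise ValueError(f"bad payload length {plen} at offset {offset}")
            payloads.append((PAYLOAD_TYPES.get(ptype, f"unknown({ptype})"),
                             datagram[offset + PAYLOAD_HDR.size:offset + plen]))
            offset += plen
            ptype = next_ptype
        if offset != length:
            raise ValueError("trailing bytes after the last payload")

    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "version": (version >> 4, version & 0x0F),
        "exchange_type": EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": message_id,
        "payloads": payloads,
    }


def is_malformed(datagram: bytes) -> bool:
    """True when parse_isakmp rejects the datagram (useful for tests and log triage)."""
    try:
        parse_isakmp(datagram)
        return False
    except ValueError:
        return True


def build_isakmp(icookie, rcookie, exchange, payloads, flags=0, message_id=0):
    """Assemble a datagram from (payload type code, body) pairs; used for the sample."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, exchange, flags,
                           message_id, ISAKMP_HDR.size + len(body)) + body


# Constructed sample: the first message of an Identity Protection exchange.
# Cookie, SA body and vendor ID are made up for the demo, not captured traffic.
SAMPLE_MSG1 = build_isakmp(
    icookie=bytes.fromhex("0123456789abcdef"),
    rcookie=bytes(8),   # responder cookie is still zero in message 1
    exchange=2,         # Identity Protection
    payloads=[(1, bytes.fromhex("00000001" "00000001") + b"\x00" * 8),  # SA: DOI, situation, dummy bytes
              (13, b"constructed-vendor-id")],                          # VID
)

if __name__ == "__main__":
    info = parse_isakmp(SAMPLE_MSG1)
    print(info["exchange_type"], [name for name, _ in info["payloads"]])
    print("truncated datagram rejected:", is_malformed(SAMPLE_MSG1[:20]))
```

The point of the checks is that the first message of an exchange arrives unauthenticated and unencrypted, so the length fields inside it are attacker-controlled input: the header length must match the datagram, and each payload length must stay inside that header length, before any cryptographic processing starts.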
Additionally, UDP port 4500 must also be allowed at the destination if the source interface IP address undergoes network address translation from natural (assigned) IP address to a public IP address for connection to the internet.</p> <p><a name="Implementation" id="Implementation"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Implementation</span></h2> <p>The <a href="http://en.wikipedia.org/wiki/IPsec" title="IPsec">IPsec</a> Services Service in <a href="http://en.wikipedia.org/wiki/Microsoft_Windows" title="Microsoft Windows">Microsoft Windows</a> handles this functionality.</p> <p>The <a href="http://en.wikipedia.org/wiki/KAME_project" title="KAME project">KAME project</a> implements ISAKMP for <a href="http://en.wikipedia.org/wiki/Berkeley_Software_Distribution" title="Berkeley Software Distribution">BSD</a> and <a href="http://en.wikipedia.org/wiki/Linux" title="Linux">Linux</a> operating systems, and thus also for <a href="http://en.wikipedia.org/wiki/PfSense" title="PfSense">pfSense</a>. 
In legacy installations, the name of the application that implements ISAKMP is <b>racoon</b>.</p> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Oakley_protocol" title="Oakley protocol">Oakley protocol</a></li><li><a href="http://en.wikipedia.org/wiki/IPsec" title="IPsec">IPsec</a></li><li><a href="http://en.wikipedia.org/wiki/Internet_Key_Exchange" title="Internet Key Exchange" class="mw-redirect">IKE</a></li></ul> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://tools.ietf.org/html/rfc2408" class="external" title="http://tools.ietf.org/html/rfc2408">RFC 2408</a> — <i>Internet Security Association and Key Management Protocol</i></li><li><a href="http://tools.ietf.org/html/rfc2407" class="external" title="http://tools.ietf.org/html/rfc2407">RFC 2407</a> — <i>The Internet IP Security Domain of Interpretation for ISAKMP</i></li></ul>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com1tag:blogger.com,1999:blog-8266941125214387001.post-83318998955632699182008-09-30T00:55:00.000-07:002008-09-30T04:55:21.283-07:00Diffie-Hellman key exchange (D-H)<p><b>Diffie-Hellman key exchange</b> (<b>D-H</b>) is a <a href="http://en.wikipedia.org/wiki/Cryptographic_protocol" title="Cryptographic protocol">cryptographic protocol</a> that allows two parties that have no prior knowledge of each other to jointly establish a shared secret <a href="http://en.wikipedia.org/wiki/Key_%28cryptography%29" title="Key (cryptography)">key</a> over an insecure <a href="http://en.wikipedia.org/wiki/Communication" title="Communication">communications</a> channel. 
This key can then be used to encrypt subsequent communications using a <a href="http://en.wikipedia.org/wiki/Symmetric_key" title="Symmetric key" class="mw-redirect">symmetric key</a> <a href="http://en.wikipedia.org/wiki/Cipher" title="Cipher">cipher</a>.</p> <p>Synonyms of Diffie-Hellman key exchange include:</p> <ul><li><b>Diffie-Hellman key agreement</b></li><li><b>Diffie-Hellman key establishment</b></li><li><b>Diffie-Hellman key negotiation</b></li><li><b>Exponential key exchange</b></li></ul> <p>The scheme was first published publicly by <a href="http://en.wikipedia.org/wiki/Whitfield_Diffie" title="Whitfield Diffie">Whitfield Diffie</a> and <a href="http://en.wikipedia.org/wiki/Martin_Hellman" title="Martin Hellman">Martin Hellman</a> in <a href="http://en.wikipedia.org/wiki/1976" title="1976">1976</a>, although it later emerged that it had been separately invented a few years earlier within <a href="http://en.wikipedia.org/wiki/GCHQ" title="GCHQ" class="mw-redirect">GCHQ</a>, the British signals intelligence agency, by <a href="http://en.wikipedia.org/wiki/Malcolm_J._Williamson" title="Malcolm J. Williamson">Malcolm J. Williamson</a> but was kept classified. 
In <a href="http://en.wikipedia.org/wiki/2002" title="2002">2002</a>, Hellman suggested the algorithm be called <b>Diffie-Hellman-Merkle key exchange</b> in recognition of <a href="http://en.wikipedia.org/wiki/Ralph_Merkle" title="Ralph Merkle">Ralph Merkle</a>'s contribution to the invention of <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">public-key cryptography</a> (Hellman, 2002).</p> <p>Although Diffie-Hellman key agreement itself is an <i>anonymous</i> (non-<i>authenticated</i>) <a href="http://en.wikipedia.org/wiki/Key-agreement_protocol" title="Key-agreement protocol">key-agreement protocol</a>, it provides the basis for a variety of authenticated protocols, and is used to provide <a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy" title="Perfect forward secrecy">perfect forward secrecy</a> in <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" title="Transport Layer Security">Transport Layer Security</a>'s ephemeral modes.</p> 
<p><a name="History_of_the_protocol" id="History_of_the_protocol"></a></p> <h2><span class="editsection"></span><span class="mw-headline">History of the protocol</span></h2> <p>Diffie-Hellman key agreement was invented in <a href="http://en.wikipedia.org/wiki/1976" title="1976">1976</a> during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a <a href="http://en.wikipedia.org/wiki/Shared_secret" title="Shared secret">shared secret</a> over an unprotected communications channel. <a href="http://en.wikipedia.org/wiki/Ralph_Merkle" title="Ralph Merkle">Ralph Merkle</a>'s work on public key distribution was an influence. John Gill suggested application of the <a href="http://en.wikipedia.org/wiki/Discrete_logarithm" title="Discrete logarithm">discrete logarithm</a> problem. It had been discovered by <a href="http://en.wikipedia.org/wiki/Malcolm_J._Williamson" title="Malcolm J. 
Williamson">Malcolm Williamson</a> of <a href="http://en.wikipedia.org/wiki/GCHQ" title="GCHQ" class="mw-redirect">GCHQ</a> in the <a href="http://en.wikipedia.org/wiki/United_Kingdom" title="United Kingdom">UK</a> some years previously, but GCHQ chose not to make it public until <a href="http://en.wikipedia.org/wiki/1997" title="1997">1997</a>, by which time it had no influence on research in <a href="http://en.wikipedia.org/wiki/Academia" title="Academia">academia</a>.</p> <p>The method was followed shortly afterwards by <a href="http://en.wikipedia.org/wiki/RSA" title="RSA">RSA</a>, another implementation of public key cryptography using <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">asymmetric algorithms</a>.</p> <p>In <a href="http://en.wikipedia.org/wiki/2002" title="2002">2002</a>, Martin Hellman wrote:</p> <blockquote> <p>The system...has since become known as Diffie-Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie-Hellman-Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography. <a href="http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf" class="external autonumber" title="http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf" rel="nofollow">[1]</a></p> </blockquote> <p><span class="plainlinks"><a href="http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=4,200,770" class="external text" title="http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=4,200,770" rel="nofollow">U.S. 
Patent 4,200,770</a></span>, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors.</p> <p><a name="Description" id="Description"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Description</span></h2> <div class="center"> <div class="thumb tnone"> <div class="thumbinner" style="width: 402px;"><a href="http://en.wikipedia.org/wiki/Image:Diffie-Hellman-Schl%C3%BCsselaustausch.svg" class="image" title="Diffie-Hellman key exchange"><img alt="Diffie-Hellman key exchange" src="http://upload.wikimedia.org/wikipedia/commons/thumb/1/13/Diffie-Hellman-Schl%C3%BCsselaustausch.svg/400px-Diffie-Hellman-Schl%C3%BCsselaustausch.svg.png" class="thumbimage" width="400" border="0" height="220" /></a> <div class="thumbcaption"> Diffie-Hellman key exchange</div> </div> </div> </div> <p>The simplest, and original, implementation of the protocol uses the <a href="http://en.wikipedia.org/wiki/Multiplicative_group_of_integers_modulo_n" title="Multiplicative group of integers modulo n">multiplicative group of integers modulo</a> <i>p</i>, where <i>p</i> is <a href="http://en.wikipedia.org/wiki/Prime_number" title="Prime number">prime</a> and <i>g</i> is a <a href="http://en.wikipedia.org/wiki/Primitive_root_modulo_n" title="Primitive root modulo n">primitive root</a> mod <i>p</i>. 
Here is an example of the protocol:</p> <table border="0" cellpadding="2" cellspacing="0"> <tbody><tr> <td> <table class="wikitable"> <tbody><tr> <th colspan="3">Alice</th> </tr> <tr> <td style="font-size: 90%;" align="center" bgcolor="#d0d0d0">Sec</td> <td align="center" bgcolor="#d0d0d0"><br /></td> <td style="font-size: 90%;" align="center" bgcolor="#d0d0d0">Calc</td> </tr> <tr> <td align="center"><br /></td> <td align="center"><b>p, g</b></td> <td align="center"><br /></td> </tr> <tr> <td align="center"><b>a</b></td> <td align="center"><br /></td> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> <td align="center"><br /></td> <td align="center"><b>g<sup>a</sup></b> mod p</td> </tr> <tr> <td align="center"><br /></td> <td align="center">…</td> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> <td align="center">(<b>g<sup>b</sup></b> mod p)<b><sup>a</sup></b> mod p</td> <td align="center"><br /></td> </tr> </tbody></table> </td> <td valign="bottom"> <table border="0" cellpadding="5" cellspacing="1"> <tbody><tr> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> </tr> <tr> <td align="center"><b><img class="tex" alt="\rightarrow" src="http://upload.wikimedia.org/math/8/3/e/83e37b7246fdfcb99b2754210ebeae27.png" /></b></td> </tr> <tr> <td align="center"><b><img class="tex" alt="\leftarrow" src="http://upload.wikimedia.org/math/a/6/4/a6465c0244621c63e7e1e96eb55aad7a.png" /></b></td> </tr> <tr> <td align="center"><b>=</b></td> </tr> </tbody></table> </td> <td> <table class="wikitable"> <tbody><tr> <th colspan="3">Bob</th> </tr> <tr> <td style="font-size: 90%;" align="center" bgcolor="#d0d0d0">Calc</td> <td align="center" bgcolor="#d0d0d0"><br /></td> <td style="font-size: 90%;" align="center" bgcolor="#d0d0d0">Sec</td> </tr> <tr> <td align="center"><br /></td> <td 
align="center"><b>p, g</b></td> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> <td align="center"><br /></td> <td align="center"><b>b</b></td> </tr> <tr> <td align="center"><br /></td> <td align="center">…</td> <td align="center"><br /></td> </tr> <tr> <td align="center"><b>g<sup>b</sup></b> mod p</td> <td align="center"><br /></td> <td align="center"><br /></td> </tr> <tr> <td align="center"><br /></td> <td align="center">(<b>g<sup>a</sup></b> mod p)<b><sup>b</sup></b> mod p</td> <td align="center"><br /></td> </tr> </tbody></table> </td> <td> <ol><li><a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Alice and Bob</a> agree to use a prime number <i>p</i>=23 and base <i>g</i>=5.</li><li>Alice chooses a secret integer <i>a</i>=6, then sends Bob (<i>g<sup>a</sup></i> mod <i>p</i>) <ul><li>5<sup>6</sup> mod 23 = 8.</li></ul> </li><li>Bob chooses a secret integer <i>b</i>=15, then sends Alice (<i>g<sup>b</sup></i> mod <i>p</i>) <ul><li>5<sup>15</sup> mod 23 = 19.</li></ul> </li><li>Alice computes (<i>g<sup>b</sup></i> mod <i>p</i>)<i><sup>a</sup></i> mod <i>p</i> <ul><li>19<sup>6</sup> mod 23 = 2.</li></ul> </li><li>Bob computes (<i>g<sup>a</sup></i> mod <i>p</i>)<i><sup>b</sup></i> mod <i>p</i> <ul><li>8<sup>15</sup> mod 23 = 2.</li></ul> </li></ol> </td> </tr> </tbody></table> <p>Both Alice and Bob have arrived at the same value, because <i>g<sup>ab</sup></i> and <i>g<sup>ba</sup></i> are equal. Note that only <i>a</i>, <i>b</i> and <i>g<sup>ab</sup> = g<sup>ba</sup></i> are kept secret. All the other values -- <i>p</i>, <i>g</i>, <i>g<sup>a</sup> mod p</i>, and <i>g<sup>b</sup> mod p</i> -- are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. 
Of course, much larger values of <i>a</i>, <i>b</i>, and <i>p</i> would be needed to make this example secure, since it is easy to try all the possible values of <i>g<sup>ab</sup></i> mod 23 (there will be, at most, 22 such values, even if <i>a</i> and <i>b</i> are large). If <i>p</i> were a prime of at least 300 digits, and <i>a</i> and <i>b</i> were at least 100 digits long, then even the best algorithms known today could not find <i>a</i> given only <i>g</i>, <i>p</i>, and <i>g<sup>a</sup></i> mod <i>p</i>, even using all of mankind's computing power. The problem is known as the <a href="http://en.wikipedia.org/wiki/Discrete_logarithm_problem" title="Discrete logarithm problem" class="mw-redirect">discrete logarithm problem</a>. Note that <i>g</i> need not be large at all, and in practice is usually either 2 or 5.</p> <p>Here's a more general description of the protocol:</p> <ol><li>Alice and Bob agree on a finite <a href="http://en.wikipedia.org/wiki/Cyclic_group" title="Cyclic group">cyclic group</a> <i>G</i> and a <a href="http://en.wikipedia.org/wiki/Generating_set_of_a_group" title="Generating set of a group">generating</a> element <i>g</i> in <i>G</i>. (This is usually done long before the rest of the protocol; <i>g</i> is assumed to be known by all attackers.) We will write the group <i>G</i> multiplicatively.</li><li>Alice picks a random <a href="http://en.wikipedia.org/wiki/Natural_number" title="Natural number">natural number</a> <i>a</i> and sends <i>g<sup>a</sup></i> to Bob.</li><li>Bob picks a random natural number <i>b</i> and sends <i>g<sup>b</sup></i> to Alice.</li><li>Alice computes (<i>g<sup>b</sup></i>)<i><sup>a</sup></i>.</li><li>Bob computes (<i>g<sup>a</sup></i>)<i><sup>b</sup></i>.</li></ol> <p>Both Alice and Bob are now in possession of the group element <i>g<sup>ab</sup></i>, which can serve as the shared secret key. 
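As an added example (my code, not part of the article), here is the exchange just described in Python. It runs the page's toy numbers (p = 23, g = 5, a = 6, b = 15) and reproduces the transmitted values 8 and 19 and the shared secret 2, records exactly what an eavesdropper sees on the wire, hashes the shared group element into a fixed-length symmetric key (the page only says the secret can serve as an encryption key; the SHA-256 derivation is my choice), and shows why a 22-element group is unsafe by recovering a from g^a mod p with an exhaustive search. The names DHParty, run_exchange, derive_key and toy_discrete_log are mine.

```python
import hashlib
import secrets

# Public parameters taken from the worked example on the page: a toy group, not a secure one.
P_TOY, G_TOY = 23, 5


class DHParty:
    """One participant (Alice or Bob) in a Diffie-Hellman exchange in the integers mod p."""

    def __init__(self, p, g, private=None):
        self.p, self.g = p, g
        # Secret exponent: the page's value when supplied, otherwise drawn from the OS CSPRNG.
        # A predictable generator (e.g. random.random()) would hand Eve the exponent.
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1
        self.public = pow(g, self.private, p)  # g^a mod p, the only thing sent over the wire

    def shared_secret(self, peer_public):
        """Raise the peer's public value to our secret: (g^b)^a mod p == g^(ab) mod p."""
        # 0, 1 and p-1 would force the secret into {0, 1, p-1}; refuse them before exponentiating.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)


def derive_key(shared_secret, p, length=16):
    """Hash the group element into a fixed-size symmetric key (added practice, not prescribed by
    the page, which only says the shared secret can be used as an encryption key)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()[:length]


def run_exchange(p, g, a=None, b=None):
    """Run the protocol end to end and return each party's result plus the eavesdropper's view."""
    alice, bob = DHParty(p, g, a), DHParty(p, g, b)
    s_alice = alice.shared_secret(bob.public)   # (g^b)^a mod p
    s_bob = bob.shared_secret(alice.public)     # (g^a)^b mod p
    assert s_alice == s_bob                     # g^(ab) == g^(ba)
    return {
        "A": alice.public, "B": bob.public, "s": s_alice,
        "key": derive_key(s_alice, p),
        # Eve sees only the public parameters and the two transmitted values, never a, b or s.
        "eve_sees": {"p": p, "g": g, "A": alice.public, "B": bob.public},
    }


def toy_discrete_log(g, y, p):
    """Recover a from y = g^a mod p by trying every exponent. Feasible only because p is tiny,
    which is why the page says far larger a, b and p are needed for the example to be secure."""
    for a in range(1, p):
        if pow(g, a, p) == y:
            return a
    return None


if __name__ == "__main__":
    r = run_exchange(P_TOY, G_TOY, a=6, b=15)
    print("Alice sends", r["A"], "Bob sends", r["B"], "shared secret", r["s"])
    print("derived key", r["key"].hex())
    print("Eve's view:", r["eve_sees"])
    print("exhaustive search recovers a =", toy_discrete_log(G_TOY, r["A"], P_TOY))
```

The range check in shared_secret rejects the degenerate public values 0, 1 and p - 1; with a primitive root in a group this small an honest party can still hit p - 1 (a = 11 here), which is one more reason the toy parameters are for illustration only.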
The values of (<i>g<sup>b</sup></i>)<i><sup>a</sup></i> and (<i>g<sup>a</sup></i>)<i><sup>b</sup></i> are the same because groups are <a href="http://en.wikipedia.org/wiki/Power-associativity" title="Power-associativity" class="mw-redirect">power associative</a>. (See also <a href="http://en.wikipedia.org/wiki/Exponentiation" title="Exponentiation">exponentiation</a>.)</p> <p><a name="Chart" id="Chart"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Chart</span></h3> <p>Here is a chart to help simplify who knows what. (Eve is an <a href="http://en.wikipedia.org/wiki/Eavesdropper" title="Eavesdropper" class="mw-redirect">eavesdropper</a>—she watches what is sent between Alice and Bob, but she does not alter the contents of their communications.)</p> <p>Let s = shared secret key. s = 2</p> <p>Let a = Alice's private key. a = 6</p> <p>Let b = Bob's private key. b = 15</p> <p>Let g = public base. g=5</p> <p>Let p = public (prime) number. p = 23</p> <table border="0" cellpadding="2" cellspacing="0"> <tbody><tr> <td valign="top"> <table class="wikitable"> <tbody><tr> <th colspan="2">Alice</th> </tr> <tr> <td align="center">knows</td> <td align="center">doesn't know</td> </tr> <tr> <td>p = 23</td> <td>b = 15</td> </tr> <tr> <td>base g = 5</td> <td><br /></td> </tr> <tr> <td>a = 6</td> <td><br /></td> </tr> <tr> <td>5<sup>6</sup> mod 23 = 8</td> <td><br /></td> </tr> <tr> <td>5<sup>b</sup> mod 23 = 19</td> <td><br /></td> </tr> <tr> <td>19<sup>6</sup> mod 23 = 2</td> <td><br /></td> </tr> <tr> <td>8<sup>b</sup> mod 23 = 2</td> <td><br /></td> </tr> <tr> <td>19<sup>6</sup> mod 23 = 8<sup>b</sup> mod 23</td> <td><br /></td> </tr> <tr> <td>s = 2</td> <td><br /></td> </tr> </tbody></table> </td> <td valign="top"> <table class="wikitable"> <tbody><tr> <th colspan="2">Bob</th> </tr> <tr> <td align="center">knows</td> <td align="center">doesn't know</td> </tr> <tr> <td>p = 23</td> <td>a = 6</td> </tr> <tr> <td>base g = 5</td> <td><br /></td> </tr> <tr> 
<td>b = 15</td> <td><br /></td> </tr> <tr> <td>5<sup>15</sup> mod 23 = 19</td> <td><br /></td> </tr> <tr> <td>5<sup>a</sup> mod 23 = 8</td> <td><br /></td> </tr> <tr> <td>8<sup>15</sup> mod 23 = 2</td> <td><br /></td> </tr> <tr> <td>19<sup>a</sup> mod 23 = 2</td> <td><br /></td> </tr> <tr> <td>8<sup>15</sup> mod 23 = 19<sup>a</sup> mod 23</td> <td><br /></td> </tr> <tr> <td>s = 2</td> <td><br /></td> </tr> </tbody></table> </td> <td valign="top"> <table class="wikitable"> <tbody><tr> <th colspan="2">Eve</th> </tr> <tr> <td align="center">knows</td> <td align="center">doesn't know</td> </tr> <tr> <td>p = 23</td> <td>a = 6</td> </tr> <tr> <td>base g = 5</td> <td>b = 15</td> </tr> <tr> <td><br /></td> <td>s = 2</td> </tr> <tr> <td>5<sup>a</sup> mod 23 = 8</td> <td><br /></td> </tr> <tr> <td>5<sup>b</sup> mod 23 = 19</td> <td><br /></td> </tr> <tr> <td>19<sup>a</sup> mod 23 = s</td> <td><br /></td> </tr> <tr> <td>8<sup>b</sup> mod 23 = s</td> <td><br /></td> </tr> <tr> <td>19<sup>a</sup> mod 23 = 8<sup>b</sup> mod 23</td> <td><br /></td> </tr> </tbody></table> </td> </tr> </tbody></table> <p>Note: It must also be hard for Alice to recover Bob's private key <i>b</i> (and for Bob to recover <i>a</i>), even though each of them knows the shared secret and their own private key in addition to everything Eve sees. If that were easy, Eve would not need to break the exchange she observed: she could run her own exchange with Bob using a private / public key pair of her choosing, combine Bob's public value with her private key to obtain a shared secret with him, solve for <i>b</i> from that, and then use <i>b</i> together with Alice's public value to compute the shared secret Alice and Bob agreed on. Eve may even choose her key pair specifically to make solving for Bob's private key easy.</p> <p><a name="Security" id="Security"></a></p> <h2><span class="editsection"></span><span class="mw-headline">Security</span></h2> <p>The protocol is considered secure against eavesdroppers if <i>G</i> and <i>g</i> are chosen properly.
The eavesdropper ("<a href="http://en.wikipedia.org/wiki/Alice_and_Bob" title="Alice and Bob">Eve</a>") must solve the <a href="http://en.wikipedia.org/wiki/Diffie-Hellman_problem" title="Diffie-Hellman problem">Diffie-Hellman problem</a> to obtain <i>g</i><sup><i>ab</i></sup>. This is currently considered difficult. An efficient algorithm to solve the <a href="http://en.wikipedia.org/wiki/Discrete_logarithm_problem" title="Discrete logarithm problem" class="mw-redirect">discrete logarithm problem</a> would make it easy to compute <i>a</i> or <i>b</i> and solve the Diffie-Hellman problem, making this and many other public key cryptosystems insecure.</p> <p>The <a href="http://en.wikipedia.org/wiki/Glossary_of_group_theory" title="Glossary of group theory">order</a> of <i>G</i> should be prime or have a large prime factor to prevent use of the <a href="http://en.wikipedia.org/wiki/Pohlig-Hellman_algorithm" title="Pohlig-Hellman algorithm" class="mw-redirect">Pohlig-Hellman algorithm</a> to obtain <i>a</i> or <i>b</i>. For this reason, a <a href="http://en.wikipedia.org/wiki/Sophie_Germain_prime" title="Sophie Germain prime">Sophie Germain prime</a> <i>q</i> is sometimes used to calculate <i>p=2q+1</i>, called a <a href="http://en.wikipedia.org/wiki/Safe_prime" title="Safe prime">safe prime</a>, since the order of <i>G</i> is then only divisible by 2 and <i>q</i>. 
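As an added example (my code, not the article's), here is the safe-prime construction in Python together with the choices that usually accompany it: a generator of the order-q subgroup, a check that a received public value actually lies in that subgroup (so a peer cannot push the shared secret into the small order-2 subgroup), and a demonstration of why the subgroup generator is preferred over a primitive root. With a primitive root g, Euler's criterion on g^a mod p tells an observer whether a is even; with g in the order-q subgroup every g^a is a square and the criterion says nothing. The demonstration reuses the page's toy group, where 5 is a primitive root mod 23 and 5^2 = 2 generates the order-11 subgroup. Function names and the 128-bit size in the demo are mine; is_probable_prime is a standard Miller-Rabin test.

```python
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; witnesses come from the OS CSPRNG."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # found a witness to compositeness
    return True


def generate_safe_prime(bits):
    """Return (p, q): q a Sophie Germain prime, p = 2q + 1 a safe prime of the requested bit length."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits long
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def subgroup_generator(p, q):
    """A generator of the order-q subgroup of Z_p^*: square a random element (exponent (p-1)/q = 2)."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)
        if g != 1:
            return g


def is_valid_public_value(y, p, q):
    """Accept a received g^x only if it is in range and lies in the order-q subgroup (y^q == 1)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def is_quadratic_residue(y, p):
    """Euler's criterion: y^((p-1)/2) == 1 mod p exactly when y is a square mod p (Legendre symbol +1)."""
    return pow(y, (p - 1) // 2, p) == 1


def guess_parity_from_public(y, p):
    """An observer's guess of the low-order bit of a from g^a alone: squares look like even exponents."""
    return 0 if is_quadratic_residue(y, p) else 1


def parity_guess_accuracy(g, p, exponents):
    """Fraction of the given secret exponents whose parity the Legendre guess gets right."""
    hits = sum(guess_parity_from_public(pow(g, a, p), p) == a % 2 for a in exponents)
    return hits / len(exponents)


if __name__ == "__main__":
    p, q = generate_safe_prime(128)   # demo size only; real deployments use far larger p
    g = subgroup_generator(p, q)
    print(f"p = {p}\nq = {q}\ng = {g}, g^q mod p = {pow(g, q, p)}")
    exps = range(1, 22)
    print("parity leak with primitive root 5 mod 23:", parity_guess_accuracy(5, 23, exps))
    print("parity leak with subgroup generator 2 mod 23:", parity_guess_accuracy(2, 23, exps))
    print("p-1 accepted as a public value?", is_valid_public_value(22, 23, 11))
```

The accuracy figures make the point concretely: with the primitive root the guess is right for every exponent, with the subgroup generator it is right only as often as a is even. The subgroup membership test costs one modular exponentiation per received value and is the check that peers should apply before using a public value.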
<i>g</i> is then sometimes chosen to generate the order <i>q</i> subgroup of <i>G</i>, rather than <i>G</i>, so that the <a href="http://en.wikipedia.org/wiki/Legendre_symbol" title="Legendre symbol">Legendre symbol</a> of <i>g<sup>a</sup></i> never reveals the low order bit of <i>a</i>.</p> <p>If Alice and Bob use <a href="http://en.wikipedia.org/wiki/Random_number_generator" title="Random number generator" class="mw-redirect">random number generators</a> whose outputs are not completely random and can be predicted to some extent, then Eve's task is much easier.</p> <p>The secret integers <i>a</i> and <i>b</i> are discarded at the end of the <a href="http://en.wikipedia.org/wiki/Session_%28computer_science%29" title="Session (computer science)">session</a>. Therefore, Diffie-Hellman key exchange by itself trivially achieves <a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy" title="Perfect forward secrecy">perfect forward secrecy</a> because no long-term private keying material exists to be disclosed.</p> <p><a name="Authentication" id="Authentication"></a></p> <h3><span class="editsection"></span><span class="mw-headline">Authentication</span></h3> <p>In the original description, the Diffie-Hellman exchange by itself does not provide <a href="http://en.wikipedia.org/wiki/Authentication" title="Authentication">authentication</a> of the communicating parties and is thus vulnerable to a <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" title="Man-in-the-middle attack">man-in-the-middle attack</a>. A person in the middle may establish two distinct Diffie-Hellman key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and read or store) then re-encrypt the messages passed between them. 
A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack.</p> <p>A variety of cryptographic authentication solutions incorporate a Diffie-Hellman exchange. When Alice and Bob have a <a href="http://en.wikipedia.org/wiki/Public_key_infrastructure" title="Public key infrastructure">public key infrastructure</a>, they may digitally sign the agreed key, or <i>g</i><sup><i>a</i></sup> and <i>g</i><sup><i>b</i></sup>, as in <a href="http://en.wikipedia.org/wiki/MQV" title="MQV">MQV</a>, <a href="http://en.wikipedia.org/wiki/Station-to-Station_protocol" title="Station-to-Station protocol">STS</a> and the <a href="http://en.wikipedia.org/wiki/Internet_key_exchange" title="Internet key exchange">IKE</a> component of the <a href="http://en.wikipedia.org/wiki/IPsec" title="IPsec">IPsec</a> protocol suite for securing <a href="http://en.wikipedia.org/wiki/Internet_Protocol" title="Internet Protocol">Internet Protocol</a> communications. When Alice and Bob share a password, they may use a <a href="http://en.wikipedia.org/wiki/Password-authenticated_key_agreement" title="Password-authenticated key agreement">password-authenticated key agreement</a> form of Diffie-Hellman.</p> <p><a name="References" id="References"></a></p> <h2><span class="editsection"></span><span class="mw-headline">References</span></h2> <ul><li><a href="http://www.mirrors.wiretapped.net/security/info/reference/cesg-publications/History/secenc.pdf" class="external text" title="http://www.mirrors.wiretapped.net/security/info/reference/cesg-publications/History/secenc.pdf" rel="nofollow">Non-Secret Encryption Using a Finite Field</a> MJ Williamson, <a href="http://en.wikipedia.org/wiki/January_21" title="January 21">January 21</a>, <a href="http://en.wikipedia.org/wiki/1974" title="1974">1974</a>.</li><li><a href="http://www.fi.muni.cz/usr/matyas/lecture/paper3.pdf" class="external text" title="http://www.fi.muni.cz/usr/matyas/lecture/paper3.pdf" 
rel="nofollow">Thoughts on Cheaper Non-Secret Encryption</a> MJ Williamson, <a href="http://en.wikipedia.org/wiki/August_10" title="August 10">August 10</a>, <a href="http://en.wikipedia.org/wiki/1976" title="1976">1976</a>.</li><li><a href="http://citeseer.ist.psu.edu/340126.html" class="external text" title="http://citeseer.ist.psu.edu/340126.html" rel="nofollow">New Directions in Cryptography</a> W. Diffie and M. E. Hellman, IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644-654.</li><li><span class="plainlinks"><a href="http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=4200770" class="external text" title="http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=4200770" rel="nofollow">Cryptographic apparatus and method</a></span><span class="PDFlink noprint"><a href="http://www.pat2pdf.org/pat2pdf/foo.pl?number=4200770" class="external text" title="http://www.pat2pdf.org/pat2pdf/foo.pl?number=4200770" rel="nofollow"> </a></span> Martin E. Hellman, Bailey W. Diffie, and Ralph C. Merkle, U.S. Patent #4,200,770, <a href="http://en.wikipedia.org/wiki/April_29" title="April 29">29 April</a> <a href="http://en.wikipedia.org/wiki/1980" title="1980">1980</a></li><li><a href="http://www.cesg.gov.uk/site/publications/media/ellis.pdf" class="external text" title="http://www.cesg.gov.uk/site/publications/media/ellis.pdf" rel="nofollow">The History of Non-Secret Encryption</a> <a href="http://en.wikipedia.org/wiki/James_H._Ellis" title="James H. Ellis">JH Ellis</a> <a href="http://en.wikipedia.org/wiki/1987" title="1987">1987</a> (28K PDF file) (<a href="http://www.jya.com/ellisdoc.htm" class="external text" title="http://www.jya.com/ellisdoc.htm" rel="nofollow">HTML version</a>)</li><li><a href="http://cr.yp.to/bib/1988/diffie.pdf" class="external text" title="http://cr.yp.to/bib/1988/diffie.pdf" rel="nofollow">The First Ten Years of Public-Key Cryptography</a> Whitfield Diffie, Proceedings of the IEEE, vol. 76, no. 
5, May 1988, pp: 560-577 (1.9MB PDF file)</li><li><a href="http://en.wikipedia.org/wiki/Alfred_Menezes" title="Alfred Menezes">Menezes, Alfred</a>; <a href="http://en.wikipedia.org/wiki/Paul_van_Oorschot" title="Paul van Oorschot">van Oorschot, Paul</a>; <a href="http://en.wikipedia.org/wiki/Scott_Vanstone" title="Scott Vanstone">Vanstone, Scott</a> (1997). <i><a href="http://en.wikipedia.org/w/index.php?title=Handbook_of_Applied_Cryptography&action=edit&redlink=1" class="new" title="Handbook of Applied Cryptography (page does not exist)">Handbook of Applied Cryptography</a></i> Boca Raton, Florida: CRC Press. <a href="http://en.wikipedia.org/wiki/Special:BookSources/0849385237" class="internal">ISBN 0-8493-8523-7</a>. (<a href="http://www.cacr.math.uwaterloo.ca/hac/" class="external text" title="http://www.cacr.math.uwaterloo.ca/hac/" rel="nofollow">Available online</a>)</li><li><a href="http://en.wikipedia.org/wiki/Simon_Singh" title="Simon Singh">Singh, Simon</a> (1999) <i><a href="http://en.wikipedia.org/wiki/The_Code_Book" title="The Code Book">The Code Book</a>: the evolution of secrecy from Mary Queen of Scots to quantum cryptography</i> New York: Doubleday <a href="http://en.wikipedia.org/wiki/Special:BookSources/0385495315" class="internal">ISBN 0-385-49531-5</a></li><li><a href="http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf" class="external text" title="http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf" rel="nofollow">An Overview of Public Key Cryptography</a> Martin E. Hellman, IEEE Communications Magazine, May 2002, pp:42-49. 
(123kB PDF file)</li></ul> <p><a name="See_also" id="See_also"></a></p> <h2><span class="editsection"></span><span class="mw-headline">See also</span></h2> <ul><li><a href="http://en.wikipedia.org/wiki/Portal:Cryptography" title="Portal:Cryptography">Cryptography portal</a></li><li><a href="http://en.wikipedia.org/wiki/Elliptic_Curve_Diffie-Hellman" title="Elliptic Curve Diffie-Hellman">Elliptic Curve Diffie-Hellman</a></li><li><a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="Public-key cryptography">Public-key cryptography</a></li><li><a href="http://en.wikipedia.org/wiki/ElGamal_encryption" title="ElGamal encryption">ElGamal encryption</a></li><li><a href="http://en.wikipedia.org/wiki/Diffie-Hellman_problem" title="Diffie-Hellman problem">Diffie-Hellman problem</a></li><li><a href="http://en.wikipedia.org/wiki/MQV" title="MQV">MQV</a></li><li><a href="http://en.wikipedia.org/wiki/Password-authenticated_key_agreement" title="Password-authenticated key agreement">Password-authenticated key agreement</a></li></ul> <p><a name="External_links" id="External_links"></a></p> <h2><span class="editsection"></span><span class="mw-headline">External links</span></h2> <ul><li><a href="http://tools.ietf.org/html/rfc2631" class="external" title="http://tools.ietf.org/html/rfc2631">RFC 2631</a> - <i>Diffie-Hellman Key Agreement Method</i> E. 
Rescorla June 1999.</li><li><a href="http://csrc.nist.gov/encryption/kms/summary-x9-42.pdf" class="external text" title="http://csrc.nist.gov/encryption/kms/summary-x9-42.pdf" rel="nofollow"><i>Summary of ANSI X9.42: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography</i></a> (64K PDF file) (<a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2306" class="external text" title="http://www.rsasecurity.com/rsalabs/node.asp?id=2306" rel="nofollow">Description of ANSI 9 Standards</a>)</li><li><a href="http://www.xml-dev.com/blog/index.php?action=viewtopic&id=196" class="external text" title="http://www.xml-dev.com/blog/index.php?action=viewtopic&id=196" rel="nofollow">Diffie-Hellman explained visually</a></li><li><a href="http://www.netip.com/articles/keith/diffie-helman.htm" class="external text" title="http://www.netip.com/articles/keith/diffie-helman.htm" rel="nofollow">Diffie-Hellman Key Exchange – A Non-Mathematician’s Explanation</a> by Keith Palmgren</li><li><a href="http://search.cpan.org/search?query=Crypt%3A%3ADH&mode=module" class="external text" title="http://search.cpan.org/search?query=Crypt%3A%3ADH&mode=module" rel="nofollow">Crypt::DH</a> <a href="http://en.wikipedia.org/wiki/Perl" title="Perl">Perl</a> module from <a href="http://en.wikipedia.org/wiki/CPAN" title="CPAN">CPAN</a></li><li><a href="http://ds9a.nl/tmp/dh.html" class="external text" title="http://ds9a.nl/tmp/dh.html" rel="nofollow">Hands-on Diffie-Hellman demonstration</a></li><li><a href="http://oldpiewiki.yoonkn.com/cgi-bin/moin.cgi/DiffieHellmanKeyExchange" class="external text" title="http://oldpiewiki.yoonkn.com/cgi-bin/moin.cgi/DiffieHellmanKeyExchange" rel="nofollow">C implementation using GNU Multiple Precision Arithmetic Library</a></li></ul>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com0tag:blogger.com,1999:blog-8266941125214387001.post-88273068540180409662008-09-30T00:45:00.000-07:002008-09-30T00:48:43.192-07:00Wardriving<p><b>Wardriving</b> is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer or PDA.</p> <p>Software for wardriving is freely available on the Internet, notably <span class="mw-redirect"><br /></span></p><p><span style="font-weight: bold;" class="mw-redirect">NetStumbler</span> for Windows, </p><p><span style="font-weight: bold;">Kismet</span> or <span style="font-weight: bold;" class="new">SWScanner</span> for Linux, FreeBSD, NetBSD, OpenBSD, DragonFly BSD, and Solaris, and <span style="font-weight: bold;" class="mw-redirect">KisMac</span> for <span class="mw-redirect">Macintosh</span>.<br /></p><p>There are also homebrew wardriving applications for handheld game consoles that support <span class="mw-redirect">Wi-fi</span>, such as <span style="font-weight: bold;">sniff_jazzbox</span> 
for the Nintendo DS, <span style="font-weight: bold;">Road Dog</span> for the Sony PSP and <span style="font-weight: bold;">Stumbler</span> for the iPhone. There is also a mode within Metal Gear Solid: Portable Ops for the Sony PSP (in which the player finds new comrades by searching for wireless access points) that can be used to wardrive.</p>vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com0tag:blogger.com,1999:blog-8266941125214387001.post-10259030467531754872008-09-30T00:40:00.000-07:002008-09-30T00:45:30.192-07:00Hii to Everyone....This is the ADMIN Speaking !!!!..<br /><br />Welcome freeks n Geeks....<br /><br />Tiz Plaze is all goin 2 become Hack n Packs... Tat meanz we will discuss<br />Stuff related to HAckz...Right...<br />n We need ur support... I Hope u'll cooperate...<br /><br />So Enjoy !!!<br /><br />N HaPpY SuRfInG !!!!<br /><br />Regards<br /><br />AdMin..vineethv2http://www.blogger.com/profile/10203333517491088500noreply@blogger.com0