Source: ittoday.info/aims/dsm/87-20-05.pdf

04/98

87-20-05

DATA SECURITY MANAGEMENT

INTRODUCTION TO ENCRYPTION TECHNOLOGY

Ronald A. Gove

INSIDE

Historical Notes, Basics of Modern Cryptography, Stream Ciphers, Block Ciphers, Cryptanalysis, Key Management, Public Key Cryptography

INTRODUCTION

This article presents an overview of some of the basic ideas underlying encryption technology. It begins by defining some basic terms. The historical notes that follow will help provide an understanding of the long tradition of encryption or secret writing. The article then explores modern cryptography and discusses some of the underlying mathematical and technological concepts behind private and public key encryption systems such as DES and RSA. It provides extensive discussion of conventional private key encryption prior to introducing the concept of public key cryptography. This is done for both historical reasons (private key did come first) and technical reasons (public key is really a partial solution to the key management problem).

PAYOFF IDEA

Encryption is intrinsic to security in the networked world. An understanding of encryption technologies will assist the security professional in understanding and implementing solutions to security concerns in distributed systems.

Auerbach Publications © 1998 CRC Press LLC

Some Basic Definitions

This discussion cannot begin without defining some terms that will be used throughout the article. The first is encryption. In simplest terms, encryption is the process of making information unreadable by unauthorized persons. The process may be manual, mechanical, or electronic, and the core of this article describes the many ways that the encryption process takes place. Encryption is to be distinguished from message hiding. Invisible inks, micro-dots, and the like are the stuff of spy novels and are used in the trade; however, this article will not discuss these techniques for hiding information. Exhibit 1 shows a conceptual version of an encryption system. It consists of a sender and a receiver, a message (called the plain text), the encrypted message (called the cipher text), and an item called a key. The encryption process, which transforms the plain text into the cipher text, may be thought of as a black box. It takes inputs (the plain text and key) and produces output (the cipher text). The messages may be handwritten characters, electromechanical representations as in a teletype, strings of 1s and 0s as in a computer or computer network, or even analog speech. The black box will be provided with whatever input/output devices it needs to operate; the insides, or cryptographic algorithm, will operate independently of the external representation of the information.

The key, which is more properly called the cryptovariable, is used to select a specific instance of the encryption process embodied in the machine. Cryptovariables (keys) will be discussed in more detail in later sections. At this point, it is enough to think of it as a way to make the same black box produce different cipher texts from the same plain text. In typical operation, a key is inserted prior to encrypting a message and the same key is used for some period of time. This period of time is known as a cryptoperiod. For reasons associated with cryptanalysis, the key should be changed on a regular basis. The most important fact about the key is that it embodies the security of the encryption system. This means the system is designed so that complete knowledge of all system details, including specific plain and cipher text messages, is not sufficient to derive the cryptovariable.

It is important that the system is designed in this fashion because the encryption process itself is seldom secret. The details of the Data Encryption Standard (DES), for example, are widely published so that anyone may implement a DES-compliant system. In order to provide the intended secrecy in the cipher text, there has to be some piece of information that is not available to those not authorized to receive the message; this piece of information is the cryptovariable or key.

EXHIBIT 1 — Conceptual Version of an Encryption System

Inside the black box is an implementation of an algorithm that performs the encryption. Exactly how the algorithm works is the main topic of this article and the details depend on the technology used for the message.

Cryptography is the study of the means to perform encryption. Thus, cryptographers design encryption systems. Cryptanalysis is the process of figuring out the message without knowledge of the key, or more generally, figuring out which key was used to encrypt an entire series of messages.

SOME HISTORICAL NOTES

The first evidence of cryptography occurred over 4,000 years ago in Egypt. Almost as soon as writing was invented, secret writing developed. In India, the ancients’ version of Dr. Ruth’s Guide to Good Sex, the Kama-Sutra, places secret writing as 45th in a list of arts women should know. The Arabs in the 7th century A.D. were the first to write down methods of cryptanalysis. Historians have discovered a text dated about 855 A.D. that describes cipher alphabets for use in magic.

One of the more well known of the ancient methods of encryption is the Caesar Cipher, so called because it was used by Julius Caesar. The algorithm is a simple alphabetic substitution. Each plain text letter is replaced by the letter 3 letters away to the right, i.e., the letter A is replaced by D, B by E, and so forth (see Exhibit 2).

Caesar’s cipher is a form of monoalphabetic substitution. Although Caesar always used an offset of 3, in principle, one can use any offset from 1 to 25. (An offset of 26 is the original alphabet.) The offset is in fact the key or cryptovariable for this simplest of all monoalphabetic substitutions. All such ciphers with any offset are now called Caesar Ciphers.

There are many ways to produce alphabetic substitution ciphers. In fact, there are 26! (26 factorial, or 26 × 25 × 24 × … × 2 × 1) ways to arrange the 26 letters of the alphabet. All but one of these yields a nonstandard alphabet. A more complicated substitution can be made by using a different alphabet for each letter according to some well-defined rule. Such ciphers are called polyalphabetic substitutions.

Cryptography underwent many changes during the centuries, often following closely with advances in technology. When man wrote by hand only, encryption was purely manual. After the invention of the printing press, various mechanical devices appeared, such as Leon Battista Alberti’s cipher disk in Italy. In the 18th century, Thomas Jefferson invented a ciphering device consisting of a stack of 26 disks, each containing the alphabet around the face of the edge. Each disk had the letters arranged in a different order. A positioning bar was attached that allowed the user to align the letters along a row. To use the device, one spelled out the message by moving each disk so that the proper letter lay along the alignment bar. The bar was then rotated a fixed amount (the “key” or “cryptovariable”) for that message and the letters appearing along the new position of the bar were copied off as the cipher text. The receiver could then position the cipher text letters on the “wheel” and rotate the cylinder until the plain text message appeared.

EXHIBIT 2 — Caesar Cipher

Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Plain text:  Omnia Gallia est divisa in partes tres …

Cipher text: RPQLD JDOOLD HVW GLYLVD LQ SDUWHV WUHV …
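The Caesar cipher with the offset treated as the cryptovariable, as an added example (not code from the article). It reproduces Exhibit 2 and shows why a 25-entry key space gives no security: an exhaustive trial that merely recognizes plain text (here, by a known word, a "crib") recovers the offset at once. The crib and the recognition rule are this example's own assumptions.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plain_text, offset):
    """Replace each letter by the letter `offset` places to its right, wrapping Z to A.

    The offset is the key: 1..25 give distinct substitution alphabets and 26 is
    the identity, exactly as the article describes.
    """
    if not 1 <= offset <= 25:
        raise ValueError("offset must be between 1 and 25")
    out = []
    for ch in plain_text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + offset) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def caesar_decrypt(cipher_text, offset):
    """Shifting left by `offset` is the same as shifting right by 26 - offset."""
    return caesar_encrypt(cipher_text, 26 - offset)


def brute_force(cipher_text, crib):
    """Try every offset and return those whose decryption contains the crib word.

    This is the exhaustive attack of the cryptanalysis section in miniature:
    it works whenever the plain text is recognizable after decryption.
    """
    crib = crib.upper()
    return [offset for offset in range(1, 26)
            if crib in caesar_decrypt(cipher_text, offset)]


if __name__ == "__main__":
    ct = caesar_encrypt("Omnia Gallia est divisa in partes tres", 3)
    print(ct)                          # Exhibit 2's cipher text
    print(brute_force(ct, "est"))      # the single offset that yields the crib
```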

By World War II, very complex electromechanical devices were in use by the allied and axis forces. The need for a full-time, professional cryptographic force was recognized during and after World War II, and led to the formation of the National Security Agency by Presidential memorandum signed by Truman.

Cryptography was virtually unknown outside of diplomatic and military circles until the mid-1970s. During this period, as the use of computers, particularly by financial institutions, became more widespread, the need arose for a “public” (nonmilitary or diplomatic) cryptographic system. In 1973, the National Bureau of Standards (now the National Institute of Standards and Technology) issued a request for proposals for a standard cryptographic algorithm. They received no suitable response at that time and reissued the request in 1974. IBM responded to this request with their Lucifer system, which they had been developing for their own use. This algorithm was evaluated with the help of the NSA and eventually was adopted as the Data Encryption Standard (DES) in 1976.

The controversy surrounding the selection of DES stimulated academic interest in cryptography and cryptanalysis. This interest led to the discovery of many cryptanalytic techniques and eventually to the concept of public key cryptography. Public key cryptography is a technique that uses distinct keys for encryption and decryption, only one of which need be secret. This technique will be discussed later in this article; it is more understandable once one has a firm understanding of conventional cryptography.

The 20 years since the announcement of DES and the discovery of public key cryptography have seen advances in computer technology and networking that were not even imaginable in 1975. The Internet has created an unprecedented demand for instantaneous information exchange in the military, government, and most importantly, private sectors. The United States’ economic base, government functions, and military effectiveness are more dependent on automated information systems than any country in the world. However, the very technology that created this dependence is its greatest weakness: the infrastructure is fundamentally vulnerable to attacks from individuals, groups, or nation-states that can easily deny service or compromise the integrity of information. Effective cryptography provides a partial solution to this problem.

THE BASICS OF MODERN CRYPTOGRAPHY

Because virtually all of modern cryptography is based on the use of digital computers and digital algorithms, this section begins with a brief introduction to digital technology and binary arithmetic. All information in a computer is reduced to a representation as 1s and 0s (or the “on” and “off” state of an electronic switch). All of the operations within the computer can be reduced to logical OR, EXCLUSIVE OR, and AND. Arithmetic in the computer (called binary arithmetic) obeys the following rules (represented by “addition” and “multiplication” tables):

⊕ | 0 | 1        ⊗ | 0 | 1
--+---+---       --+---+---
0 | 0 | 1        0 | 0 | 0
1 | 1 | 0        1 | 0 | 1

The symbol ⊕ is called modulo 2 addition and ⊗ is called modulo 2 multiplication. If ‘1’ represents a truth value of TRUE and ‘0’ represents FALSE, then ⊕ is equivalent to exclusive OR in logic (XOR) and ⊗ is equivalent to AND. For example, A XOR B is true only if A or B is TRUE but not both. Likewise, A AND B is true only when both A and B are TRUE.

All messages, both plain text and cipher text, may be represented by strings of 1s and 0s. Because the actual method used to digitize the message is not relevant to an understanding of cryptography, the details will not be discussed here.

There are two main classes of algorithms:

• Stream Ciphers — operate on essentially continuous streams of plain text represented as 1s and 0s.

• Block Ciphers — operate on blocks of plain text of fixed size.

These two divisions overlap because a block cipher may be operated as a stream cipher. Generally speaking, stream ciphers tend to be implemented more in hardware devices while block ciphers are more suited to implementation in software to execute on a general purpose computer. Again, these guidelines are not absolute and there are a variety of reasons for choosing one method over another.

Stream Ciphers

Exhibit 3 illustrates a simple stream cipher. Here, the plain text is represented by a sequence of 1s and 0s. (The binary streams are to be read from right to left. That is, the rightmost bit is the first bit in the sequence.) A keystream generator produces a “random” stream of 1s and 0s that are added modulo 2, bit by bit, to the plain text stream to produce the cipher text stream.

The cryptovariable (key) is shown as entering the keystream generator. The nature of these keys will be explained later.

There are many different mechanisms within the keystream generator. In general, the internal operation consists of a finite state machine and a complex function. The finite state machine consists of a system state and a function (called the next state function) that causes the system to change state.

The complex function operates on the system state to produce the keystream. Exhibit 3 shows the encryption operation. The decryption operation is equivalent; the roles of plain text and cipher text can be exchanged. This works because of the following relationships in modulo two addition. Letting p represent a plain text bit, k a keystream bit, and c the cipher text bit,

c = p ⊕ k

so,

c ⊕ k = p ⊕ k ⊕ k = p

because in binary arithmetic x ⊕ x is always 0 (1 ⊕ 1 = 0 ⊕ 0 = 0).

EXHIBIT 3 — Stream Ciphers

Plain Text    1 0 1 1 0 1 1 0 0
              ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕
Keystream     1 1 0 1 0 0 0 1 1
              -----------------
Cipher Text   0 1 1 0 0 1 1 1 1

These concepts are best understood with examples. Exhibit 4 shows a simple linear feedback shift register (LFSR). An LFSR underlies many stream ciphers. In this example, the state is represented by the 4-stage register (shown here filled with 1s). During operation, at each tick of the internal clock, the 4 bits shift to the right, the rightmost bit is dropped, and the last 2 bits (before the shift) are added (mod 2) and placed in the leftmost stage. In general, an LFSR may be of any length, n, and any of the individual stages may be selected for summing and insertion into the leftmost stage. The only constraint is that the rightmost bit should always be selected for the feedback sum. Otherwise, the length is really n – 1, not n. The exhibit shows the sequence of system states obtained from the initial value of 1111. In some systems, the initial value of the register is part of the cryptovariable.

If the sequence began with 0000, all subsequent states would be 0000. This would not be good for cryptographic applications because the output would be constant; therefore, this state is avoided. This four-stage register steps through 15 = 2^4 – 1 distinct states before repeating. Not all configurations of feedback will produce a maximal sequence. If the stages in Exhibit 4 are numbered from left to right as 1, 2, 3, 4, and instead of feeding back the sum of stages 3 and 4, stages 2 and 4 are selected, a very different sequence would occur. This example would produce 2 sequences (called cycles) of length 6, one cycle of length 3, and 1 of length 0. For example, starting with 1111 as before will yield:

1111 → 0111 → 0011 → 1001 → 1100 → 1110 → 1111
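The LFSR of Exhibit 4 and the XOR stream cipher of Exhibit 3, as an added example (not code from the article). It steps the 4-stage register with the article's conventions (stages numbered 1..n left to right, shift right, feedback enters at the left), compares the maximal-length taps (3, 4) with the poor choice (2, 4) by listing the cycles each splits the state space into, and uses the rightmost stage as keystream. The all-zero state maps to itself, so it appears as a cycle of length 1. The bit strings and the choice of output stage are this example's own assumptions.

```python
def lfsr_step(state, taps):
    """One clock tick. `state` is a tuple of bits with stage 1 first.

    `taps` are 1-based stage numbers whose mod-2 sum is inserted at the
    left; the old rightmost bit falls off the right end.
    """
    feedback = 0
    for t in taps:
        feedback ^= state[t - 1]
    return (feedback,) + state[:-1]


def lfsr_states(initial, taps):
    """States visited from `initial` until the register returns to a seen state."""
    if len(initial) not in taps:
        # The article's constraint: the rightmost stage must be tapped,
        # otherwise the register is effectively one stage shorter and the
        # next-state map is not a permutation (states would have tails).
        raise ValueError("rightmost stage must be part of the feedback sum")
    seen = []
    state = tuple(initial)
    while state not in seen:
        seen.append(state)
        state = lfsr_step(state, taps)
    return seen


def cycle_lengths(n, taps):
    """Partition all 2^n states of an n-stage register into cycles, longest first.

    A maximal configuration gives one cycle of 2^n - 1 states plus the
    all-zero fixed point; a poor tap choice breaks the space into short
    cycles, i.e. a keystream that repeats early.
    """
    unvisited = {tuple((v >> (n - 1 - i)) & 1 for i in range(n))
                 for v in range(2 ** n)}
    lengths = []
    while unvisited:
        cycle = lfsr_states(min(unvisited), taps)
        lengths.append(len(cycle))
        unvisited -= set(cycle)
    return sorted(lengths, reverse=True)


def keystream(initial, taps, nbits):
    """Read the rightmost stage on each tick to produce `nbits` keystream bits."""
    state = tuple(initial)
    out = []
    for _ in range(nbits):
        out.append(state[-1])
        state = lfsr_step(state, taps)
    return out


def xor_stream(bits, key_bits):
    """c = p (+) k, bit by bit; applying it again with the same keystream decrypts.

    The operation is positional, so the reading direction of Exhibit 3
    (right to left) does not change the result.
    """
    if len(bits) != len(key_bits):
        raise ValueError("keystream must be as long as the message")
    return [p ^ k for p, k in zip(bits, key_bits)]


def stream_encrypt(bits, initial, taps):
    """Encrypt (or decrypt) a bit list with keystream from the LFSR."""
    return xor_stream(bits, keystream(initial, taps, len(bits)))


if __name__ == "__main__":
    print(cycle_lengths(4, (3, 4)))   # maximal: [15, 1]
    print(cycle_lengths(4, (2, 4)))   # poor taps: [6, 6, 3, 1]
    plain = [1, 0, 1, 1, 0, 1, 1, 0, 0]          # Exhibit 3, constructed
    print(stream_encrypt(plain, (1, 1, 1, 1), (3, 4)))
```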

EXHIBIT 4 — Simple LFSR

To avoid repeating the keystream, it is important to have as many states as possible produced by the internal state machine of the keystream generator. Once the keystream begins to repeat, the same plain text will produce the same cipher text. This is a cryptographic weakness that should be avoided. Although a single stage of the LFSR could be selected and used as the keystream, this is not a good idea. The reason is that the linearity of the sequence of stages allows a simple cryptanalysis. This can be avoided by introducing more complexity into the system. The objective is to produce a keystream that looks completely random and that will pass as many tests of statistical randomness as one cares to apply. Knowledge of the algorithm and a sequence of successive keystream bits does not allow the next bit in the sequence to be predicted. The complexity can often be introduced by using some nonlinear polynomial f(a_1, a_2, …, a_m) of a selection of the individual stages of the LFSR. Nonlinear means that some of the terms are multiplied together, such as a_1a_2 + a_3a_4 + … + a_{m–1}a_m. The selection of which register stages are associated with which inputs to the polynomial can be part of the cryptovariable (key). Another technique for introducing complexity is to use multiple LFSRs and select output alternately from each based on some pseudorandom process. For example, one might have three LFSRs and create the keystream by selecting bits from one of two of them, based on the output of the third.

Some of the features that a cryptographer will design into the algorithm for a stream cipher are:

1. Long periods without a repetition
2. Functional complexity — each keystream bit should depend on most or all of the cryptovariable
3. Statistically unpredictable — given n successive bits from the keystream, it is not possible to predict the (n + 1)st bit with a probability different from 1/2
4. Statistically unbiased keystream — there should be as many 0s as 1s
5. The keystream should not be linearly related to the cryptovariable

It should also be noted that to send and receive messages encrypted with a stream cipher, the sending and receiving systems must satisfy several conditions. First, the sending and receiving equipment must use identical algorithms for producing the keystream. Second, they must have the same cryptovariable. Third, they must start in the same state. Fourth, they must know where the beginning of the message is.

The first condition is obvious. Ensuring that the two machines have the same cryptovariable is an administrative problem (key management) that will be discussed in a later section. One can ensure that the two devices start in the same state by several means. One way is to include the initial state as part of the cryptovariable. Another way is to send the initial state to the receiver at the beginning of each message (this is sometimes called a message indicator, or initial vector). A third possibility is to design the machines to always default to a specific state. Knowing where the beginning of the message is can be difficult and various messaging protocols use different techniques.

Block Ciphers

A block cipher (see Exhibit 5) operates on blocks of text of fixed size. The specific size is often selected to correspond to the word size in the implementing computer, or to some other convenient reference (e.g., 8-bit ASCII text is conveniently processed by block ciphers with lengths a multiple of 8 bits). Because the block cipher forms a one-to-one correspondence between input and output blocks, it is nothing more than a permutation. If the blocks are n bits long, then there are 2^n possible input blocks and 2^n possible output blocks. The relationship between the input and output defines a permutation. There are (2^n)! possible permutations, so theoretically there are (2^n)! possible block cipher systems on n-bit blocks.

A simple block cipher on 4-bit blocks is shown in Exhibit 6. With such a prodigious number of possible block ciphers, one would think it a trivial matter to create one. It is not so easy. First, the algorithm must be easy to describe and implement. Most of the (2^n)! permutations can only be described by listing the entries in a table such as the one in Exhibit 6. For a 32-bit block cipher, this table would contain 10^9.6 entries, which is quite impractical. Another consideration is that there needs to be a relation between the cryptovariable and the permutation. In most implementations, the cryptovariable selects a specific permutation from a wide class of permutations. Thus, one would need as many tables as cryptovariables. The end result is that it is not easy to design good block ciphers.

The most well-known block cipher is the Data Encryption Standard, DES. The cryptovariable for DES is 64 bits, 8 of which are parity check bits. Consequently, the cryptovariable is effectively 56 bits long. DES operates as follows: a 64-bit plain text block, after its initial permutation (which has no cryptographic significance), is split into left and right halves, L_0 and R_0. These two halves are then processed as follows for i = 0, 1, …, 15:

L_i = R_{i–1}

R_i = L_{i–1} ⊕ f(R_{i–1}, K_i)

EXHIBIT 5 — Block Ciphers

Here, the blocks K_i are derived from the cryptovariable. The function f is a very complex function involving several expansions, compressions, and permutations by means of several fixed tables called the S boxes and P boxes.

As was the case with the DES cryptovariable, there has been much discussion about the significance of the S boxes. Some people have argued that the NSA designed the S boxes to include a “trap door” that would allow them to decrypt DES-encrypted messages at will. If that is the case, no one has been able to discover it. More recently, it has been stated that the S boxes were selected to minimize the danger from an attack called differential cryptanalysis.

Because of the widespread belief that the DES cryptovariable is too small, it is often suggested that a message be encrypted twice with DES using two different cryptovariables. The operation of DES encryption on message P and cryptovariable K can be represented as C = E(P; K); the corresponding decryption is represented as P = D(C; K) = D(E(P; K); K). The “double DES” with cryptovariables K and K’ is:

C = E(E(P; K); K’)

EXHIBIT 6 — Simple Block Cipher

Because each cryptovariable is 56 bits long, an effective cryptovariable length of 56 + 56 = 112 bits has been created. However, the section on cryptanalysis shows that there is an attack on double DES that has a work factor on the same order as single DES. Thus, double DES is no more secure than single DES. A third variant is triple DES. Let K and K’ be DES cryptovariables; then triple DES is

C = E(D(E(P; K); K’); K)

That is, the encrypt function is applied to P using the first cryptovariable, K. The decrypt function is then applied to the result using the second cryptovariable, K’. Because the decrypt function is using a different cryptovariable, the message is not decrypted; it is transformed by a permutation as in any block cipher. The final step is to encrypt once again with the encrypt function. By using the D in the middle, a triple DES implementation can encrypt a single DES message:

C = E(D(E(P; K); K); K) = E(P; K)

No successful attacks have been reported on triple DES. The next section discusses cryptanalysis in more detail.

CRYPTANALYSIS

As stated in the introduction, cryptography is the science of designing algorithms for encrypting messages. Cryptanalysis is the science (some would say art) of “breaking” the cryptographic systems. The following paragraphs explain just what “breaking” a cryptosystem means, because there are many misconceptions in the press.

There is an obvious analogy between cryptanalysis and cryptography and burglars and locks. As the locksmiths design better locks, the burglars develop better ways to pick them. Likewise, as the cryptographer designs better algorithms, the cryptanalyst develops new attacks. A typical design methodology would be to have independent design teams and attack teams. The design team proposes algorithms and the attack team tries to find weaknesses. In the academic world, the designers will publish new algorithms and the rest of the academic world searches for attacks. Each attack provides a new paper toward publication and tenure.

Breaking or attacking a cryptosystem means recovering the plaintext message without possession of the cryptovariable (or key) used to encrypt that message. More generally, breaking the system means determining the cryptovariable (key) that was used. Although it is the message that the analyst really wants, possession of the cryptovariable allows the analyst to recover all of the messages that were encrypted in that cryptovariable. Because the cryptoperiod may be days or weeks, the analyst will be able to recover many more messages than if he attacks a single message at a time.

Determining what algorithm was used is generally not considered part of breaking an encryption system. In most cases, e.g., DES, the algorithm is widely known. Even many of the proprietary systems such as RC4 and RC5 have been published. Because it is very difficult to maintain the secrecy of an algorithm, it is better to design the algorithm so that knowledge of the algorithm’s details is still not sufficient to determine the cryptovariable used for a specific message without trying all possible cryptovariables.

Trying all cryptovariables is called a “brute force” or “exhaustive” attack. It is an attack that will always work as long as the plain text message is recognizable after decryption. That is, in any attack, one needs to be able to decide when success has occurred. One also has to be able to find the cryptovariable (and hence the message) in time for it to be of use. For example, in a tactical military environment, spending one week to recover a message about an attack that will occur in one day will not be useful. Last, one has to be able to afford to execute the attack. One can often trade off time and computer power; an attack that may take one year on a PC would take only one day on 365 PCs.

In an example of a brute force attack on some system, it can be assumed that the cryptovariable has n binary bits (e.g., DES has n = 56). It will also be assumed that a stream cipher and matched plain and cipher text pairs P_i and C_i for i = 1, 2, … exist. For each possible cryptovariable there is some fixed amount of computation (“work”) needed to encrypt a P_i and see if it results in the corresponding C_i. This work can be converted into the total number, W, of basic bit operations in the algorithms such as shifts, mod 2 additions, compares, etc. Suppose for definiteness that W = 1,000 or 10^3.

There is a total of 2^n n-bit cryptovariables. For n = 56, 2^56 is about 10^16.8 or 72,000,000,000,000,000. If one of the possible cryptovariables is selected and P_1 is encrypted, there is a 50:50 chance of getting C_1 because the only choices are 1 and 0. If C_1 is not obtained, the selected cryptovariable is rejected as incorrect and the next one is tested. If C_1 is obtained, the first choice must be tested on P_2 and C_2. At least 56 tests must be performed to be sure that the cryptovariable is correct. The rationale is that the probability of the wrong cryptovariable successfully matching 56 or more bits is 2^–56. Because 2^56 cryptovariables potentially must be tried, the probability of the incorrect cryptovariable passing all the tests is (2^56)(2^–56) = 1. (Such a cryptovariable is called a noncausal survivor.) If a few more than 56 are tested, the expected number of noncausal survivors is much less than 1. Thus, one can be sure that the cryptovariable that successfully matches the 56 P_i and C_i is the one actually used. In a block cipher, such as DES, testing one block is usually sufficient because that results in 64 correct bits.

A natural question is: how long does it really take to execute a brute force attack, or any other kind of attack? The answer depends on how much computational power is available to the analyst. And because cryptographic systems must be useful for many years, the amount of computational power that will be available in years hence must be known. Gordon Moore, one of the founders of Intel, once noted that processing speeds seem to double (or costs are halved) every 18 months. This is equivalent to a factor of 10 increase about every 5 years. This trend has continued quite accurately for many years and has come to be known as “Moore’s” law.

Some predictions can be made using Moore’s law. First, the idea of a MIPS year (M.Y.) is introduced. This is the number of instructions a million-instruction-per-second computer can execute in one year. One MY is approximately 10^13.5 instructions. At today’s (1998) prices, one can get a 50 MIPS PC for about $750. The cost of a MIPS year can then be estimated at about $750/50 or $15, assuming the computer can run for one year.

Two examples will illustrate what this means. There are two cryptographic systems to be considered: one has a 56-bit cryptovariable (e.g., DES) and the other has a 40-bit cryptovariable. It should be noted that 40 bits is the maximum cryptovariable length allowed for export by the U.S. government. It can be assumed that each algorithm requires about 1,000 basic instructions to test each cryptovariable. Statistics show that, on average, one may expect to locate the correct cryptovariable after testing about 1/2 of the cryptovariable space.

There are two perspectives: 1) How much does it cost? 2) How long does it take? The cost may be estimated from

Cost (dollars) = (1/2)(1000 N)($15) / MY

where N equals the number of cryptovariables (in the examples, either 2^56 or 2^40), and MY = 10^13.5. The elapsed time requires that some assumptions be made as to the speed of processing. If K is set equal to the number of seconds in one year, and R the number of cryptovariables tested per second, the following formula is obtained:

Time (in years) = (1/2)(N / KR)

The results are displayed in the following tables:

Cost for Brute Force

Year M.Y. Cost On 56-bit cryptovariable On 40-bit cryptovariable

1997 $15 $17 million $2602002 $1.50 $1.7 million $262007 $0.15 $170 thousand $2.60

A substantiation of these calculations occurred during the summer of1995. At that time, a student at Ecole Polytechnique reported that he had“broken” an encrypted challenge message posted on the Web byNetscape. The message, an electronic transaction, was encrypted usingan algorithm with a 40-bit cryptovariable. The student partitioned thecryptovariable space across a number of computers to which he had ac-cess and set them searching for the correct one. In other words, he exe-cuted a brute force attack and successfully recovered the cryptovariableused in the message. His attack ran for about 6 days and processed about800,000 keys per second. Although most analysts did not believe that a40-bit cryptovariable was immune to a brute force attack, the student’ssuccess caused quite a stir in the press. In addition, the student postedhis program on a Web site so that anyone could copy the program andrun the attack. At the RSA Data Security Conference, January 1997, it wasannounced that a Berkeley student using the idle time on a network of250 computers was able to break the RSA challenge message, encryptedusing a 40-bit key, in 31/2 hours.

Other Attacks

This article has focused mostly on brute force attacks. However, there may be other ways to attack an encryption system. These other methods may be loosely grouped as analytic attacks, statistical attacks, and implementation attacks.

Analytic attacks make use of some weakness in the algorithm that enables the attacker to effectively reduce the complexity of the algorithm through some algebraic manipulation. The section on public key systems describes how RSA can be attacked by factoring with much less work than brute force. Another example of an analytic attack is the attack on double DES.

Double DES may be represented by:

C = E(E(P; K); L)

where K and L are 56-bit DES keys. It can be assumed that matched plaintext and ciphertext pairs P_i, C_i exist. Set X = E(P; K). Then D(C; L) = X.

Time for Brute Force Attack

Number of cryptovariables tested per second    On 56-bit cryptovariable    On 40-bit cryptovariable
1,000                                           1.1 million years           17.5 years
1,000,000                                       1,100 years                 6.2 days
1,000,000,000                                   1.1 years                   9 minutes
1,000,000,000,000                               10 hours                    0.5 seconds

Fix a pair C_1, P_1, and make a table of all 2^56 values X = D(C_1; L) as L ranges through all 2^56 possible DES keys. Then try each K in succession, computing E(P_1; K) and looking for matches with the values of X in the table. Each pair K, L for which E(P_1; K) matches D(C_1; L) in the table is a possible choice of the sought-after cryptovariable. Each surviving pair is then tested against the next plain-cipher pair P_2, C_2.

The chance of a noncausal match (a match given that the pair K, L is not the correct key) is about 2^-64, since a DES block is 64 bits. Thus, of the 2^112 pairs K, L, about 2^(112-64) = 2^48 will match on the first pair P_1, C_1. Trying these on the second block P_2, C_2, a fraction 2^-64 of them survive, leaving about 2^(48-64) = 2^-16 noncausal pairs. The correct pair always survives, so the probability that it is the only survivor of both tests is about 1 - 2^-16, essentially 1.

The total work to complete this attack (called the "meet in the middle" attack) is proportional to 2^56 + 2^48 = 2^56(1 + 2^-8), or about 2^56 encryptions, at the price of a table with 2^56 entries and two known plaintext-ciphertext pairs. In other words, an attack on double DES has about the same work as trying all possible single DES keys; therefore, there is no real gain in security with double DES. (This is why triple DES, not double DES, is the standard way of extending the DES key.)
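The meet-in-the-middle procedure above, carried out in code as an added example that is not part of the original article. DES itself is not implemented here: E and D are a deliberately tiny 16-bit keyed permutation of this example's own design, which makes the doubled cipher's 2^32 composite key space recoverable in about 2^17 cipher operations. Because the toy block is only 16 bits wide, four known pairs are needed to kill the noncausal matches where two suffice for DES; expected_false_survivors computes that figure. All function names and the known plaintexts are this example's constructions.

```python
"""
Meet-in-the-middle attack on a doubled block cipher (added example).

E and D are a deliberately tiny keyed permutation on 16-bit blocks with
16-bit keys, written for this example; they are NOT DES.  The attack is
the one described for double DES: tabulate D(C1; L) for every L, look up
E(P1; K) for every K, and weed out noncausal matches with further
plaintext/ciphertext pairs.
"""
import random

MASK = 0xFFFF
MUL = 0x6D2B                      # odd, so multiplication is invertible mod 2**16
MUL_INV = pow(MUL, -1, 1 << 16)   # Python 3.8+


def E(p, k):
    """Encrypt one 16-bit block p under 16-bit key k (toy cipher)."""
    x = (p ^ k) & MASK
    x = (x * MUL) & MASK
    x = ((x << 5) | (x >> 11)) & MASK       # rotate left by 5
    return (x + k) & MASK


def D(c, k):
    """Inverse of E: undo each step in reverse order."""
    x = (c - k) & MASK
    x = ((x >> 5) | (x << 11)) & MASK       # rotate right by 5
    x = (x * MUL_INV) & MASK
    return x ^ k


def double_encrypt(p, K, L):
    """C = E(E(P; K); L), the double encryption from the article."""
    return E(E(p, K), L)


def meet_in_the_middle(pairs):
    """
    pairs: (plaintext, ciphertext) blocks made by double_encrypt under one
    unknown (K, L).  Returns the surviving (K, L) candidates.  Cost is
    2**16 decryptions plus 2**16 encryptions and a 2**16-entry table,
    instead of 2**32 double encryptions for naive brute force.
    """
    p1, c1 = pairs[0]
    # Step 1: table of the "middle" values X = D(C1; L) for every L.
    middle = {}
    for L in range(1 << 16):
        middle.setdefault(D(c1, L), []).append(L)
    # Step 2: for every K, look up E(P1; K); each hit is a candidate pair.
    candidates = [(K, L) for K in range(1 << 16)
                  for L in middle.get(E(p1, K), ())]
    # Step 3: the remaining pairs kill the noncausal matches.
    for p, c in pairs[1:]:
        candidates = [(K, L) for K, L in candidates
                      if double_encrypt(p, K, L) == c]
    return candidates


def expected_false_survivors(key_bits, block_bits, n_pairs):
    """
    Expected number of wrong (K, L) pairs still matching after n_pairs
    known blocks: 2**(2*key_bits) pairs, each surviving a block with
    probability 2**-block_bits.  For DES (56, 64, 2) this is 2**-16, the
    article's figure; for this 16-bit toy cipher four pairs are needed.
    """
    return 2.0 ** (2 * key_bits - block_bits * n_pairs)


def demo(seed=7):
    """Pick secret keys, build four known pairs (constructed), run the attack."""
    rng = random.Random(seed)
    K, L = rng.getrandbits(16), rng.getrandbits(16)
    plaintexts = [rng.getrandbits(16) for _ in range(4)]
    pairs = [(p, double_encrypt(p, K, L)) for p in plaintexts]
    return (K, L), meet_in_the_middle(pairs)


if __name__ == "__main__":
    secret, found = demo()
    print("secret (K, L):", secret)
    print("recovered    :", found)
    print("false survivors expected, DES with 2 pairs:",
          expected_false_survivors(56, 64, 2))
```

The table of middle values is the whole trick: it trades 2^16 memory for a 2^16-fold reduction in work, exactly as the 2^56-entry table does for double DES.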

Statistical attacks make use of some statistical weakness in the design. For example, if there is a slight bias toward 1 or 0 in the keystream, one can sometimes develop an attack with less work than brute force. These attacks are too complex to describe in this short article.

The third class of attacks are implementation attacks. Here, one attacks the specific implementation of the encryption protocol, not simply the cryptographic engine. A good example of this kind of attack was in the news in late summer 1995. The target was Netscape; the attack was against the 128-bit cryptovariable. Several Berkeley students were able to obtain source code for the Netscape encryption package and were able to determine how the system generated cryptovariables. The random generator was given a seed value that was a function of certain system clock values.

The students discovered that the uncertainty in the time variable that was used to seed the random number generator was far less than the uncertainty possible in the whole cryptovariable space. By trying all possible seed values, they were able to guess the cryptovariable within a few minutes of processing time. In other words, the implementation did not use a randomization process that could in principle produce any one of the 2^128 possible keys. Instead, it was selecting from a space more on the order of 2^20. The lesson here is that even though one has a very strong encryption algorithm and a large key space, a weak implementation could still lead to the compromise of the system: the effective key length is the entropy of the seed, not the length of the key, so keys must come from a generator seeded with genuinely unpredictable input.
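A constructed model of the seeding flaw described above, as an added example and not Netscape's code: the session key is a deterministic function of a seed drawn from only 10^6 clock values, so an attacker who knows how the plaintext must begin (here an assumed HTTP request line) recovers the seed, and with it the key, by exhausting the seed space instead of the 2^128 key space. The key derivation, the hash-based stream cipher standing in for RC4, and the message format are all assumptions of this example; strong_key shows the fix, drawing the key from the operating system's entropy source.

```python
"""
Implementation attack on a weakly seeded key generator (added example).

Constructed model of the flaw described above, not Netscape's code: the
128-bit session key is a deterministic function of a seed drawn only from
the microsecond field of the clock, so at most 10**6 < 2**20 keys can
ever be produced, whatever the nominal key length.
"""
import hashlib
import secrets

SEED_SPACE = 1_000_000              # microseconds in a second
KNOWN_HEADER = b"GET / HTTP/1.0"    # assumed: attacker knows how plaintext starts


def key_from_seed(seed):
    """Weak key generation: 128 bits that depend only on a sub-20-bit seed."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:16]


def strong_key():
    """The fix: draw the key from the operating system's entropy source."""
    return secrets.token_bytes(16)


def keystream(key, length):
    """Toy stream cipher: SHA-256 in counter mode (stands in for RC4)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, msg):
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(msg, keystream(key, len(msg)))


def recover_seed(ciphertext):
    """
    Attack: for each possible seed derive the key and test whether its
    keystream turns the ciphertext prefix into the known header.  Work is
    at most SEED_SPACE trials, not 2**128.
    """
    n = len(KNOWN_HEADER)
    wanted = xor_bytes(ciphertext[:n], KNOWN_HEADER)   # keystream the key must give
    for seed in range(SEED_SPACE):
        if keystream(key_from_seed(seed), n) == wanted:
            return seed
    return None


def demo():
    """Victim encrypts with a clock-derived key; attacker recovers seed and plaintext."""
    victim_seed = 123_456                                      # constructed clock value
    message = KNOWN_HEADER + b"\r\nCookie: session=secret-value\r\n\r\n"
    ciphertext = encrypt(key_from_seed(victim_seed), message)
    seed = recover_seed(ciphertext)
    plaintext = None if seed is None else encrypt(key_from_seed(seed), ciphertext)
    return victim_seed, seed, plaintext


if __name__ == "__main__":
    victim_seed, seed, plaintext = demo()
    print("victim seed:", victim_seed, " recovered:", seed)
    print("plaintext  :", plaintext)
```

Note that nothing about the cipher or the 128-bit key is attacked; the search runs over the 10^6 possible seeds, which is why the key length printed on the box is irrelevant once the seed is guessable.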

KEY (CRYPTOVARIABLE) MANAGEMENT

In the previous sections, it was noted that each encryption system requires a key (or cryptovariable) to function and all of the secrecy in the encryption process is maintained in the key. In addition, the sending and receiving parties must have the same cryptovariable if they are to communicate. This need translates to a significant logistical problem.

The longer a cryptovariable is used, the more likely it is to be compromised. The compromise may occur through a successful attack or, more likely, the cryptovariable may be stolen by or sold to an adversary. Consequently, it is advisable to change the variable frequently. The frequency of change is a management decision based on the perceived strength of the algorithm and the sensitivity of the information being protected.

All communicating parties must have the same cryptovariable. Thus, one needs to know in advance with whom he or she plans to exchange messages. If a person needs to maintain privacy between different people, then distinct cryptovariables are needed for each possible communicating pair. In a 1,000-person organization, this would amount to 1,000 × 999 / 2, or almost half a million keys, and the number grows with the square of the number of users.

Last, the keys must be maintained in secrecy. They must be produced in secret, distributed in secret, and held by the users in a protected area (e.g., a safe) until they are to be used. Finally, they must be destroyed.

For centuries, the traditional means of distributing keys was through a trusted courier. A government organization produced the cryptovariables, and couriers who had been properly vetted and approved distributed them. A rigorous audit trail of manufacture, distribution, receipt, and destruction was maintained. Careful plans and schedules for using the keys were developed and distributed.

This is clearly a cumbersome, expensive, and time-consuming process. Moreover, the process was subject to compromise. Many of history's spies were also guilty of passing cryptovariables, as well as other state secrets, to the enemy.

As communications systems became more and more dependent on communication networks, the concept of a key distribution center (KDC) was developed. The key distribution center concept is illustrated in Exhibit 7. The operation is as follows. Initially, each user, A, B, …, is given (via traditional distribution) a user-unique key that we denote by K_A, K_B, etc. These cryptovariables will change only infrequently. The KDC maintains a copy of each user-unique key. When A calls B, the calling protocol first contacts the KDC and tells it that user A is sending a message to user B. The KDC then generates a random "session key," K, i.e., a cryptovariable that will be used only for this communicating session between A and B. The KDC encrypts K in user A's unique cryptovariable, E(K; K_A), and sends this to A. User A decrypts this message, obtaining K. The KDC likewise encrypts K in user B's unique cryptovariable, E(K; K_B), and sends this result to B. Now A and B (and no other party) have K, which they use as the cryptovariable for this session. In practice, each encrypted message also carries the identity of the other party and a nonce or timestamp, so that a replayed or misdirected session key is rejected; the exchange above shows only the key-carrying skeleton.

A session here may consist of a telephone call or passing a message through a packet switch network; the principles are the same. In practice, the complete exchange is done in seconds and is completely transparent to the user.

The KDC certainly simplifies the distribution of cryptovariables. Only the user-unique keys need to be distributed in advance, and only infrequently. The session key exists only for the duration of the message, so there is no danger that the key might be stolen and sold to an unauthorized person at some later date. But the KDC must be protected (it holds every user's key and sees every session key), and one still has to know with whom one will be communicating. The KDC will not help if one needs to send an electronic mail message to some new party.
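The Exhibit 7 exchange written out as an added example in Python, not the article's code: a KDC object holding each user's long-term key mints a session key and seals it separately for A and for B; A then sends under the session key, and a third enrolled user C, who also has a KDC key, cannot open either blob. The symmetric primitive seal/unseal is a hash-based toy standing in for DES, and the peer name and per-message nonce inside each sealed blob are this example's own additions, not something the article specifies.

```python
"""
Key distribution center session-key exchange (added example).

Toy model of Exhibit 7, not the article's code: every user shares a
long-term key with the KDC; when A wants to talk to B, the KDC mints a
session key K and returns it sealed once under K_A and once under K_B.
seal/unseal are a hash-based toy standing in for DES.  The peer name and
nonce inside each sealed blob are this example's own hardening.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(blocks))[:length]


def seal(key, data):
    """Toy authenticated encryption of a dict: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(data, sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal; raises ValueError if key is wrong or blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds every user's long-term key and hands out fresh session keys."""

    def __init__(self):
        self.keys = {}

    def enroll(self, user):
        """Stands in for traditional (courier) distribution of K_user."""
        self.keys[user] = secrets.token_bytes(16)
        return self.keys[user]

    def request(self, caller, callee):
        """Return E(K, callee; K_caller) and E(K, caller; K_callee)."""
        k = secrets.token_bytes(16).hex()
        for_caller = seal(self.keys[caller], {"session_key": k, "peer": callee})
        for_callee = seal(self.keys[callee], {"session_key": k, "peer": caller})
        return for_caller, for_callee


def run_session(message="the quarterly numbers"):
    """One A-to-B session, plus a check that another user C learns nothing."""
    kdc = KDC()
    k_a, k_b, k_c = kdc.enroll("A"), kdc.enroll("B"), kdc.enroll("C")
    for_a, for_b = kdc.request("A", "B")
    a_view, b_view = unseal(k_a, for_a), unseal(k_b, for_b)   # each recovers K
    try:
        unseal(k_c, for_b)          # C holds a KDC key too, but not K_B
        c_can_read = True
    except ValueError:
        c_can_read = False
    session_a = bytes.fromhex(a_view["session_key"])
    session_b = bytes.fromhex(b_view["session_key"])
    received = unseal(session_b, seal(session_a, {"from": "A", "text": message}))
    return {
        "same_key": a_view["session_key"] == b_view["session_key"],
        "peers": (a_view["peer"], b_view["peer"]),
        "c_can_read": c_can_read,
        "received": received["text"],
    }


if __name__ == "__main__":
    print(run_session())
```

The "peer" field is what lets A confirm that the key she received was minted for a conversation with B rather than with someone else, which the bare E(K; K_A) of the text does not establish.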

It is clear that cryptovariable (or key) management is difficult and does not provide much in the way of flexibility. Many people have wondered if it would be possible to develop an encryption system where one could have a directory of public keys. Sending an encrypted message to someone would involve looking up that person's cryptovariable in a "telephone book," encrypting the message, and sending it. Even if the message were intercepted, no one would be able to decrypt it except the intended recipient. Can such a system be designed? The answer is yes. It is called public key cryptography.

PUBLIC KEY CRYPTOGRAPHY

The concept of public key cryptography was first discovered and publicly announced by Whitfield Diffie and Martin Hellman (and independently by Ralph Merkle) in the 1970s. Admiral Bobby Inman, a former director of the National Security Agency, once stated publicly that NSA knew of the idea for many years prior to the publication by Diffie and Hellman.

EXHIBIT 7 — Key Distribution Center

The concept is rather simple. It is assumed that two special functions E and D can operate on messages M. It is also assumed that E and D satisfy the following conditions:

1. D(E(M)) = M
2. E(D(M)) = M
3. Given E, it is not possible to determine D
4. Given D, it is not possible to determine E

The use of the function E in encryption is straightforward. It is assumed that each person, A, B, C, … has a pair of functions E_A, D_A, E_B, D_B, … that satisfy conditions 1, 2, and 3 above. Each user X makes E_X publicly available but keeps D_X secret and known only to themselves. Now when A wants to send a message, M, to B, A looks up E_B in the published list and computes E_B(M). By property 1, D_B(E_B(M)) = M, so B can decrypt the message. From property 3, no person can determine D_B from knowledge of E_B, so no one but B can decipher the message.

The functions can also be used to sign messages. Perhaps A wants to send a message M to B and she does not care if anyone else sees the message, but she does want B to know that it really came from her. In this case, A computes D_A(M), called a signature, and sends it along with M. When B gets these two messages, he looks up A's function E_A and computes E_A(D_A(M)), obtaining M by property 2. If this computed M agrees with the message sent as M, then B is sure that it came from A. Why? Because no one else has or can compute D_A except A, and the likelihood of someone producing a fictitious X such that E_A(X) = M is negligibly small. (In practice, the signature is computed over a hash of M rather than over M itself, which is both faster and necessary for long messages.)

Now suppose A wants to send B a secret message and sign it. Let M be the message. A first computes S = D_A(M) and concatenates this to the message M. A then encrypts both the message and the signature, E_B(M, S), and sends it to B. B applies D_B to E_B(M, S), obtaining D_B(E_B(M, S)) = M, S. B then computes E_A(S) = E_A(D_A(M)) = M and compares it to the message he decrypted. If both versions of M are the same, he can be assured that A sent the message.

The question the reader should ask is "Do such functions exist?" The answer is yes, if conditions 3 and 4 above are relaxed. If the only requirement is that it be computationally infeasible to recover D from E (and vice versa), then the functions can be shown to exist. The most well-known example is the RSA algorithm, named for its discoverers, Rivest, Shamir, and Adleman.

A description of RSA requires a small amount of mathematics and will be explained as the article proceeds. As a base, two large (containing hundreds of digits) prime numbers, p and q, are needed to meet conditions 3 and 4. A prime number is a number that has no divisors except the number itself and 1. (In dealing with integers, when a divides b, it means that there is no remainder; i.e., b = ac for some integer c.) The numbers 2, 3, 5, 7, 11, 13, 17 are all prime. The number 2 is the only even prime; all the rest must be odd.

n is then defined as the product of p and q:

n = pq

Also define:

t = (p – 1)(q – 1)

As an example, take p = 3 and q = 7. (These are not large primes, but the mathematics is the same.) Then n = 21 and t = 12. The next step in the construction of RSA is to select a number e that has no common divisors with t. (In this case, e and t are said to be relatively prime.) The numerical example may take e = 5 because 5 and 12 have no common divisors. The next step involves finding an integer d such that ed − 1 is divisible by t. (This is denoted by ed ≡ 1 mod t.) Because 5 × 5 − 1 = 25 − 1 = 24 = 2 × 12 = 2t, one may take d = 5. (In most examples, e and d will not be the same.)

Now, d, p, and q are kept secret. They are used to create the D function. The numbers e and n are used to create the E function. The pair (e, n) is usually called the public key and d (together with n) the secret key. The number n is called the modulus. Once p and q have been used to produce n and d, they are no longer needed and may be destroyed, but they must never be made public.

To encrypt a message, one first converts it into a string of integers, m_1, m_2, …, all smaller than n. Then compute:

$$c_i = E(m_i) = m_i^e \bmod n$$

This means that m_i is raised to the e-th power and then divided by n. The remainder is c_i = E(m_i). In this example, it is assumed that the message is 9. Compute:

$$9^5 \bmod 21 = 59049 \bmod 21 = 18$$

since 59049 = 2811 × 21 + 18. So c = 18. The decryption, or D function, is defined by:

$$D(c_i) = c_i^d \bmod n$$

In the example,

$$18^5 \bmod 21 = 1889568 \bmod 21 = 9$$

since 1889568 = 89979 × 21 + 9.

The security of RSA depends on the resistance of n to being factored.

Because e is made public, anyone who knows the corresponding d can decrypt any message. If one can factor n into its two prime factors, p and q, then one can compute t and then easily find d. Thus, it is important to select integers p and q such that it is not likely that someone can factor the product n. In 1983, the best factoring algorithm and the best computers could factor a number of about 71 decimal (235 binary) digits. By 1994, 129-digit (about 428-bit) numbers were being factored. Implementations of RSA at the time of writing generate p and q on the order of 256 to 1024 bits so that n is about 512 to 2048 bits. (Since then, 512-bit and 768-bit moduli have been factored publicly, so 2048 bits is now the accepted minimum.)
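The RSA construction above (key setup from p, q and e, encryption, decryption), the signature use of D and E described earlier under public key cryptography, and the factoring attack just discussed, as one added example with the article's toy numbers p = 3, q = 7, e = 5, message 9 and a second, slightly larger toy modulus. This is textbook RSA written for this page, not a library or the article's own code; recover_secret_key is the factoring attack by trial division, and the function names are this example's. Real deployments use 2048-bit or larger moduli and a padding scheme, neither of which is shown.

```python
"""
Textbook RSA with the article's toy numbers (added example, not the
article's code or a library).  Covers key setup from p, q, e; encryption
and decryption; signing with D and verifying with E; and the factoring
attack, which recovers d from the public key alone once n is factored.
Real RSA uses 2048-bit or larger moduli and a padding scheme; neither is
shown here.
"""
from math import gcd, isqrt


def keygen(p, q, e):
    """Return public key (e, n) and secret key (d, n) for primes p, q."""
    n = p * q
    t = (p - 1) * (q - 1)
    if gcd(e, t) != 1:
        raise ValueError("e must be relatively prime to t = (p-1)(q-1)")
    d = pow(e, -1, t)              # e*d = 1 mod t  (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, m):
    """c = m^e mod n; the message block must be an integer smaller than n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def sign(priv, m):
    """S = D_A(M): apply the secret exponent (in practice, to a hash of M)."""
    return decrypt(priv, m)


def verify(pub, m, s):
    """Check E_A(S) == M."""
    return encrypt(pub, s) == m


def factor_modulus(n):
    """Trial division up to sqrt(n): the 10**50-step attack for a 100-digit n."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no nontrivial factor")


def recover_secret_key(pub):
    """Factoring attack: from (e, n) alone, find p, q, then t, then d."""
    e, n = pub
    p, q = factor_modulus(n)
    return keygen(p, q, e)[1]


def worked_example():
    """The article's numbers: p = 3, q = 7, e = 5, message 9 -> 18 -> 9."""
    pub, priv = keygen(3, 7, 5)
    c = encrypt(pub, 9)
    return pub, priv, c, decrypt(priv, c)


if __name__ == "__main__":
    print("article example (pub, priv, c, m):", worked_example())
    pub, priv = keygen(61, 53, 17)          # second toy modulus, n = 3233
    s = sign(priv, 65)
    print("signature of 65:", s, "verifies:", verify(pub, 65, s))
    print("secret key recovered by factoring:", recover_secret_key(pub) == priv)
```

With n = 21 the factoring "attack" is a single division; the point of recover_secret_key is that it takes nothing but the public key as input, which is exactly the algebraic weakness the text describes.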

It should be noted that attacking RSA by factoring the modulus n is a form of algebraic attack. The algebraic weakness is that the factors of n lead to a discovery of the secret key. A brute force attack, by definition, would try all possible values for d. Because d is hundreds of digits long, the work is on the order of 10^100, which is a prodigiously large number. Factoring a 100-digit number, n, by trial division takes at most on the order of the square root of n operations, or about 10^50 for a 100-digit number. Although it is still a very large number, it is a vast improvement over brute force. There are, as mentioned, factoring algorithms that have much smaller work, but that still are not feasible with today's technology, or that of the near future.

As shown in the examples, using RSA requires a lot of computation. As a result, even with special-purpose hardware, RSA is slow, too slow for many applications. The best application for RSA and other public key systems is as key distribution systems.

Suppose A wants to send a message to B using a conventional private key system such as DES. Assuming that B has a DES device, A has to find some way to get a DES cryptovariable to B. She generates such a key, K, through some random process. She then encrypts K using B's public algorithm, E_B(K), and sends it to B along with the encrypted message E_DES(M; K). B applies his secret function D_B to E_B(K) and recovers K, which he then uses to decrypt E_DES(M; K).

This technique greatly simplifies the whole key management problem. One no longer has to distribute secret keys to everyone. Instead, each person has a public key system that generates the appropriate E and D functions. Each person makes the E public and keeps D secret, and they are done. Or are they?

The Man in the Middle

Unfortunately, there are no free lunches. If a third party can tamper with the public listing of keys or E functions, that party can masquerade as both ends of the communication.

Suppose that A and B have posted their E_A and E_B respectively on a public bulletin board. Unknown to them, C has replaced E_A and E_B with E_C, his own encryption function. Now when A sends a message to B, A will encrypt it as E_C(M), although she believes she has computed E_B(M). C intercepts the message and computes D_C(E_C(M)) = M. He then encrypts it with the real E_B and forwards it to B. B will be able to decrypt the message and is none the wiser. Thus, this man in the middle will appear as B to A and as A to B.

The way around this is to provide each public key with an electronically signed certificate attesting to the validity of the public key and the claimed owner. The certificates are prepared by an independent third party known as a certificate authority (e.g., VeriSign). The user will provide a public key (E function) and an identification to the certificate authority (CA), which must verify that identification before signing. The CA will then issue a digitally signed token binding the customer's identity to the public key. That is, the CA will produce D_CA(ID_A, E_A). A person, B, wishing to send a message to A, will obtain A's public key, E_A, and the token D_CA(ID_A, E_A). Because the CA's public key will be publicized, B computes E_CA(D_CA(ID_A, E_A)) = ID_A, E_A and checks that the identity and key match what he expects. Thus, B, to the extent that he can trust the certificate authority, can be assured that he really has the public key belonging to A and not an impostor. (The CA's own public key must of course reach B by a path the impostor cannot tamper with; typically it is shipped with the software.)
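The bulletin-board substitution and the certificate check that defeats it, as an added example that is not the article's code. The keys are toy RSA moduli of a few thousand so the arithmetic stays visible; with a CA modulus this small the impostor could forge signatures by exhaustive search, which is why real certificate authorities use 2048-bit and larger keys. The certificate layout (id, e, n, sig), the hashing of the certificate body into the CA's modulus, and all function names are assumptions of this example.

```python
"""
Man in the middle on a public key directory, and the certificate that
stops him (added example, not the article's code).  Toy RSA moduli of a
few thousand keep the arithmetic visible; a CA key this small could be
forged by exhaustive search, so real CAs use 2048-bit keys and larger.
The certificate layout (id, e, n, sig) is an assumption of this example.
"""
import hashlib


def toy_rsa_keys(p, q, e=17):
    """((e, n), (d, n)) from two small primes, as constructed earlier on this page."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


def hash_mod(data, n):
    """SHA-256 of data reduced into the CA's modulus, so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def cert_body(ident, e, n):
    return f"{ident}|{e}|{n}".encode()


def ca_issue(ca_priv, ident, pub):
    """CA produces D_CA(ID, E): a signature over the identity AND the key."""
    d, n_ca = ca_priv
    e, n = pub
    sig = pow(hash_mod(cert_body(ident, e, n), n_ca), d, n_ca)
    return {"id": ident, "e": e, "n": n, "sig": sig}


def cert_verify(ca_pub, cert, expected_id):
    """B computes E_CA(sig) and checks it matches the (ID, E) he expects."""
    e_ca, n_ca = ca_pub
    body = cert_body(cert["id"], cert["e"], cert["n"])
    return cert["id"] == expected_id and pow(cert["sig"], e_ca, n_ca) == hash_mod(body, n_ca)


def demo():
    ca_pub, ca_priv = toy_rsa_keys(61, 53)     # n = 3233
    a_pub, a_priv = toy_rsa_keys(71, 67)
    b_pub, b_priv = toy_rsa_keys(73, 79)
    c_pub, c_priv = toy_rsa_keys(83, 89)       # the impostor's own pair

    board = {"A": a_pub, "B": b_pub}           # unsigned "telephone book"
    certs = {"A": ca_issue(ca_priv, "A", a_pub), "B": ca_issue(ca_priv, "B", b_pub)}

    # C tampers with both listings.  He can put his key under B's name, and he
    # can get the CA to certify his key in his OWN name, but he cannot obtain a
    # CA signature over ("B", E_C): the signature covers identity and key.
    board["B"] = c_pub
    certs["B"] = ca_issue(ca_priv, "C", c_pub)

    m = 1234
    # 1. Unsigned board: A encrypts for "B" but really for C, who reads M and
    #    re-encrypts it under the real E_B so B notices nothing.
    from_a = pow(m, *board["B"])
    c_learns = pow(from_a, *c_priv)
    b_reads = pow(pow(c_learns, *b_pub), *b_priv)
    # 2. Signed board: the substituted certificate fails the identity check.
    ok_a = cert_verify(ca_pub, certs["A"], "A")
    ok_b_as_b = cert_verify(ca_pub, certs["B"], "B")
    ok_b_as_c = cert_verify(ca_pub, certs["B"], "C")   # valid, but for C, not B
    return c_learns, b_reads, ok_a, ok_b_as_b, ok_b_as_c


if __name__ == "__main__":
    print(demo())
```

The decisive line is the identity comparison in cert_verify: a certificate that verifies under the CA key but names someone other than the int<br>ended peer is exactly what the impostor can supply, so a check that only validates the signature would still let him through.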

There are several other public key algorithms, but all depend in one way or another on difficult problems in number theory. The exact formulations are not of general interest since an implementation will be quite transparent to the user. The important user issues are the size of the cryptovariable, the speed of the computation, and the robustness of the implementation.

CONCLUSION

Except for those who have spent the last few years on a desert island, everyone is aware of the phenomenon known as the Internet and its surprising and unpredicted growth and popularity. The Internet has created an unprecedented demand for instantaneous information exchange in the military, government, and, most importantly, private sectors. The United States' economic base, government functions, and military effectiveness are more dependent on the Internet and automated information systems than those of any other country in the world. However, the very technology that created this dependence is its greatest weakness: the infrastructure is fundamentally insecure. It is vulnerable to attacks, from individuals, groups, or nation-states, that can easily deny service or compromise the integrity of information.

As more critical systems become electronic, and as the Internet is used increasingly as a medium for commerce, the probability that computer crime will replace traditional crime in the industrialized world increases. The President has recognized this threat and recently issued an Executive Order on Critical Infrastructure that establishes a commission, subcommittees, and a task force to address security issues related to the nation's critical infrastructures (telecommunications, electrical power, banking and finance, etc.).

One result of the growing economic use of the Internet is the recognition by users and vendors alike that there is a need to provide a mechanism to protect the confidentiality of Internet users and the content of their transactions. One mechanism that can provide such confidentiality, when selected and used intelligently, is encryption. This article presented an overview of some of the basic ideas of encryption: what it is and how it works.

Notes

1. Many thought that NSA had implanted a "trap door" that would allow them to recover encrypted messages at will. Others argued that the key length (56 bits) was too short.
2. This term is used for historical reasons and the reader is cautioned not to confuse "keystream" with "key." It is because of this confusion that the term "cryptovariable" is preferred to "key." The terms key and cryptovariable will be used interchangeably.

Recommended Reading

Hodges, A., Alan Turing: The Enigma of Intelligence, Simon and Schuster, 1983.
Bamford, J., The Puzzle Palace, Houghton Mifflin, 1982.
Schneier, B., Applied Cryptography, John Wiley, 1996.

Ronald A. Gove, Ph.D. is a vice president with Science Applications International Corporation, where he is the operating center manager for the Center for Information Security Technology. Dr. Gove is a frequent speaker at information security conferences and symposia and served both as program chairman and as general chairman of the Annual Computer Security Applications Conference. He is the vice president and deputy chairman of the Board of the Applied Computer Security Associates, a not-for-profit organization dedicated to education and information exchange in the area of information security.