![]() |
Reference Series |
Table of Contents For This Issue
|
| |
How Computers Work, Part I | |
August 2001 Vol.5 Issue 3 Page(s) 150-155 in print issue | |
Deciphering The Secret World Of Encryption A Look At The Methods Used To Keep Your Identity & Information Safe |
![]() Encryption is the process of obscuring the data in a file to prevent others from gaining access to its contents. An encrypted file appears as a string of gibberish. For someone to read or use the file, that person needs to decrypt it. Decryption is the process of translating an encrypted file into its original, readable form. In most cases, only the users with the correct key (a type of password) can turn the file in a readable one. In the electronic world, data encryption has a variety of purposes, including safeguarding data file integrity and protecting e-mail and e-commerce (electronic commerce) transmissions. We also use encryption to authenticate a user’s right to access a computer resource and to determine a user’s identity across a network. The study of encryption and decryption methods is called cryptology. In the next couple of pages, we will give you a glimpse into the world of the cryptologist and show you how data is protected as it speeds across the Information Superhighway. ![]() Second, the procedure used to encrypt cleartext is a cipher, or encryption algorithm. Algorithms are numerically based lists of instructions involving mathematical functions. ![]() A symmetric key is used to encrypt and decrypt the same message. This means both the sender and the recipient must know the key. Symmetric-key cryptography is used to encrypt data files and transmissions between computer systems. Its primary weakness is that both machines must share the key during a transmission. This makes the key vulnerable to interception and decryption. Plus, a challenge exists in finding a secure method to transfer the key.
Public-key cryptography is often used to create digital signatures, which verify the clear- text’s origin and integrity. Digital signatures are used in e-mail and e-commerce systems. Additionally, public-key cryptography is often used to encrypt symmetric keys, called session keys when used this way, so they safely pass between two computer systems. Public keys do not exist forever; they have expiration dates in order to keep them from being compromised. ![]() To understand these algorithms and the history of cryptology, one need only to look at the art of war. Even ancient history recounts the military commanders’ needs for developing communication methods that their enemies could not understand. The ancient Spartans, for example, used a transcription cipher. They wound a narrow strip of parchment around a staff called a scytale. Then they wrote message characters that ran down the length of the parchment spiral. If someone unwound the parchment strip from the scytale, the order of the characters became scrambled. The only way to decode the message was by wrapping the parchment over a scytale of the same circumference. We can make a tabular transcription cipher illustrating how the Spartan’s cipher would work. Let’s assume our scytale has a circumference of five characters. The message “ATTACK THE PERSIANS AT DAWN” would look like this: XXXXX (our scytale’s diameter) ATTAC KTHEP ERSIA NSATD AWN By reading down each column of letters we get the encrypted message “AKENATTRSWTHSANAEITCPAD.” If you unwound the parchment, however, you would only be able to read a jumble of characters. Back in the early days, they even used substitution ciphers. The Roman legions of Julius Caesar used a substitution code where they replaced each character with a letter that was three characters to the right of the original letter. For instance, they would have replaced the letter “J” by the letter “M.” A sample message in the Caesar cipher would look like this: plain text:ATTACK THE GAULS AT DAWN cipher text:CWWCFNWKHJCXOVCWGCZQ To decipher the message, the recipient would simply substitute a letter three letters to the left for every character in the ciphertext. The Caesar cipher is still with us today in ROT13, a simple encryption algorithm. This algorithm uses the 13th letter to the right of a plaintext element in order to produce the ciphertext element. Some Usenet news-client programs have a ROT13 button or keystroke to quickly hide sensitive text from someone peering over a user’s shoulder. ![]() For instance, if the cryptographic program assigns the cleartext letter “a” the binary value of “100000,” it can then alter each bit, making it more difficult to deduce cleartext from the ciphertext. Each bit can be changed using the XOR (exclusive-OR) mathematical operation. The following table shows the possible values for XOR bit operations. (The character “Å” represents the XOR operation.) 0 Å 0 = 0 1 Å 0 = 1 0 Å 1 = 1 1 Å 1 = 0 The number “100000” could be XORed one bit at a time to another binary number. For the sake of example, let’s use “111001” as the encryption key (which is a very short key). In practice, keys are comprised of extremely large binary numbers, the best may contain 128 bits or more that depend on the encryption algorithm. The XOR operation for our example would render the following result. 100000 (plain text) 111000 (key) 011000 (cipher text) XOR operations are also reversible. Thus, we can decipher our ciphertext by reapplying the same key of “111000” to give us our plaintext of “100000” or “a.” 011000 (cipher text) 111000 (key) 100000 (plain text) ![]() Regardless of length, cryptographic keys must be unique. At the Network Security conference in June 1999, cryptologist Bruce Schneier said, “Some people obsess about key length. A long key does not equal a strong system.” In Schneier’s book, “Applied Cryptography,” Schneier cites examples of bad keys. These include a name, initials, personal interests, words in any language, names from literature and legend, substituting numbers for letters in names and words, and word pairs. Instead, he recommends a key writer use a range of randomly ordered bits. When a random bit key is not easily generated, Schneier says a pass phrase is the next best choice. A pass phrase is a long password that is converted into a bit pattern using a key-crunching technique, which converts the phrases into random keys. Thus a line of poetry converted to binary code stands a better chance of making a key more difficult to decode than creating a key from one word. ![]() One-time pad. Even though it might appear that private-key ciphers are easy to break once the cryptanalyst knows the key, one private key algorithm scheme is unbreakable: the one-time pad. Gilbert Vernam and Major Joseph Mauborgne invented it in 1917. In the one-time pad system, both the sender and recipient have a pad, which is a range of key values used once and then discarded. The name one-time pad recalls the days when diplomatic and military cryptologists used paper pads that contained the key or keys used at a given time period. As each period ended, the cryptologists destroyed the keys for that time range. It can be very difficult to keep one-time pad keys synchronized. Should either sender or receiver loose track of which key was used last, then that person cannot decode the cipher text. Computer-driven one-time pad systems allow algorithms to change the key with each cleartext element. Even with complete knowledge of a cryptographic algorithm and a sample of the ciphertext, an unknown, constantly changing key can keep the cleartext secret. Cryptologists can approach the security of the one-time pad system by using cryptographic-grade random-number generators. Symmetric algorithms can make use of a large random number as an encryption key. For secrecy’s sake, this key is changed often. However, the random-number generator must not repeat numbers already generated. Random-number generators in computer language compilers such as BASIC are actually pseudo-random-number generators. They produce a large set of numbers that appear to be random, but in time, the numbers repeat. Because patient cryptanalysts look for these repeats, cryptologists have to develop their own random-number generators. For an example, go to the Couterpane Web site where you can find the freely available source code belonging to Bruce Schneier’s Yarrow cryptographic random-number generator (http:// www.counterpane.com/yarrow.html). ![]() The Digital Encryption Standard. The DES (Digital Encryption Standard) was developed for the U.S. Government in 1977, based on work derived from Lucifer, an IBM cipher. DES is still in use today. Some governments and the financial industry tend to favor this standard. DES is a 64-bit block algorithm that uses a 56-bit key. Because some cryptologists no longer believe DES is secure, Triple-DES (or 3DES) was created to beef up the algorithm. In this version, the plaintext is encrypted three times by three keys. The keys are used in reverse to decrypt the cipher text. International Data Encryption Algorithm. In 1990, James L. Massey and Xuejia Lai developed IDEA (International Data Encryption Algorithm) in Zurich, Switzerland. It is one of the best-known algorithms, having been used in the popular PGP (Pretty Good Privacy) encryption program. IDEA uses a 128-bit key, is very strong, and is available free of charge to non-profit organizations. Ascom-Tech holds IDEA’s international patents. Blowfish. Bruce Schneier’s symmetric-key algorithm is Blowfish. It is a 64-bit block algorithm that can use keys up to 448 bits in length. It is a royalty-free algorithm designed as a drop-in replacement for DES and IDEA with free source code. Additional information is available at The Blowfish Encryption Algorithm page at http:// www.counterpane.com/blowfish.html. RC2. Ronald Rivest of RSA Data Security Inc. (http://www.rsa.com) developed RC2, a block algorithm. RC2 uses keys from one to 2,048 bits. RC4. The stream algorithm RC4 is another of Ronald Rivest’s creations. It also allows the use of keys from one to 2,048 bits. RC5. RC5 is a Rivest block algorithm. Published in 1995, it allows a user to determine key size, block length, and the number of encryption rounds. ![]()
RSA. RSA, developed in 1977 at MIT by Ronald Rivest, Adi Shamir, and Leonard Adelman, is the most common public-key algorithm. RSA is used for data encryption and digital signing. The algorithm is based on the difficulty of factoring large prime numbers. RSA Data Security Inc. markets RSA in the United States. The U.S. patent covering RSA expired Sept. 20, 2000. ElGamal. ElGamal, described by T. ElGamal in 1985, is another discrete logarithm algorithm used for encryption and digital signatures. ElGamal is thought to be more secure because of its longer keys. ![]() V. S. Miller and Neal Koblitz first independently described an application of the discrete logarithm algorithm in 1985. Elliptic curve public keys use the elliptic curve discrete log problem. It has the advantage of taking less computing power. The algebra is fairly straightforward, making software and hardware versions much easier to develop. Elliptic curve cryptography is still fairly new. RSA and Baltimore Technologies (http://www.baltimore.com), however, have offered products using it. Certicom’s (http://www.certicom.com) version offers security for Palm and Windows CE PDAs (personal digital assistants). The U.S. Government first used this product on June 30, 1998, to send a check for $32,153 over the Internet to GTE for work done on a military contract. ![]() Message digest algorithms are very sensitive to minor changes in the input, making them ideal for checking against tampering. In addition, they make it very difficult to deduce the input data from the final message digest value. Message Digest 5. Ronald Rivest created MD5 (Message Digest 5). His earlier attempts, MD2 and MD4, proved slow and not as secure. RSA Data Security distributes it free of charge. Secure Hash Algorithm. The NIST (National Institute of Standards and Technology) and the NSA (National Security Agency) developed the SHA-1 (Secure Hash Algorithm). It was intended for use with the DSS (Digital Signature Standard) and was modeled on Rivest’s earlier MD4 algorithm, along with some improvements. SHA-1 produces a 160-bit message digest instead of a 128-bit one. RIPE-MD. RIPE-MD is a European effort to create an MD4-derived message digest. A later version, RIPEMD-160, produces a 160-bit digest. It’s intended to replace MD4 and MD5 designs. HAVAL. Yuliang Zheng, Josef Peiprzyk, and Jennifer Seberry developed the message digest algorithm HAVAL. It is a variation on MD5 that allows hash values from 92 bits to 256 bits in length and has a variable number of encryption rounds. ![]() ![]() A digital envelope is used to send a secret symmetric key (session key) to another user. It is produced by encrypting the session key with the recipient’s public key. Digital certificates are issued from a “trusted” server called a certificate authority. The following example describes it best. Bob applies for a digital certificate and is given a certificate containing a private key. Bob’s public-key certificate is on the certificate authority. Alice and Fred, who also use the certificate authority, can encrypt items for Bob using his public certificate without ever having to contact him for it. Digital certificates can contain the user’s name, the name of the issuing certificate authority, a serial number, the key, the date issued, the expiration date, and the issuer’s digital signature. Once issued, a CRL (certificate revocation list) tacks the digital certificate. In a PKI (public-key infrastructure), several certificate authorities are linked. Maintaining and validating certificates in large PKI systems can become daunting. Large commercial PKI services include VeriSign (http://www.verisign.com) and GTE CyberTrust (acquired by Baltimore Technologies in January 2000). ![]() •The IPSec (Internet Protocol Security Protocol) is the standard for cryptographic authentication of datagrams at the network layer. It uses RSA, Diffie-Hellman, MD5, DES, Triple-DES and SHA-1. •PPTP (Point-to-Point Tunneling Protocol) creates VPN (virtual private network) connections between computers. It uses RSA and DES. •Developed jointly by VISA and MasterCard, the SET (Secure Electronic Transactions) security protocol protects Internet credit card transactions. It uses RSA, DES, SHA-1, and HMAC-SHA1. •S/MIME (Secure Multipurpose Internet Message Extensions) ensures secure transmission, forwarding, and authentication of data at the application layer. It uses RSA, DES, Triple-DES, RC2, MD5, and SHA-1. •The SSH (Secure Shell) gives users secure remote access to another computer over a network. SSH is used to replace the weak “remote services” often misused by hackers for computer break-ins. It uses RSA, RC5, RC4, RC2, DES, and 3DES. •At the transport layer, the SSL (Secure Sockets Layer) provides a secure link between two computers, allowing authentication and encrypted data exchange. An improved version is TLS (Transport Layer Security). SSL was first developed by Netscape. SSL uses RSA, RC4, SHA-1, MD5, 3DES, DES, and Diffie-Hellman. ![]() ![]() by Bill Hayes View the graphics that accompany this article. (NOTE: These pages are PDF (Portable Document Format) files. You will need Adobe Acrobat Reader to view these pages. Download Adobe Acrobat Reader)
|