Encryption (open literature only)

Introduction

Encryption is used to protect the confidentiality of information when it must reside or be transmitted through otherwise unsafe environments. Encryption is also used for "digital signatures" to authenticate the origin of messages or data. Encryption algorithms themselves are rarely used alone in practice. Rather, they are typically embedded into a larger security systems to ensure their correct and consistent use, since a failure to do can compromise the security of other messages, even those that have been properly encrypted.

While there is greater general interest in cryptography and a larger commercial market than there was 15-20 years ago, the basic cryptographic algorithms are little changed over that period. For more information on the current technology and issues in cryptography, see Cryptography related sources on the Internet.

Design Space

Uses of Encryption

Encryption can be used in several different ways as summarized below. In addition to the characteristics of a particular encryption algorithm that are required to support a given use, the algorithm itself is generally integrated into a larger system that handles other aspects of the area to which encryption is being applied to ensure correct use and to minimize the visibility of the use of encryption. For example, if encryption is used for file protection, directories may also be protected and keys are managed on behalf of users so that normal file access does not change much.

Message Encryption. This is the traditional use of cryptography. Blocks of text are encrypted as units. This is the normal way in which email is encrypted.
Digital Signatures. Authenticating who sent a message is often useful. In the public key scheme, the secret decryption key can be used to encrypt, allowing the non-secret encryption key to be used to decrypt. Since only the secret key holder is presumed to have the secret key, only he could have encrypted/signed the message. Anyone can check the digital signature by applying the non-secret key. Secret, signed messages can be obtained by digitally signing with your secret key, then encrypting using the recipient's non-secret key.
Stream Encryption. Some encryption schemes increase security by varying the key for separate packets of a long message. Often, the key is computed from previous packets. As long as all packets ultimately arrive, this works, but if packets are lost, subsequent packages are not decryptable. Various synchronizations can be used to minimize the loss. This is particularly an issue for potential encryption of audio or video where the underlying transport will drop packets when load gets high.
File Encryption. Various encryption algorithms have been applied to files and databases. The main issue here is one of packaging the encryption naturally into normal file access and managing keys when a key may need to be used for a long time after it was originally used to encrypt.
Electronic Cash. Cryptography is used to create unforgeable "electronic cash" tokens. Tokens include a serial number that can be decrypted (and saved) by the bank accepting the token. Reuse (illegitimate) of the token allows the user to be identified because the serial number will have already been seen in a previous transaction. See About DigiCash.

Legal Issues and Civilian vs. Military Encryption

There is a bifurcation between civilian and military encryption. Military and intelligence algorithms are not publicly available, while civilian algorithms are mandated against for most military and intelligence applications. Further, while civilian encryption can be done in software, military encryption is generally (always) done in hardware to reduce the possibility of bypassing or corrupting the encryption process. This summary was written without access to information about defense-related encryption. As such, it addresses only encryption available for commercial use. It should definitely be updated if the application to be selected is a military one.

Export of encryption from the US is controlled by the International Tariff and Arms Regulations (ITAR). There are many legal impediments to the use or lack of use of encryption for various kinds of information, in various countries, with differing encryption algorithm strengths. These requirements overlap and seem to often conflict. This is an area of active public policy debate. Use of any particular encryption scheme needs to be considered carefully on an application by application basis, with particular concern for foreign use or sale. For an illustrative example of export policy, see NetScape Policy on Encryption Export.

Ideally it would be possible to encapsulate the encryption function so that any encryption process could be used. This however, is not so simple because of the differences in capabilities of public and private key encryption, key management, authentication issues, and the susceptibility of various algorithms to attack, all of which condition how a particular algorithm an be used. The NSA/DARPA ISSR/JTO programs are investigating modular security systems based on cryptography.

Encryption Strength

Encryption algorithms are generally rated by how much effort (time, processing power) is required to crack them based under a number of assumptions. These include amount of encrypted text available, whether the basic algorithm is known to the attacker, and whether encrypted text can be matched with its corresponding plaintext. In most cases, it is assumed that the attacker has access to all of these.

In general, attacks can be made more time consuming by increasing key length. Generically, it is easy to increase key length as the attackers power grows (due to faster computers); however, if the encryption is done in hardware this is not feasible. Even if this is possible, increasing key length requires that all users obtain new keys. The difficulties of key management are discussed below.

Because given enough time a key will be discovered, the long term viability of an encryption requires that the key be changed periodically. The stronger the encryption, the less frequently keys must be changed to prevent attack.

In general, because of increasing computing power, it is safest to assume that a message is not breakable only during a particular "time window" based on current and projected computing technology. Keeping messages secure for some time period is often sufficient because many messages are only important/embarrassing for a certain length of time. If perpetual security is required, there are theoretically unbreakable encryptions based on "one time keys" that are very secure but have enormous key management problems associated with them.

Key Management

To communicate, both sender and receiver need to share encryption/decryption keys (these may or may not be the same; see public vs. private). The dissemination of keys is of critical importance, since it is both cumbersome and a major source of vulnerability. There must be a way for a sender to let a receiver know the decryption key and to change that key as often as is dictated by the strength of the encryption (see Strength). Key use must be synchronized so that both sender and receiver are using the same key for a communication. Messages intended for groups require the same key for all group members. Keys are also usually changed periodically in case the key was inadvertently divulged. This channel must be secure (private and verifiable), so that the key is not divulged in transit and so that it is possible to know that the key was obtained from the correct source to prevent "spoofing" (pretending to be someone else in order to steal a message by getting them to encrypt the message to you rather than the real recipient). Couriers or complex protocols are used to exchange keys for private keys; public keys eliminate most key management problems.

Public vs. Private Key

The major differentiator between encryption methods is that of public vs. private key. In a traditional private key system, the encryption and decryption keys are identical and must be kept secret. Each pair of communicating partners or groups must have a secret key.

In a public key scheme, each individual has a pair of keys; a non-secret one for encrypting and a secret one for decrypting. The encryption key is known to anyone who wants it and is generally available from a well-known location to prevent spoofing. Because the encryption key is non-secret, anyone can encrypt a message for a particular recipient, but only the intended recipient has the decryption key allowing the message to be read.

Each user, i, has both a public key, Ei, which is made publicly available, and a private key, Di, which only user i knows. The keys are mathematically related, and both are generated by the user. Thus, there is no need for anyone else to hold the private key, which enhances security.

Public and private keys are inverses and are symmetrical, in the sense that for a given message m, Ei(Di(m)) = Di(Ei(m)) = m. To preserve privacy, a user X will obtain the public key Ey for user Y and compute Ey(m)). Since only Y knows Dy, only Y can decrypt. A checksum or some other identifying pattern is embedded into m so that a valid decryption can be verified.

Digital signatures work similarly, except that when X wants to sign a message to Y, X uses his/her private key Dx and computes Dx(m). Upon receipt, Y computes Ex(Dx(m)) = m. Since only X had knowledge of Dx, only X could have signed the message. Privacy encryption can be combined with digital signatures by computing Ey(Dx(m)), which is decrypted as Ex(Dy(Ey(Dx(m)))) = m.

The public key register of the Ei need not be read secure, since the Ei are given away freely. The registry must be protected against corruption, since that would allow fraudulent keys to be given out. The channel to the registry must be secure to prevent "spoofing" attacks, but this can be done using public key encryption.

Algorithms

There are two main algorithms used by various encryption products:

permutation/substitution algorithms repeatedly permute groups of bits and then map bit patterns to other bit patterns. These form the basis for private key ciphers such as DES and Clipper.
number theoretic algorithms encrypt and decrypt by exponentiation modulo a large prime number. These are collectively known as RSA algorithms for their developers (Rivest, Shamir, Adelman). Security is based on the presumed difficulty of factoring large numbers.

Systems

Listed below are a sampling of some important systems. Currently, DES, RSA, and PGP dominate the non-military cryptography scene; Clipper has potential future significance, and is an interesting study in the politics of cryptography.

The Catholic University of Louvain maintains a long list of cryptography vendors and research groups.

Data Encryption Standard (DES)

The current FIPS standard is 56 bit key DES. DES is widely used in commercial and non-defense government communications. Despite initial questions about the security of DES w.r.t. "trap doors", none have been uncovered in nearly 20 years. Current DES is nearing the end of its life as a encryption scheme for moderate to high level security needs because of technological advances that make brute force attacks on keys feasible. Designs exist for a hypothetical machine that for $1M could find one key in a matter of minutes by exhaustive search. Future processor speeds will lower the cost of exhaustive search to the point where it is feasible for anyone. For on-line information about the algorithm, see DES Update and Cryptographer's Homepage.

Clipper

Escrowed Encryption Standard is a NIST Voluntary Standard for encryption of "voice, fax, and computer information over circuit-switched telephone systems." The goal of the initiative is to balance the needs of privacy with law enforcement and export with national security.

NSA provides the cryptographic algorithm (SKIPJACK) and the digital signature standard (DSS). The algorithms themselves are secret. Clipper is the name of the chip to actually do the encryption, and is the name by which the whole initiative is most commonly known. The algorithms will only be available in hardware; no software implementations allowed. Clipper provides a fairly high level of security (but not too high so that if exported it is breakable). Keys will be escrowed with either federal or commercial agencies; it is not clear yet which it will be. Escrowed keys would be available to law enforcement by court order. This has caused substantial controversy and is wildly unpopular on the WWW; ACM has urged its withdrawal. For more on key escrow, see CACM, 3/96.

The current standard is for telephony only and does not apply to email or directly to computer storage. The extension of the initiative to these areas is called CAPSTONE/TESTER/MOSAIC.

See: "Crypto Policy Perspectives", CACM, August, 1994; and Byte, 10/95, pg. 77.

RSA Data Security

Commercial encryption based on RSA. Besides the RSA homepage, see a short article Byte 10/95 p.77.

RSA Secure disk & file security provides automatic or manual encryption for files managed under MSWindows. Claimed to be the same RC4 that's used by security developers at Microsoft, Apple and Novell. The product provides "threshold access control" so that a given number of file owners are required in order to be able to decrypt a file (m of n). Price: $129/user.
Email security. Future product to provide secure email based on the MIME protocol. Claims to allow multiple implementations to exchange encrypted messages. Their website says Microsoft, Lotus, Banyan, Connectsoft, and many other vendors have endorsed S/MIME, RSA's new specification for secure interoperable e-mail.

PGP

PGP (Pretty Good Privacy) is a publicly available encryption scheme based on the RSA algorithm. It has been widely distributed over the Internet. The legal, commercial version is available from ViaCrypt ($98). ITAR is a big issue with PGP, which has been the subject of considerable controversy. PGP claims to be both faster and more secure than RSA, but since it uses RSA, it is not clear how either claim could be true. One possibility is in the key management used by PGP. PGP can be integrated with email via scripts (FAQ 2.7). For more detail and claims, see the PGP FAQ page.

This research is sponsored by the Defense Advanced Research Projects Agency and managed by the U.S. Army Research Laboratory under contract DAAL01-95-C-0112. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied of the Defense Advanced Research Projects Agency, U.S. Army Research Laboratory, or the United States Government.

© Copyright 1996 Object Services and Consulting, Inc. Permission is granted to copy this document provided this copyright statement is retained in all copies. Disclaimer: OBJS does not warrant the accuracy or completeness of the information on this page.

This page was written by David Wells. Send questions and comments about it to wells@objs.com.

Last updated: 7/2/97 sjf

Back to Internet Tool Survey -- Back to OBJS