Introduction to Cryptography
Preface
People mean different things when they talk about cryptography.
Children play with toy ciphers and secret languages. However, these
have nothing to do with real security and strong encryption. Strong
encryption is the kind of encryption that can be used to protect
information of real value against organized criminals, multinational
corporations, and major governments. Strong encryption used to be
only military business; however, in the information society it has
become one of the central tools for maintaining privacy and
confidentiality.
As we move into an information society, the technological means for
global surveillance of millions of individual people are becoming
available to major govenments. Cryptography has become one of the
main tools for privacy, trust, access control, electronic payments,
corporate security, and countless other fields.
Cryptography is no longer a military thing that should not be messed
with. It is time to demystify cryptography and make full use of the
advantages it provides for the modern society.
In the following, basic terminology and the main methods of cryptography are
presented. Any opinions and evaluations presented here are
speculative, and the author cannot be held responsible for their
correctness.
Basic Terminology
Suppose that someone wants to send a message to a receiver, and wants
to be sure that no-one else can read the message. However, there is
the possibility that someone else opens the letter or hears the
electronic communication.
In cryptographic terminology, the message is called plaintext
or cleartext. Encoding the contents of the message in such a
way that hides its contents from outsiders is called
encryption. The encrypted message is called the
ciphertext. The process of retrieving the plaintext from the
ciphertext is called decryption. Encryption and decryption
usually make use of a key, and the coding method is such that
decryption can be performed only by knowing the proper key.
Cryptography is the art or science of keeping messages secret.
Cryptanalysis is the art of breaking ciphers,
i.e. retrieving the plaintext without knowing the proper key. People
who do cryptography are cryptographers, and practitioners of
cryptanalysis are cryptanalysts.
Cryptography deals with all aspects of secure messaging,
authentication, digital signatures, electronic money, and other
applications. Cryptology is the branch of mathematics that
studies the mathematical foundations of cryptographic methods.
Basic Cryptographic Algorithms
A method of encryption and decryption is called a cipher. Some
cryptographic methods rely on the secrecy of the algorithms; such
algorithms are only of historical interest and are not adequate for
real-world needs. All modern algorithms use a key to control
encryption and decryption; a message can be decrypted only if the key
matches the encryption key. The key used for decryption can be
different from the encryption key, but for most algorithms they are
the same.
There are two classes of key-based algorithms, symmetric (or
secret-key) and asymmetric (or public-key)
algorithms. The difference is that symmetric algorithms use the same
key for encryption and decryption (or the decryption key is easily
derived from the encryption key), whereas asymmetric algorithms use a
different key for encryption and decryption, and the decryption key
cannot be derived from the encryption key.
Symmetric algorithms can be divided into stream
ciphers and block ciphers. Stream ciphers can encrypt a
single bit of plaintext at a time, whereas block ciphers take a number
of bits (typically 64 bits in modern ciphers), and encrypt them as a
single unit. Many symmetric ciphers are described on the algorithms page.
Asymmetric ciphers (also called public-key algorithms or
generally public-key cryptography) permit the encryption
key to be public (it can even be published in a newspaper),
allowing anyone to encrypt with the key, whereas only the proper
recipient (who knows the decryption key) can decrypt the
message. The encryption key is also called the public key and
the decryption key the private key or secret key.
Modern cryptographic algorithms cannot really be executed by humans.
Strong cryptographic algorithms are designed to be executed by
computers or specialized hardware devices. In most applications,
cryptography is done in computer software.
Generally, symmetric algorithms are much faster to execute on a
computer than asymmetric ones. In practice they are often used
together, so that a public-key algorithm is used to encrypt a randomly
generated encryption key, and the random key is used to
encrypt the actual message using a symmetric algorithm.
Many good cryptographic algorithms are widely and publicly available
in any major bookstore, scientific library, or patent office, on the Internet.
Well-known symmetric functions include DES and IDEA. RSA is probably the best known
asymmetric algorithm. The books page lists
several good textbooks on cryptography and related topics.
Digital Signatures
Some public-key algorithms can be used to generate digital
signatures. A digital signature is a block of data that was
created using some secret key, and there is a public key that can be
used to verify that the signature was really generated using the
corresponding private key. The algorithm used to generate the
signature must be such that without knowing the secret key it is not
possible to create a signature that would verify as valid.
Digital signatures are used to verify that a message really comes from
the claimed sender (assuming only the sender knows the secret key
corresponding to his/her public key). They can also be used to
timestamp documents: a trusted party signs the document
and its timestamp with his/her secret key, thus testifying that the
document existed at the stated time.
Digital signatures can also be used to testify (or certify)
that a public key belongs to a particular person. This is done by
signing the combination of the key and the information about its owner
by a trusted key. The reason for trusting that key may again be that
it was signed by another trusted key. Eventually some key must be a
root of the trust hierarchy (that is, it is not trusted because
it was signed by somebody, but because you believe a priori that the
key can be trusted). In a centralized key infrastructure there
are very few roots in the trust network (e.g., trusted government
agencies; such roots are also called certification
authorities). In a distributed infrastructure there need
not be any universally accepted roots, and each party may have
different trusted roots (such of the party's own key and any keys
signed by it). This is the web of trust concept used e.g. in PGP.
A digital signature of an arbitrary document is typically created by
computing a message digest from the document, and concatenating
it with information about the signer, a timestamp, etc. The resulting
string is then encrypted using the private key of the signer using a
suitable algorithm. The resulting encrypted block of bits is the
signature. It is often distributed together with information about
the public key that was used to sign it. To verify a signature, the
recipient first determines whether it trusts that the key belongs to
the person it is supposed to belong to (using the web of trust or a
priori knowledge), and then decrypts the signature using the public
key of the person. If the signature decrypts properly and the
information matches that of the message (proper message digest etc.),
the signature is accepted as valid.
Several methods for making and verifying digital signatures are freely
available. The most widely known algorithm is RSA.
Cryptographic Hash Functions
Cryptographic hash functions are typically used to compute the
message digest when making a digital signature. A hash function
compresses the bits of a message to a fixed-size hash value in
a way that distributes the possible messages evenly among the possible
hash values. A cryptographic hash function does this in a way that
makes it extremely difficult to come up with a message that would hash
to a particular hash value.
Cryptographic hash functions typically produce hash values of 128 or
more bits. This number is vastly larger than the number of different
messages likely to ever be exchanged in the world.
Many good cryptographic hash functions are freely available.
Well-known ones include MD5 and SHA.
Cryptographic Random Number Generators
Cryptographic random number generators generate random numbers
for use in cryptographic applications, such as for keys. Conventional
random number generators available in most programming languages or
programming environments are not suitable for use in cryptographic
applications (they are designed for statistical randomness, not to
resist prediction by cryptanalysts).
In the optimal case, random numbers are based on true physical sources
of randomness that cannot be predicted. Such sources may include the
noise from a semiconductor device, the least significant bits of an
audio input, or the intervals between device interrupts or user
keystrokes. The noise obtained from a physical source is then
"distilled" by a cryptographic hash function to make every bit depend
on every other bit. Quite often a large pool (several thousand bits)
is used to contain randomness, and every bit of the pool is made to
depend on every bit of input noise and every other bit of the pool in
a cryptographically strong way.
When true physical randomness is not available, pseudorandom numbers
must be used. This situation is undesirable, but often arises on
general purpose computers. It is always desirable to obtain some
environmental noise - even from device latencies, resource utilization
statistics, network statistics, keyboard interrupts, or whatever. The
point is that the data must be unpredictable for any external
observer; to achieve this, the random pool must contain at least 128
bits of true entropy.
Cryptographic pseudorandom generators typically have a large pool
("seed value") containing randomness. Bits are returned from this
pool by taking data from the pool, optionally running the data through
a cryptographic hash function to avoid revealing the contents of the
pool. When more bits are needed, the pool is stirred by encrypting
its contents by a suitable cipher with a random key (that may be taken
from an unreturned part of the pool) in a mode which makes every bit
of the pool depend on every other bit of the pool. New environmental
noise should be mixed into the pool before stirring to make
predicting previous or future values even more impossible.
Even though cryptographically strong random number generators are not
very difficult to built if designed properly, they are often
overlooked. The importance of the random number generator must thus
be emphasized - if done badly, it will easily become the weakest point
of the system.
Several examples of cryptographic
random number generators are publicly available.
Strength of Cryptographic Algorithms
Good cryptographic systems should always be designed so that they are
as difficult to break as possible. It is possible to build systems
that cannot be broken in practice (though this cannot usually be
proved). This does not significantly increase system implementation
effort; however, some care and expertise is required. There is no
excuse for a system designer to leave the system breakable. Any mechanisms
that can be used to circumvent security must be made explicit,
documented, and brought into the attention of the end users.
In theory, any cryptographic method with a key can be broken by trying
all possible keys in sequence. If using brute force
to try all keys is the only option, the required computing power
increases exponentially with the length of the key. A 32 bit
key takes 2^32 (about 10^9) steps. This is something any amateur
can do on his/her home computer. A system with 40 bit keys
(e.g. US-exportable version of RC4) takes 2^40 steps - this kind of
computing power is available in most universities and even smallish
companies. A system with 56 bit keys (such as DES) takes a
substantial effort, but is quite easily breakable with special
hardware. The cost of the special hardware is substantial but easily
within reach of organized criminals, major companies, and governments.
Keys with 64 bits are probably breakable now by major governments, and
will be within reach of organized criminals, major companies, and
lesser governments in a few years. Keys with 80 bits may become
breakable in future. Keys with 128 bits will probably remain
unbreakable by brute force for the foreseeable future. Even larger
keys are of course possible.
However, key length is not the only relevant issue. Many ciphers can
be broken without trying all possible keys. In general, it is very
difficult to design ciphers that could not be broken more
effectively using other methods. Designing your own ciphers may be
fun, but it is not recommended in real applications unless you are a
true expert and know exactly what you are doing.
One should generally be very wary of unpublished or secret algorithms.
Quite often the designer is then not sure of the security of the
algorithm, or its security depends on the secrecy of the algorithm.
Generally, no algorithm that depends on the secrecy of the algorithm
is secure. Particularly in software, anyone can hire someone to
disassemble and reverse-engineer the algorithm. Experience has shown
that a vast majority of secret algorithms that have become public knowledge
later have been pitifully weak in reality.
The key lengths used in public-key cryptography are usually much
longer than those used in symmetric ciphers. There the problem is not
that of guessing the right key, but deriving the matching secret key
from the public key. In the case of RSA, this is equivalent to factoring a
large integer that has two large prime factors. In the case of some
other cryptosystems it is equivalent to computing the discrete
logarithm modulo a large integer (which is believed to be roughly
comparable to factoring). Other cryptosystems are based on yet other
problems.
To give some idea of the complexity, for the RSA cryptosystem, a 256
bit modulus is easily factored by ordinary people. 384 bit keys can
be broken by university research groups or companies. 512 bits is
within reach of major governments. Keys with 768 bits are probably
not secure in the long term. Keys with 1024 bits and more should be
safe for now unless major algorithmic advances are made in factoring;
keys of 2048 bits are considered by many to be secure for decades.
It should be emphasized that the strength of a cryptographic system
is usually equal to its weakest point. No aspect of the system
design should be overlooked, from the choice algorithms to the key
distribution and usage policies.
Cryptanalysis and Attacks on Cryptosystems
Cryptanalysis is the art of deciphering encrypted communications
without knowing the proper keys. There are many cryptanalytic
techniques. Some of the more important ones for a system implementor
are described below.
- Ciphertext-only attack: This is the situation where
the attacker does not know anything about the contents of the message,
and must work from ciphertext only. In practice it is quite often
possible to make guesses about the plaintext, as many types of
messages have fixed format headers. Even ordinary letters and
documents begin in a very predictable way. It may also be possible to
guess that some ciphertext block contains a common word.
- Known-plaintext attack: The attacker knows or can guess
the plaintext for some parts of the ciphertext. The task is to
decrypt the rest of the ciphertext blocks using this information.
This may be done by determining the key used to encrypt the data, or
via some shortcut.
- Chosen-plaintext attack:
The attacker is able to have any text he likes encrypted with the
unknown key. The task is to determine the key used for encryption.
Some encryption methods, particularly RSA, are extremely vulnerable to
chosen-plaintext attacks. When such algorithms are used, extreme care
must be taken to design the entire system so that an attacker can
never have chosen plaintext encrypted.
- Man-in-the-middle attack: This attack is relevant for
cryptographic communication and key exchange protocols. The idea is
that when two parties are exchanging keys for secure communications
(e.g., using Diffie-Hellman), an
adversary puts himhelf between the parties on the communication line.
The adversary then performs a separate key exchange with each party.
The parties will end up using a different key, each of which is known
to the adversary. The adversary will then decrypt any communications
with the proper key, and encrypt them with the other key for sending
to the other party. The parties will think that they are
communicating securely, but in fact the adversary is hearing
everything.
One way to prevent man-in-the-middle attacks is that both sides
compute a cryptographic hash function of the key exchange (or at least
the encryption keys), sign it using a digital signature algorithm, and
send the signature to the other side. The recipient then verifies
that the signature came from the desired other party, and that the
hash in the signature matches that computed locally. This method is
used e.g. in Photuris.
- Timing Attack: This very
recent attack is based on repeatedly measuring the exact execution
times of modular exponentiation operations. It is relevant to at
least RSA, Diffie-Hellman, and Elliptic Curve methods. More
information is available in the original paper.
There are many other cryptographic attacks and cryptanalysis
techniques. However, these are probably the most important ones for a
practical system designer. Anyone contemplating to design a new
encryption algorithm should have a much deeper understanding of these
issues. One place to start looking for information is the excellent
book Applied
Cryptography by Bruce Schneier.
