CRYPTOGRAPHY & INFORMATION SECURITY
During these days he had noticed a tapping code scratched into the wall of his cell, and
had begun, eagerly, to send messages to whoever might be on the other side of the wall.
After an hour or so of tapping, however, the door to his cell burst open, and an amused
guard sauntered in to tell him, in filthy, broken English, that his neighbour wanted him
to ‘shot the fock op,’ because, alas, ‘nobody give to him the focking code.’
In information security, cryptography – the art of secret writing – plays a vital part. It is
nearly as old as the art of writing itself. “The multiple human needs and desires that demand
privacy among two or more people in the midst of social life must inevitably lead to
cryptology wherever men thrive and wherever they write.”1 As a tool for keeping
communications secret, it has been widely used in intelligence, diplomacy, and wars.
Revolutionary advances in cryptography have boosted its use in recent decades, opening up
an amazing array of applications. It can be used to authenticate computer users, ensure the
integrity and confidentiality of electronic communications, and keep sensitive information
safely stored. From a secretive military technology, cryptography has emerged a key
technology for all participants in the information society concerned about information
security.
Also relevant for the rest of this book are some further distinctions
and the technology of steganography . Finally, some special protocols extend
the potential of cryptography . In the second part of this chapter, I outline the many
applications of encryption, as used by providers , governments and other users
I conclude with an indication of the extent cryptography is being used today
and a general assessment of the importance of cryptography in the information society .
HISTORY
Cryptography is of all times and of all cultures. In its long history, the two basic forms that
have prevailed are codes and ciphers. Codes are lists of words, names, etc. coupled with an
encrypted form, e.g., letters or numbers – comparable to a dictionary. Ciphers are methods
to change each letter (or group of letters) into other letters, numbers, or symbols. Generally,
codes work on words, whereas ciphers work on letters. For a long period, a combination of
codes and ciphers in the form of nomenclators (a sort of secret dictionaries) was used.
Nowadays, only ciphers avail.
Two of the cryptographic systems used in Antiquity illustrate the basic methods of ciphers
that are still being used today: transposition and substitution. The Spartans used a staff of
wood around which a strip of papyrus or parchment was wrapped. The message was written
vertically on the staff, so that after the strip of papyrus was unwrapped, all the letters of the
message were mixed up. The message could be decrypted by winding the strip around a staff
of the same thickness. This process of mixing letters together is called transposition.
Another basic method is substituting letters by other letters or symbols. Julius Caesar
invented a system in which each letter was substituted by the letter three places further down
the alphabet (jumping from z again to a). Decrypting was done by substituting each letter by
its third predecessor. The system of replacing each letter by a letter a fixed number of places
down the alphabet is called a Caesar cipher. Another kind of substitution cipher is the
Hebrew system of Atbash.
Intermezzo – dramatis personae
Alice and Bob have been corresponding secretly for many years, since the advent of modern
cryptography. They are now the main characters in the ongoing story of cryptography
literature. Their communications security is threatened by Eve, an eavesdropper who listens
in on them, and Mallet, a malicious interceptor who can alter and fabricate messages.
Criminal Carol is also an avid user of cryptography. Occasionally, Alice and Bob attract the
attention of Leah, a law-enforcement agent, who together with policewoman Polly is
monitoring Carol. Alice and Bob sometimes use the trustworthy services of Trent, a Trusted
Third Party, or of Dorothy, a Key Escrow Agent who holds private keys in deposit.
Symmetric and public-key cryptography
In the early 1970s, in response to a request for ciphers by the US National Bureau of
Standards, IBM submitted a recently developed crypto system called Lucifer. A weaker
version2 was developed into a new system, the Data Encryption Standard (DES), that has
remained a standard to the present day. It is a conventional crypto system, using many
alternating rounds of substitutions and transpositions, with a 56-bit key. It is a symmetric
system, in that both encryption and decryption use the same key.
Today, many other strong symmetric systems exist, such as IDEA (developed in the
1990s and considered a strong symmetric cipher), RC4 and RC5, Blowfish, and Khufu. There
is one symmetric crypto system that is provably and unconditionally secure. This is the One-
Time Pad (OTP).5 Although it is the only provably uncrackable crypto system,6 it is not in
wide use. Not only is it difficult to generate a truly random string of bits, but, more
importantly, the key can be used only once (there is an easy method of attack if it is used
twice), which makes it impracticable. Moreover, the key must be as long as the message and
must be exchanged securely between sender and receiver; this pays off only for small and
highly confidential messages (and for storage of information). Its main application has been
(or is?) in the red line between Moscow and Washington.
The working of public-key cryptography
Public-key cryptography is based on one-way trapdoor functions. A one-way function is a
mathematical operation that is easy to do in one way, but difficult or impossible to reverse.
An everyday example is the throwing of an antique vase into thousands of pieces: easy
enough to do, but almost impossible to reverse. A trapdoor one-way function means that
there is a trick (i.e., secret information) with which it is easy to reverse the otherwise oneway
operation. In public-key cryptography, you use the trapdoor one-way function to encrypt
a message, and use the trapdoor to decrypt it. The pair of public and private keys consists of
two numbers computed by using the trapdoor.
An analogy may clarify this. Bob has settled on translation into Kwakiutl as his crypto
system. His public key is the English-Kwakiutl dictionary, which he publishes widely (say
on the Internet). As private key, he uses the Kwakiutl-English dictionary, which he keeps
secret. To send a message to Bob, Alice uses the English-Kwakiutl dictionary to translate her
message into Kwakiutl.
8 A ‘hard’ problem is a problem that can not be solved in polynomial time. This means that as
the numbers involved get larger, it quickly becomes too time-assuming to solve the problem.
For sufficiently large numbers, the problem is too complicated to be solved – even with
supercomputers. For example, presently, 200-digit numbers are beyond factoring.
9 There is another class of public-key crypto systems (such as Diffie-Hellman and ElGamal),
which are based on another mathematical problem: discrete logarithms. For convenience’s
sake, I restrict the description here to public-key systems based on the factoring problem, such
as RSA. 10 Elliptic-curve crypto systems, which have been developed in recent years, speed up
public-key cryptography significantly. However, certain elliptic curves can be cracked relatively
easily, and it is not yet certain whether implementations can ensure that users avoid choosing
these weak curves.
Authenticity, integrity, and non-repudiation
Authenticity and integrity (without confidentiality) can also be safeguarded by hash functions
and message authentication codes. A one-way hash function is a one-way function, without
a trapdoor: it can only be used to transform a message into a digest, which cannot be
reversed. The digest, or hash, is usually a short, fixed-length block (typically 128 to 160 bits)
(for an analogy, one can think of a mincing machine outputting a very concentrated piece of
minced meat). To show that a message has not been tampered with, Alice can use a message
CRYPTOGRAPHY,Symmetric crypto systems and MACs can provide for integrity and authenticity
between communicating parties. However, they cannot prove this to others: there is no way
Bob can prove a message came from Alice, as he could have encrypted it with their common
key himself.
Besides safeguarding confidentiality, integrity, and authenticity, public-key cryptography
can also be used for a fourth objective, non-repudiation. Assuming her private key has not
been compromised, Alice can not repudiate messages signed with her key (in a commonsense
understanding, that is – legally, she can always repudiate anything, and with a good
lawyer, she might convince a court that someone else used her key). She can only repudiate
signatures if she has notified a key compromise within a reasonable period after noticing the
compromise. Messages will have to have been time-stamped in order to see which messages
Alice can not repudiate. Non-repudiation of the receiver can in general not be effected,
except by more complex protocols and procedural agreements.
Cryptanalysis and the strength of crypto systems
The art of breaking encoded messages and crypto systems is called cryptanalysis. It is the
counterpart of cryptography, the art of making crypto systems. Cryptanalysis can attack any
part of the process of encryption, for example, the algorithm used, its implementation, the key
management, carelessness of the user, or the waste-paper basket.
A cryptanalyst’s attack depends on the information at his disposal. The most basic is a
ciphertext-only attack, where the cryptanalyst has only got a ciphertext to decipher. A
knownplaintext attack is easier, as the cryptanalyst has got a ciphertext and a corresponding
plaintext, for example, because he has found it somewhere or because he can guess the
contents of a standard message. Still more powerful is a chosen-plaintext attack: the
cryptanalyst can choose plaintexts and have them encrypted (for instance, by testing how a
stolen smart card encrypts plaintexts). If the crypto system can resist a chosen-plaintext
attack, it is strong indeed. In developing new systems, devisers often assume a cryptanalyst
to be able to commit a chosen-plaintext attack; the system should be devised in such a way
that it resists this.
Still, it is difficult to assess the strength of a crypto system. Crypto systems are always
under attack, from all angles. Although one can argue that a certain algorithm is theoretically
sound, and one can study an implementation to see if it contains any trapdoors, still one does
not know whether the system does not yield to an attack unthought of. New attacks appear
every so often. For instance, in November 1995, Paul Kocher announced a timing attack that
cryptanalyzes by means of closely timing the processor’s cryptographic operations [Kocher].
Against a computer, this is essentially an academic attack (someone who is powerful enough
to measure to the microsecond what your computer is doing is likely also able to look over
your shoulder at the screen), but it may work against smart cards. Another attack, developed
in 1997 by Biham and Shamir (extending an attack developed in 1996 by Bellcore
researchers), uses a micro-wave oven to trigger minor errors in the processor of a smart card;
the results can be exploited for cryptanalysis through ‘differential fault analysis’. [Biham]
Even the mathematical security of an algorithm can not be proven. Public key crypto
systems rely on problems that are thought to be ‘hard’, such as taking discrete logarithms
(Diffie-Hellman) or factoring large numbers (RSA). However, there is no proof that these
problems are indeed hard – there could be a solution as yet unthought of to factor large
numbers in reasonable time.
There is an argument in favor, though, of assessing the problem as ‘hard’: the problem
of factoring has been studied by many specialists for decades, precisely because it has such
great implications in the field of cryptography. It had already been studied for a long time
before, and the fact that it has large implications in cryptography has only added to its appeal
as a research object. This makes it unlikely that someone comes up with a new and easy
method of factoring large numbers. The more people are attacking the problem and the longer
they take, the more likely it is that the problem is indeed ‘hard’, even though it has not been
mathematically proved.
Distributed attacks
Several efforts have shown the vulnerability of crypto systems to major, concerted attacks.
Over the past two years, several cracking contests have tested the strength of symmetric crypto
systems with varying key lengths. All contests except the last one were won by the combined
computing power of many computers testing keys in their spare time (e.g., at night, or in the
form of a screen saver), facilitated by lively discussions and software exchange over the
Internet. The results show the power of networking, with more and more people
participating in combined attacks.
Key length
A good working assumption in cryptology is that the strength of a crypto system relies
entirely on the keys.15 That is, the system should be so strong that the only way to crack it is
to try every possible key: a brute-force attack. Therefore, keys should be of sufficient length
to resist a brute-force attack. Trying every possible key to see which one fits can be done in
parallel, on many computers at the same time. Also, one can build special hardware for
cracking algorithms; although this hardware can be used for cracking only one system, it is
much quicker than general-purpose software. Brute-force attack is a trade-off between cost
and time: the more money you spend on computing power, the quicker you will find the key.
The number of keys to be tried rises exponentially with their length. Every bit added to
a key doubles the number of possible keys. If you are not sure how much computation
capacity the attacker has got, it is wise to add a few key bits to be on the safe side – it does
not cost much to use a somewhat longer key, but it makes the cryptanalyst’s work of
bruteforcing the key space a lot harder. A rule of thumb known as Moore’s law says that the
computing capacity of computers doubles about every eighteen months. To keep abreast of
advances in computer technology, it therefore suffices to raise the key length by one bit every
year and a half, or to add six bits every ten years.
Key management
As the security of encryption lies mainly in its keys, not only do they have to be of sufficient
length, but they also have to be kept well. Symmetric keys and private keys have to remain
secret, whereas public keys require a proof of integrit or Certification Agencies maintain lists of
compromised keys. To solve liability questions that may arise in case of a key compromise, a
key certificate can be issued with a limited time-span, and agreements can be made on the time
limit to notify the key center of a key compromise. Because the idea of using digital signatures
is useless if people can sign a message and subsequently deny having signed it (“Oh, sorry, I lost
my key before this message was signed.”), it is advisable to have a TTP time-stamp transactions.
If the key center has not been notified of a key compromise before the time-stamp, the
signature can be considered valid and the holder of the corresponding private key is
accountable for the signature. In public-key crypto systems, one must rely on the correctness of
the public key.
Protocols
Apart from cryptographic algorithms, a large number of cryptographic protocols are being
developed. These are a series of steps, involving two or more parties, designed to accomplish
a task using cryptography [Schneier, 21]. They can be used for a wider variety of objectives than
simple crypto systems. Indeed, it is amazing what can be accomplished through
cryptographic protocols: mutually distrustful parties can do a great variety of things over a
network without being able to cheat. For instance, they can fairly toss a coin or play poker
over the telephone, or sign a contract simultaneously over a network.
Suppose you are a carpet dealer in Baghdad. One day, Ali Baba comes and steals a carpet.
You run after him, but he flees into a tunnel in the rock. At a junction, you are at a loss; as
you cannot wait all day, you choose left. Wrong: at the end there is a blank wall, but no
carpet robber. Bad luck. The next day, the same happens, and this time, you go right at the
junction – wrong again. The stars must be against you. By the tenth carpet you lose this way,
though, you will doubt whether it is only bad luck – the chance of your choosing wrong ten
consecutive times is less than one in a thousand. There must be a catch: Ali Baba knows a
secret passageway connecting the two tunnel ends, so that he can escape no matter which way
you go. You do not know where this secret passage is, but you are convinced it must be there.
Ali Baba has used a zero-knowledge protocol to convince you that he knows a secret, without
giving it away.
Zero-knowledge protocols have interesting applications, for instance in authentication
procedures: you can authenticate yourself by showing you know a secret (for instance, a PIN
code), without giving any information about the secret itself.
Other cryptographic protocols that have a great potential are secret-sharing protocols.
With these, you can divide a secret among a number of people, so that they can reproduce the
secret only when a certain number of them are together; still, each single holder does not
have any clue to the secret. The protocol can be sophisticated into any detail desired: you can
give certain (groups of) people priorities or veto rights. Secret sharing can be used for taking
major decisions, such as launching a missile attack, or for sharing a vital company secret
among the board.
Applications
Cryptography is used to safeguard information-security objectives: integrity, authenticity,
confidentiality, and (within limits) non-repudiation. In the information society, many
applications call for these objectives. Often, cryptography is virtually the only way to
effectively safeguard information. This section will show to what uses cryptography can be
put by the various participants in the information society.
Providers
Network providers can incorporate cryptography in their networks, to make sure all
information transfers are secured from altering and eavesdropping. Link-by-link encryption
will ensure that in between nodes all information is enciphered. The new version of the
Internet Protocol
Financial applications
First, financial transactions have to be secure. Home banking is an increasingly popular
activity, which relies on the integrity, authenticity, and confidentiality of transmitted requests
and orders. For online payment, transmitting credit-card numbers over networks is, to say the
least, risky. Losses through the interception of credit-card numbers have occurred repeatedly.
Information that is directly valuable should be encrypted before being sent online, if not
before being typed at all – packet sniffers can intrude in terminals and record information to
be downloaded later by the initiator of the sniffer (which can even bypass firewalls). It is
wiser to use a zero-knowledge protocol to give the credit-card number,36 for instance, by
challenged signed response: the server gives the client a random number, which he types into
a personal calculator containing a chip with the credit-card number. Inside, the chip computes
a hash from the random number and the credit-card number, which the client send to the
server.
Privacy and sensitive data
Cryptography will also ensure that on multi-functional smart cards, people can only read the
sections they are allowed to access – an important feature to prevent the making of privacy
threatening personal profiles. More in general, cryptography serves to protect personal data
files, as required by data-protection laws.39 Moreover, for many purposes, Privacy Enhancing
Technologies (PET) can be used to protect personal information from unnecessary disclosure:
pseudonymous data often suffice for the purposes of collecting personal data. A Norwegian
report thus recommends ‘pseudonimizing’ health registries, so that data can be gathered for
research purposes without threatening personal privacy [NOU]. A joint report of the Dutch and
Ontarian data protection registrars strongly recommends the use of PET in a variety of
applications.
Cryptography in practice
Cryptography is widely available. A worldwide survey of cryptographic products by Trusted
Information Systems found 1619 products as of December 1997 (rising from 1393 in
December 1996). Of these, 656 non-US products were identified from 29 countries (43 per
cent using DES), mostly in Europe, but also in Argentina, India, Iran, Mexico, and Russia.
These products were produced and distributed by 949 companies (475 US, 474 non-US) in
at least 68 countries.
Although the potential applications for cryptography are abundant, its present use is
confined to a few major areas. It protects the integrity of valuable information, it
authenticates people who engage in transactions, and it shields confidential information from
unauthorized access. It is mainly used in financial areas (bank transactions, home banking,
smart cards, e-cash), in privacy protection (personal registries, smart cards, government
registries, sensitive information storage), and communications security (e-mail, facsimile, the
air interface of GSM).