#######################################
#                                     #
#     > Written by Dr. Hugo P. Tolmes <
#                                     #
#######################################

Issue Number: 05
Release Date: November 19, 1987

This issue is made up of only one article (a very good one.) The article comes from the August/September issue of Technology Review. It is a very good article and deals with many aspects of computer security. This includes: encryption, early cryptography, modern cryptography, the development of security systems, and other information dealing with military/government security. This is not the entire article. Some uninteresting parts have been intentionally left out. I hope that the article will be helpful.

><><> Dr. Hugo P. Tolmes <><><

Electronic cryptography can protect any digital message - any message communicated in a stream of binary digits, or "bits." A "key" - a series of bits - is fed to the encryption device to scramble the message. Only the holder of the right digital key can translate the message back into unencrypted "cleartext." Destined to help shape our future, encryption technology has not itself been finally shaped. Competing lines of development exist, and they have very different social implications. Conventional encryption - the kind championed by the National Security Agency (NSA) - works much like a combination mailbox. Anyone who has the combination (the digital key) can lock and unlock the box (send messages and decode other messages sent with the same key). Since senders and receivers must exchange secret keys, conventional "ciphers," or cryptosystems, are best suited to a limited set of users. Systems of this type are common in military, diplomatic, and financial communications; they are widely known and in many ways define the public perception of encryption.
Unfortunately, they couldn't serve as the basis for security in an extensive electronic communications system open to use by many individuals. "Public-key" encryption systems, though less commonly understood, could serve this way. According to former NSA director Bobby Inman, the agency discovered and classified public-key encryption in the early 1970s. In 1976 cryptologist Whitfield Diffie and Stanford professor Martin Hellman rediscovered public-key encryption and published a paper describing the idea. Today, public key remains an idea in development, though RSA Data Security in Redwood City, Calif., is already marketing one system. Public-key systems work like mailboxes with two different combinations, one for locking and one for unlocking. The locking combination (the "public" key used to encrypt messages) can be given out freely, so that anyone can, in effect, put a letter in your mailbox; you keep the unlocking combination (the decryption key) secret, so only you can remove letters. Since senders and receivers never need to exchange secret keys, individuals could ask friends, businesses, or even strangers to encrypt messages to them. The implications of the concept become clear only when we think of a system in widespread and routine use, with public keys in directories like phone books. Both individuals and institutions could use the keys to secure phone calls, electronic mail, and other telecommunications. The possibilities are enormous, and the main point is clear: this approach doesn't require citizens to trust institutions any more than institutions are required to trust citizens. One recently proposed adaptation of public-key cryptography offers even more benefits. Civil libertarians are concerned about the increasing ease with which large organizations, whether governmental or private, can amass extensive electronic dossiers on individuals - records of who they telephone, where they've worked, how much money they spend, whether they've been arrested (even if later acquitted).
In this adaptation, public-key systems would employ "digital pseudonyms" to short-circuit the collection of dossiers while still making it possible to conduct the bread-and-butter transactions of an information economy - electronic purchases, credit verification, and so on.

Secret Cryptography

In conventional ciphers, the "algorithm," or mathematical method by which signals are scrambled, is itself often classified. Proponents say this helps strengthen the cipher, but the matter is unclear. In any case, public-key systems can be designed so that disclosure of their algorithms poses no security threat. Knowing the internal workings of the cipher doesn't help to break it; individual messages still can't be deciphered without the secret decryption key. Those who favor public key often assert that this kind of open approach is characteristic of modern cryptography. How is such elegance achieved? By basing ciphers on mathematical problems that are, in the understated lexicon of theoretical mathematics, "hard." Deciphering a message without the key would require solving one of these problems. There are many, and some have resisted solution for thousands of years. If mathematicians make sudden progress on one of them tomorrow, it will be news. Anyone using a cipher based on the problem would immediately know. Advocates of public-key cryptography fear that it is being squelched by NSA, the most powerful exponent of conventional ciphers. Though its budget is estimated to be five times greater than the CIA's, NSA is so secret that for many years the government denied that it even existed. Today, it's known that NSA has two primary functions. The first one - "signals intelligence" - consists primarily of intercepting messages deemed critical to national security. The agency routinely monitors phone calls to and from the United States, and a Senate intelligence committee report stated that between 1967 and 1973, NSA illegally spied on 1,200 Americans.
NSA's second role is "communications security" - protecting the United States from foreign spying. In this capacity the agency has set out to market a new family of encryption systems. These ciphers are to be sold as pre-sealed and tamper-resistant integrated circuits: the encryption algorithm hidden within the chips will be classified. It will remain unknown even to the engineers who will incorporate the chips into security devices for computers or telephones. Critics fear that such secrecy offers NSA the chance to build a "trap door" through which it could decipher messages the senders think are secure. "With a hardware black box you can describe several schemes that would be almost impossible to test for from the outside and could, in effect, constitute a hardware Trojan Horse [i.e., trap door]," says Herb Bright, an officer of the private data-security firm Computation Planning Associates. Bright is a member of the American National Standards Association/American Bankers Association committee that is evaluating NSA's new ciphers. NSA proposes a strange way for users of the new ciphers to obtain keys for encoding and decoding. The agency hopes to provide these keys itself. It will assign keys to all government agencies using the systems, while civilian users will have the choice of obtaining keys from NSA or generating their own. However, the second course will be discouraged. Last year Walter Deeley, then NSA deputy director for communications security, told Science magazine, "It's not a trivial thing to produce a good key." He went on to insist that NSA wouldn't keep copies of the keys it assigned. Several factors will help NSA promote the ciphers. Starting in 1988, they will be mandated as the official U.S. civilian encryption standard. The current civilian standard, authorized by the National Bureau of Standards (NBS) and known as DES (for Data Encryption Standard), has come into widespread use among banks, financial services, and government agencies.
Although such an encryption standard is officially only advisory, practical considerations dictate its use. For example, if the Federal Reserve switches to a certain system, banks that deal with the Fed will have severe logistical problems if they don't follow suit. And the use of a standard is becoming a recognized measure of legal due care. Suppose a bank uses a non-standard system - one sold commercially but not certified by the government - and a thief alters electronic funds transfers. The bank is far more legally vulnerable than if it had stuck to the standard. In 1984 the administration put out National Security Decision Directive 145 (NSDD-145), which will help enforce NSA's standard. NSDD-145 gives a committee controlled by NSA authority to set policies concerning a wide range of communications-security issues. The directive specifically designates this committee to oversee "sensitive, but unclassified, government or government-derived information, the loss of which could adversely affect the national security." The American Civil Liberties Union (ACLU) considers the very category of "unclassified" national security information dangerous - "a deliberate, calculated effort to expand the realm of what can be considered to be 'national-security' information." Jerry Berman, head of the ACLU's Privacy and Technology Project, fears that no one really knows what's to be included in this vague realm. Large inter-bank funds transfers probably qualify, as do high-level communications of major federal contractors. But where does the government draw the line? Warren Reed, director of information management and technology at the General Accounting Office, observes that rulings like NSDD-145 could bring flight-safety information, financial and industrial forecasts, and even medical records under NSA control. According to Electronics magazine, the NSA director is now, for all practical purposes, "setting standards for the entire U.S. data-processing industry."
And the Institute of Electrical and Electronic Engineers has gone on record warning against the "dangers we see in implementing the directive's rules for unclassified, sensitive, non-governmental information and private-sector telecommunications." Whitfield Diffie, now at Bell Northern Research in Mountain View, Calif., has said, "I will not be pleased if NSA succeeds in capturing the market for domestic communications-security equipment." Like many other cryptographers, Diffie sees a "great need" for systems designed to protect individual privacy.

A Peculiar History

NSA's history with civilian encryption technology reinforces critics' concerns about the new ciphers. Problems began during the early 1970s, when the agency was involved in codifying DES. In 1973 the NBS called for a national civilian encryption system. IBM was in the final stages of developing its Lucifer system, and Lucifer won hands down. It was by all reports very good - so good that it upset NSA, which had considered itself comfortably ahead of the rest of the world in the still-arcane art of cryptography. Although at the time NSA had no formal role in setting the encryption standard, it was the preeminent government agency concerned with encryption, and NBS felt bound to honor its advice. Rather than approving Lucifer as it was, NSA modified it in several strange ways to create DES. While Lucifer's key size was 128 bits, DES has a key of only 56 bits, so that it is far more vulnerable to "brute-force" attack. Such an attack is mounted by trying all possible keys - in this case all 56-digit binary numbers - to see which one works. There are 2^56 - about 7 x 10^16 - possibilities. Large as this number may seem, it is tens of millions of times smaller than the number of possible keys in ciphers approved for military use. The original 128-bit key would be much more secure, for it presents 2^128 possibilities - about 3 x 10^38.
Even with today's supercomputers, brute-force attacks would be out of the question. NSA's weakening of Lucifer appears to have been deliberate. According to David Kahn, the noted author who wrote The Codebreakers, Lucifer set off a debate within NSA. "The codebreaking side wanted to make sure that the cipher was weak enough for the NSA to solve it when used by foreign nations and companies," he wrote in Foreign Affairs. On the other hand, "the code-making side wanted any cipher it was certifying for use by Americans to be truly good." Kahn says the resulting "bureaucratic compromise" made the key shorter. Alan Konheim, former manager of IBM's Lucifer research project, recollects, "If they [NSA] had had their way, they would have had 32 bits.... I was told at one time that they wanted 40 bits, and at IBM we agreed that 40 was not enough." At the same time that NSA shortened Lucifer's key, it used classified criteria to redesign several numerical tables known as "substitution boxes" or "S-boxes." When a bitstream (a stream of binary digits) comes into DES, it's broken into chunks. The bits in each chunk are repeatedly permuted (that is, rearranged) in a way that depends upon both the key and the numbers in the S-boxes. These boxes are thus crucial to the strength of DES, and NSA's critics feel that the changes in them make the system vulnerable to a "cryptanalytic" attack. In other words, the boxes may now conceal a trap door - a secret numerical regularity that allows NSA to decipher any DES-encrypted text even without the key. NSA's refusal to publish the criteria under which it redesigned the S-boxes has reinforced the critics' fears. Despite persistent rumors, a trap door has never been found. Years of analysis at institutions including Bell Labs; the Catholic University in Leuven, Belgium; and the Center for Mathematics and Computer Science in Amsterdam have failed to either vindicate or convict NSA.
However, mathematicians have unearthed several peculiar properties in the S-boxes - for example, certain numerical irregularities that weren't present in IBM's original design. And they've demonstrated the possibility of introducing hidden regularities into the S-boxes that weaken the algorithm. Still, no one has managed to use these findings to mount a successful cryptanalytic attack on DES. They may mean nothing. But since NSA has never declassified the criteria for redesigning the S-boxes, it's not certain. Because of lingering suspicions, the Swiss and Scandinavians have turned elsewhere for their civilian encryption systems. The controversy over DES eventually subsided, but in late 1985 NSA suddenly and gracelessly abandoned the system. Directly contradicting years of reassurances, Walter Deeley, NSA's deputy director for communications security, told Science that he "wouldn't bet a plugged nickel on the Soviet Union not breaking [DES]." Said Barton O'Brien, sales manager for RSA Data Security, "People in the industry feel betrayed." And according to Herb Bright of Computation Planning Associates, quite an uproar ensued in the normally quiet halls of the American National Standards Institute when NSA announced its new ciphers. Bankers were particularly upset, since they had committed to DES as their means of encrypting electronic funds transfers. NSA was later compelled to announce that DES would remain certified for such transfers. NSA's new shift raises even more issues. The agency has still declined to declassify evidence that would settle the question of DES's strength. If an avenue of cryptanalytic attack has been found, then isn't NSA wrong to let banks continue using DES? And if the problem is a brute-force attack, then isn't it a consequence of the reduced key length? Why not just make the key longer?
NSA officials say they don't want to trust the rising volume of sensitive data to DES, because all of its major elements except the criteria for S-box design have been widely published. Yet cryptologists are trained to be dubious, and they will never trust a classified cipher. They have more confidence in mathematical intractability. A cipher will be trusted if it is open to inspection and breaking it would require solving a very difficult numerical problem. Such ciphers do in fact exist, and they enjoy a freedom from suspicion that NSA's new ciphers can never hope to share. Historical evidence suggests that intelligence agencies do promote flawed ciphers under cover. In the most famous case, British Intelligence secretly broke the German ENIGMA machines during World War II. "After World War II, Britain rounded up thousands of ENIGMA machines that Germany had used and sold them to some of the emerging nations," writes David Kahn. This allowed Britain to "keep tabs on what each country was planning." The fact that ENIGMA had been broken in the 1940s remained classified until 1974. In The Puzzle Palace, a study of NSA, investigative reporter James Bamford says that the agency has similarly attempted to exploit a secret cipher. In 1957 NSA covertly sent William Friedman, a cryptologist, to meet his old friend Boris Hagelin, then a major supplier of cryptomachines. "Hagelin was asked to supply to NSA [with] details about various improvements and modifications... made to cipher machines his companies had supplied to other governments, including, especially, the member countries of NATO." Bamford was not able to learn whether Hagelin cooperated. But NSA's attempt to build a trap door into an encryption system can only abet suspicions about its new ciphers.

Cryptography Goes Public

Over the last decade, NSA has had some success in its efforts to classify sensitive cryptographic research. Yet know-how has spread anyway.
Mathematicians doing basic research with no thought of secrecy may find that their work has significant cryptographic implications. For instance, complexity theory examines problems not to solve them but to understand how hard they really are. Since truly hard problems provide the basis for strong ciphers whose inner workings are open to inspection, complexity theory is one conduit through which cryptology has "gone public," in Kahn's words. Today, all but the poorest nations secure high-level dispatches behind ciphers that can be broken only with the greatest difficulty. Intelligence agencies are often reduced to working on unclassified communications - and to studying who calls rather than what they say. Intelligence agencies can also be foiled when their adversaries are low-tech: Iran sidesteps U.S. electronic espionage by sending sensitive information by hand. But while governments are becoming more secure, individuals are becoming more vulnerable. The use of electronic mail and interactive cable TV is increasing, and the technology for tapping phone conversations is improving. In The Rise of the Computer State, New York Times reporter David Burnham writes that the high cost of paying people to listen to conversations may be as significant a deterrent to wiretaps as legal strictures. Wiretaps are more widespread in low-wage countries such as the Soviet Union and India. This bodes ill, for voice-recognition technology is making automated wiretapping much easier. Computers can now screen calls and notify human agents only upon encountering designated words. If used to establish a decentralized cryptosystem in the telecommunications network, public-key cryptology could go a long way toward preventing wiretaps. Public-key systems also enable users to sign messages with unforgeable electronic signatures.
As Hellman puts it, such signatures are "like written signatures in that they're easily produced by the legitimate signer, easily recognized by any recipient, and yet impossible, from a practical point of view, to forge." To send messages using such a signature, you publish the decryption half of a two-part key. Only if a message is "signed" with the secret encryption half will decryption yield a meaningful cleartext. Like conventional encryption systems, public-key systems can be based on a variety of algorithms. The best-known public-key algorithm is RSA (after Rivest, Shamir, and Adleman, the mathematicians who developed it). It is based on the difficulty of factoring large numbers into their prime factors, a problem that mathematicians have been studying for thousands of years without fundamental progress. Factoring small numbers is simple: 40 can be factored into 10 and 4 (since 10 x 4 = 40) or even into 20 and 2 (since 20 x 2 = 40). But factoring even slightly larger numbers is much harder. Factoring 5,893 (produced by multiplying 71 and 83) requires a number of trials, and because 71 and 83 are both prime numbers (divisible only by themselves and by 1), there's only a single answer. To break an RSA-based cipher, you have to factor an enormous number, which can be hundreds of digits long, into so-called "cryptographic primes" - primes that can themselves be hundreds of digits long. Factoring the product, which is embedded in the public key, into its component primes - a process necessary to break the cipher - is effectively impossible, even with supercomputers. And no conceivable breakthroughs in computer technology will make any difference: factoring will remain hard until there is a breakthrough in number theory, a breakthrough that may not even be in the cards.
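The two-combination mailbox, the sign-with-the-secret-half signature scheme, and the factoring argument above can all be seen in one small program. This is an added example, not code from the article or from RSA Data Security; it builds a toy RSA key pair from the article's own primes 71 and 83 (n = 5,893, public exponent 17 is my choice), encrypts and signs with it, and then shows that factoring such a tiny n by trial division hands the private key to anyone, which is exactly why real keys use primes hundreds of digits long.

```python
"""Toy RSA using the article's primes 71 and 83 (n = 5,893).

Added example, not from the original article. The key is deliberately
tiny so that the last function can factor n and recover the private key,
demonstrating why the strength of RSA rests entirely on factoring being hard.
"""
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Inverse of a modulo m; raises if a and m share a factor."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def make_keys(p, q, e=17):
    """Public key (n, e) is the 'locking' combination anyone may hold;
    the private exponent d is the 'unlocking' combination you keep secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), modinv(e, phi)


def encrypt(public, m):
    """Anyone can lock: c = m^e mod n. Message must be smaller than n."""
    n, e = public
    return pow(m, e, n)


def decrypt(public, d, c):
    """Only the holder of d can unlock: m = c^d mod n."""
    n, _ = public
    return pow(c, d, n)


def sign(public, d, m):
    """Signing uses the secret half; s = m^d mod n."""
    n, _ = public
    return pow(m, d, n)


def verify(public, m, s):
    """Any recipient can check a signature with the public half."""
    n, e = public
    return pow(s, e, n) == m


def factor_by_trial(n):
    """The attacker's task: split n into its two primes. Feasible here only
    because n is tiny; the work grows far beyond reach for real key sizes."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return n, 1


def recover_private_key(public):
    """Knowing p and q gives phi, and phi gives d: the trap door is factoring."""
    n, e = public
    p, q = factor_by_trial(n)
    return modinv(e, (p - 1) * (q - 1))
```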
However, once a user obtains cryptographic primes - a number of sources, such as a company marketing a cryptosystem, could provide them - only limited computer power is necessary to multiply them together and perform the other operations necessary to generate keys. Users could do this privately on microcomputers - without the aid of a centralized authority such as NSA.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

NOTA: This article has given vital information on cryptology. Some of the things pointed out were flaws in the DES, how encryption works, and how to