4.1.2 Cryptography
The following sections take a closer look at some of the popular cryptographic algorithms and at how their use contributes to achieving security goals.
Cryptography has a central role in security: almost all techniques for securing a service use some sort of cryptography. In the past few years there have been major advances in the field. The advent of cryptographic one-way hash functions such as MD5 and SHA-1 made it practical to verify data integrity and, to a lesser extent, to protect data by storing only its digest rather than the data itself. Symmetric ciphers have evolved from the government-endorsed DES (Data Encryption Standard) to newer algorithms such as RC4, IDEA, Blowfish and the government-endorsed AES (Advanced Encryption Standard). Perhaps the most compelling recent achievement in cryptography has been the advent of asymmetric ciphers, which make the handling of keys easier [18].
A general rule when dealing with cryptography is to use a tried and true published algorithm instead of developing one from scratch. Published algorithms have gone through rigorous public scrutiny and their limitations are well known [18]. The same rule applies to implementations: a well-tested library is preferable to a home-grown implementation of even a sound algorithm.
One-way hash function algorithms
One-way hash functions are algorithms that take a message of arbitrary length as input and produce a fixed-size number as output. This number is referred to as the hash value. The purpose is to create a short digest that can be used to verify the integrity of a message. As mentioned earlier, communication protocols verify integrity using checksums or CRCs. These methods are fine for detecting corruption caused by electrical glitches or other natural phenomena, but a CRC is a linear function of the message, so an intelligent adversary who modifies a message can also adjust it so that the CRC still matches. Against such an adversary something stronger is needed. A cryptographically strong one-way hash function is designed in such a way that it is computationally infeasible to recover a message from its hash value or to find two messages that hash to the same value [18].
Two examples of widely used algorithms are MD5 and SHA-1. MD5 was created by Ron Rivest in 1992 and produces a 128-bit hash value. SHA-1 was published by the National Institute of Standards and Technology (NIST) in 1995 and produces a 160-bit hash value.
SHA-1 is slower to compute than MD5 but was considered stronger because it produces a larger hash value [18]. Both algorithms have since been shown to be vulnerable: practical collisions have been demonstrated for MD5 and for SHA-1, so new designs should use a member of the SHA-2 or SHA-3 family instead.
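The difference between a CRC and a cryptographic hash is easiest to see with an attack. The following example is added here and is not code from the thesis or from [18]: an attacker changes the amount in a constructed message and then appends four bytes, computed by running the CRC-32 register backwards, so that the CRC-32 of the tampered message equals that of the original. The SHA-256 digest of the same tampered message cannot be repaired this way. The message contents and the field names are constructed for the illustration; the CRC-32 parameters are those of zlib.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()
# The high byte of each table entry is distinct, so it identifies the entry
# used in a CRC step; this is what makes the register reversible.
_BY_HIGH_BYTE = {entry >> 24: i for i, entry in enumerate(_TABLE)}


def crc32_forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    # zlib applies a final XOR with 0xFFFFFFFF; undo it to get raw register states.
    start = zlib.crc32(data) ^ 0xFFFFFFFF
    end = target_crc ^ 0xFFFFFFFF
    # Walk the register backwards from the target to recover the table index
    # used in each of the four steps (only the high byte is ever needed, and
    # it is always known at that point).
    indices = []
    state = end
    for _ in range(4):
        idx = _BY_HIGH_BYTE[state >> 24]
        indices.append(idx)
        state = ((state ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Walk forwards from the real start state to turn indices into bytes:
    # in each step idx == (state ^ byte) & 0xFF, so byte == (state ^ idx) & 0xFF.
    suffix = bytearray()
    state = start
    for idx in indices:
        suffix.append((state ^ idx) & 0xFF)
        state = _TABLE[idx] ^ (state >> 8)
    return bytes(suffix)


def forge_and_check(data: bytes, target_crc: int) -> bool:
    """True if the forged suffix really yields the target CRC."""
    return zlib.crc32(data + crc32_forge_suffix(data, target_crc)) == target_crc


def demo():
    original = b"transfer amount=100 to=alice"  # constructed sample message
    tampered = b"transfer amount=900 to=alice"  # attacker's modification
    patched = tampered + crc32_forge_suffix(tampered, zlib.crc32(original))
    return {
        "crc_matches": zlib.crc32(patched) == zlib.crc32(original),
        "sha256_matches": hashlib.sha256(patched).digest()
        == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The four appended bytes would normally be hidden in a field the receiver ignores (padding, a comment, trailing whitespace). The same construction works for any CRC, which is why a CRC protects only against accidental corruption and a keyed construction (an HMAC) or a signature over a cryptographic hash is needed against an adversary.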
Symmetric ciphers
Symmetric ciphers are mechanisms that transform data in order to conceal its meaning.
They provide two functions: message encryption and message decryption. They are called symmetric since they use the same key for both encryption and decryption. The encryption function takes as input a message and a key value. The output is a seemingly random sequence of bytes. The decryption function takes the sequence of bytes and the same key value as the encryption function and generates as output the original message.
The purpose of a symmetric cipher is to provide message confidentiality. A real challenge when using symmetric ciphers is the distribution of the key value. If the key value is not kept safe during transport, the encrypted data will no longer be safe [18]. This problem, often referred to as key management, will be discussed more in the key management section.
There are plenty of published symmetric ciphers that have held up to a great deal of scrutiny. Some examples are: DES, IDEA, AES, Twofish and RC2 [18].
Symmetric ciphers are available in two types: block ciphers and stream ciphers.
Block ciphers encrypt one fixed-size block of data at a time, typically 8 or 16 bytes, and need a mode of operation to handle messages longer than one block, whereas stream ciphers encrypt a stream of data byte by byte by combining it with a key-dependent keystream. Stream ciphers are generally faster than block ciphers, but block ciphers are more widely used and there are many free implementations available. A popular stream cipher is Ron Rivest's RC4, which for a long time was the cipher most commonly used with SSL in Web browsers [18]; statistical biases in its keystream have since led to its removal from TLS.
Asymmetric ciphers
Asymmetric ciphers provide the same two functions as symmetric ciphers, message encryption and message decryption, but differ from them in two major respects. The first is that the key value used for encryption is different from the one used for decryption.
The two keys are referred to as the private key and the public key, and together they are referred to as a key pair. The public key is often published in a directory.
The second difference is that asymmetric ciphers are thousands of times slower than symmetric ciphers [18].
However, asymmetric ciphers offer several other advantages over symmetric ciphers.
A key advantage is that they reduce the trouble of key management. With a symmetric cipher you have to use a separate secure channel to distribute the key value, and you cannot be sure how long the key will remain secret. With an asymmetric cipher you can send your public key over an unsecured line, because a message encrypted with the public key can only be decrypted with the associated private key. For example, if Anders wants to send a secure message to Klas, he first asks Klas for his public key. Klas sends his public key to Anders, Anders uses Klas'
public key to encrypt the message and sends the encrypted message to Klas, and Klas uses his private key to decrypt it. Because only Klas' private key can decrypt the message, the information is kept secret [18]. The unsecured line protects the message only as long as Anders can be sure that the public key he received really belongs to Klas and was not substituted on the way; how that is established is the subject of the trust models section.
Since asymmetric ciphers are so slow compared to symmetric ciphers, the asymmetric cipher is typically used only to exchange a symmetric key, which then encrypts the bulk of the data. This hybrid approach reduces both the trouble of key management and the overhead of asymmetric encryption and decryption.
The exchange of the symmetric key value could be done like this: Anders generates the symmetric key value and encrypts it with Klas' public key. The only one who can decrypt the key value is Klas, and the key value therefore becomes a shared secret between Anders and Klas [18].
The most popular asymmetric cipher is RSA. Public keys can be authenticated, for example by binding them to an identity in a certificate, and it is this authentication of the key rather than the cipher itself that prevents man-in-the-middle attacks, in which an attacker substitutes his own public key for the intended one. Examples of other asymmetric ciphers are ElGamal and elliptic curve cryptography (ECC) [18].
Digital signature
Digital signatures guarantee the integrity of a message sent to a recipient and authenticate its sender. A digital signature consists of a hash value calculated over the message, which is then signed, in the case of RSA by encryption, with the private key of an asymmetric key pair [18].
For example, suppose Klas wants to send a message to Anders, and Anders wants to be sure both that Klas is the sender and that the content has not been changed in transit. Klas first calculates a hash value of the message, encrypts that value with his private key and includes the result, the digital signature, in the message. The message is sent to Anders, who uses Klas' public key to decrypt the signature. Anders calculates a hash value of the message himself and compares it with the decrypted hash value. If they match, Anders can be sure that Klas is the sender and that the message has not been changed in transit.
The reason why a hash value is calculated and then encrypted instead of encrypting the whole message is performance related. As mentioned in a previous section asymmetric ciphers are quite slow.
Since only Klas' private key could have generated the digital signature, Klas cannot deny that he created the message, provided his private key has not been compromised. This means that digital signatures provide non-repudiation [18].
Digital certificates
A digital certificate is a document that uniquely identifies a party. It contains the party's public key plus other identifying information, digitally signed and issued by a trusted third party. The third party is referred to as a certificate authority (CA). A digital certificate is often called an X.509 certificate, after the standard that defines its format, and is commonly used to solve problems associated with key management [18].
In a trusted communication using digital certificates, the CA plays the role of the entity that issues public key certificates. In order to trust a certificate, the relying party has to trust the root certificate. The root certificate is self-signed, which means that it contains the CA's public key and is signed with the CA's private key. All certificates issued by the CA contain the public key of the certified entity and are signed with the CA's private key. At the time of writing one of the most popular CAs is the company VeriSign, and most of the secure Web sites on the Internet have their certificates verified and signed by VeriSign [18].
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Netscape released SSL 3.0 in 1996 for the purpose of securing data transferred over HTTP between the Web server and the Web client. The design of SSL allows it to secure any data communicated over a connection-oriented, end-to-end reliable transport such as TCP. The SSL protocol combines public-key and symmetric-key algorithms to authenticate the server side, optionally authenticate the client side, and encrypt all communication between the two sides [18].
TLS 1.0 was published by the IETF in 1999, largely as an attempt to turn SSL 3.0 into an official IETF standard; its specification was written by the company Certicom. There are some differences between TLS 1.0 and SSL 3.0, and the two protocols do not interoperate directly.
However, TLS 1.0 incorporates a mechanism by which a TLS implementation can back down to SSL 3.0 [18]. Such a fallback means that an active attacker who interferes with the TLS handshake can force both sides onto the weaker protocol, which is why current implementations disable SSL 3.0 entirely.
Common challenges in cryptography
The implementer of a cryptographic algorithm must overcome the challenges involved with cryptography. Some of the most common challenges are described in the following paragraphs.
Random number generation Bad random numbers are fatal for security. For example, in 1995 a paper by Ian Goldberg and David Wagner described how to eavesdrop on a secured SSL session with Netscape 1.2. The implementation of SSL and the associated cryptographic tools in Netscape was correct except for one thing: the key values were easily recovered because the random number generation was predictable. The first, insecure implementation seeded its generator only with the current time-of-day clock value, the process id and the parent process id, which made it possible to calculate the key within a few minutes. Netscape fixed the problem by adding more sources of entropy [18].
Many modern operating systems provide cryptographically strong pseudorandom number generators. One example is Yarrow, designed by Kelsey, Schneier and Ferguson, which offers a platform-independent method of producing strong pseudorandom numbers; UNIX-like systems such as FreeBSD and Mac OS X have used Yarrow behind the device /dev/random [18]. Application code should draw keys from such an operating system facility rather than from a general-purpose random number library.
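The Netscape weakness can be reproduced in miniature. The following is an added example, not code from the thesis or from [18]: a session key is derived from a general-purpose pseudorandom generator seeded only with the clock, the process id and the parent process id, and an attacker who knows the two process ids (on a shared Unix host they were easy to read or guess) and the connection time to within a few minutes recovers the key by trying every candidate clock value. The seed layout, the window size and the sample values are constructed for the illustration; the original Netscape seed also mixed in microseconds, which only enlarges the search by a constant factor. The contrasting function draws the key from the operating system's generator.

```python
import random
import secrets


def weak_session_key(seconds: int, pid: int, ppid: int) -> bytes:
    """128-bit key from a non-cryptographic PRNG seeded only with the clock
    and process ids (simplified model of the first Netscape implementation)."""
    seed = (seconds << 32) | (pid << 16) | ppid
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def recover_seed_time(observed_key: bytes, guessed_seconds: int, pid: int,
                      ppid: int, window: int = 600):
    """Attacker's search: with pid and ppid known and the connection time
    known to within `window` seconds, try each candidate clock value until
    the regenerated key matches the one observed. Returns the seconds value
    that produced the key, or None if it is outside the window."""
    for offset in range(-window, window + 1):
        candidate = guessed_seconds + offset
        if weak_session_key(candidate, pid, ppid) == observed_key:
            return candidate
    return None


def strong_session_key() -> bytes:
    """The fix: take the key from the operating system's CSPRNG
    (/dev/urandom or the platform equivalent), which is seeded from
    many entropy sources the attacker cannot observe."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    # Constructed scenario: connection at t=1000000000 from pid 4242, ppid 4241;
    # the attacker's clock guess is 137 seconds off.
    key = weak_session_key(1_000_000_000, 4242, 4241)
    print("recovered seed time:", recover_seed_time(key, 1_000_000_137, 4242, 4241))
```

The search space here is about a thousand candidates, each a cheap PRNG seeding, so the key falls in well under a second; even with microseconds in the seed the attacker's work is a few million trials, which is the "few minutes" of the original attack. No amount of care in the cipher itself helps when the key comes from so few bits of entropy.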
Key management As mentioned in an earlier section, key management is a real challenge within cryptography; one could say that it is the single most debated problem in the field. To secure data via encryption, the parties must agree on a key value to be used in the encryption process. If they only have an unsecured, publicly accessible communication link, a secure exchange of the key value is impossible with symmetric techniques alone. Asymmetric ciphers resolve this by providing a mechanism for exchanging the key values used in a symmetric cipher. With asymmetric ciphers a new problem arises, namely how to verify the identities of the communicating parties, that is, that a public key really belongs to the party it claims to. This is resolved through the use of digital certificates, which form a trust model. Trust models are covered in the next section. The most popular solution is X.509 certificates, since they are used to secure Web transactions with SSL [18].
Trust models A trust model is the mechanism used by a security architecture to verify the identity of an entity and its associated data, such as name, public key, and so on. The X.509 certificate is an example of a trust model. Identities are vouched for through a hierarchical structure that culminates at the root certificate, which is self-signed by a well-known certificate authority [18].
Another example of a trust model is the one used by PGP (Pretty Good Privacy), which uses a web of trust instead of a hierarchical trust model. PGP, developed by Phil Zimmermann in 1991, is a program that uses a combination of the RSA asymmetric cipher and the IDEA symmetric cipher to secure email. Unlike an X.509 certificate, a PGP certificate may carry many signatures. This means that the PGP certificate can be verified using any one of the signatures, and the verifier can choose which signer it trusts the most. Newer versions of PGP also support X.509 certificates, which allows better interoperability between security providers [18].