2.3 - Assessment of Modern Cryptosystems

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

Given a wide variety of commercially available cryptosystems, we are left with the monumental problem of determining the suitability of these systems for use in an environment. As we will see, the current state-of-the-art leaves much to be desired.

At this time, there is no comprehensive theory for establishing the credibility of a cryptosystem. Shannon's workload concept is a step in the right direction, but it leaves us with the problem of determining workload and provides no method of doing this. Cryptanalysis is usually performed by finding successively cleverer methods of attack. Since there is no feasible means of finding the optimal attack strategy against a system, we are always left with the possibility that tomorrow a clever cryptanalyst will find a very fast method of breaking the scheme we use safely today. The one exception is a system where the unicity distance is never reached, the one-time-pad.

The cryptosystem itself is only a small part of the environment which maintains cryptographic protection. The environment as a whole determines the effectiveness of cryptographic protection. The strategy normally used to make decisions is to analyze how a system works in an environment relative to other factors. We generally come up with a set of conditions under which the cryptosystem will be adequate, and then explain that we cannot make certain those conditions exist now or will exist in the future.

It is hard to overemphasize the need for an expert in the design of a cryptographic transform. History shows time and again that loss of life, limb, and fortune follow the non-expert use of cryptography. There are only 3 major transforms available today that offer a reasonable degree of practical safety, and each of these can be broken if improperly used. These transforms are the one-time-pad (OTP), the data encryption standard (DES), and the Rivest, Shamir, Adleman (RSA) public-key system. We now review each in some depth.

The One-Time-Pad

The Data Encryption Standard

The Rivest, Shamir, Adleman Public-Key Cryptosystem

Cryptographic transforms themselves are not adequate to lead to secure use. History shows us that any system will fall under concerted attack if it is not properly used. The key management problems pointed out earlier are only the tip of the iceberg when it comes to proper use of these systems. Furthermore, as in the case of the transforms, there is no comprehensive theory regarding how these systems are to be used. In effect, each protocol for use of a cryptographic scheme is shown to meet some set of criteria that is important to the application. At the heart of this analysis is an expert who may or may not have enough expertise to do the job.

For any system, there is a comprehensive list of properties of interest that can be formed by taking all of the different parts of the system given in the model of how it works, and assessing which should or should not be determinable by which of the others. Each property must be evaluated in the application at hand to determine if it is important, and if it is fulfilled by the implementation.

As an example, let's take the simple model of a cryptosystem and see how complicated the analysis becomes. We start by extracting all of the elements from figure 2.8. This leaves the following list:

Parties: A, B, T
Transforms: Te, Td
Keys: Ke, Kd
Forms: P, C

From this list, we can form all sets of interactions that can take place with every combination of A, B, and T knowing every possible combination of Te, Td, Ke, Kd, P, and C. This produces 2**9 possible situations, each of which must be individually analysed to determine what, if any, additional information can be gleaned by each party. Once this is completed, we must compare these situations to the desired set of possibilities to determine whether or not a proposed solution will work.
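The enumeration just described, carried out for one party at a time, as an added example that is not part of the original text. It assumes two deduction rules for the simple model (C is determinable from Te, Ke and P; P is determinable from Td, Kd and C) and treats every other element as underivable; the rules, the closure routine and the "forbidden element" check are all assumptions made for this illustration.

```python
"""Enumerate what a party in the simple cryptosystem model can determine.

Added example, not from the original text. Assumed deduction rules:
C is computable from (Te, Ke, P); P is computable from (Td, Kd, C).
Nothing else is assumed derivable. The parties are A, B and the tapper T;
each is analysed separately, since the rules involve no interaction.
"""
from itertools import combinations

ELEMENTS = ("Te", "Td", "Ke", "Kd", "P", "C")

# Assumed inference rules of the model: (premises) -> conclusion.
RULES = (
    (frozenset({"Te", "Ke", "P"}), "C"),
    (frozenset({"Td", "Kd", "C"}), "P"),
)


def closure(known):
    """Everything a party can determine from the elements it is given."""
    known = set(known)
    changed = True
    while changed:                       # iterate to a fixed point
        changed = False
        for premises, conclusion in RULES:
            if premises <= known and conclusion not in known:
                known.add(conclusion)
                changed = True
    return frozenset(known)


def all_situations():
    """Every subset of ELEMENTS one party might be given (2**6 of them)."""
    for r in range(len(ELEMENTS) + 1):
        for subset in combinations(ELEMENTS, r):
            yield frozenset(subset)


def violations(forbidden):
    """Situations where a party not given `forbidden` still determines it.

    Used to compare the enumerated situations against a desired property,
    e.g. 'the tapper T must never be able to determine P'.
    """
    return [known for known in all_situations()
            if forbidden not in known and forbidden in closure(known)]


if __name__ == "__main__":
    print(sum(1 for _ in all_situations()), "situations per party")
    for known in violations("P"):
        print("T would learn P when given", sorted(known))
```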

All of this ignores time effects, what happens if errors occur, the levels of exposure associated with particular events, how the system is to be managed to assure these properties, etc. This is only a simple case of two communicating parties and one tapper. Imagine the analysis in a situation with thousands of users, a global network, key management at and distribution to remote sites, and all of the other factors in a modern telecommunications system, and you begin to understand the problem with attaining optimal systems.

As a result of this difficulty, people have derived a set of methods that provide desirable properties. They combine these methods to provide combinations of these properties, and claim the parts are independent of each other to reduce the complexity of analysis. We will now discuss some of the methods that have been studied and what they provide in the way of desirable properties.