2.4 - Applications of Cryptography

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

Historically, cryptography was used to assure only secrecy. Wax seals, signatures, and other physical mechanisms were typically used to assure integrity of the media and authenticity of the sender. With the advent of electronic funds transfer, the applications of cryptography for integrity began to surpass its use for secrecy. Electronic cash came into being from cryptography, and the electronic credit card and debit card sprung into widespread use. The advent of public key cryptography introduced the possibility of digital signatures, and other related concepts such as electronic credentials. In the information age, cryptography has become one of the major methods for protection in all applications.

Cryptographic protocols have only recently come under intensive study, and as of this time, they are not sufficiently well developed to provide a great deal of assurance. There are several protocols that offer provable properties, primarily those designed for use with the OTP. The problem with proving properties of protocols under other schemes is that the mathematics is extremely complex for the RSA, and there is no sound mathematical basis for the DES. Much research is under way at this time in the field of protocol analysis and verification, and it is likely that once this field stabilizes, cryptographic protocols will follow suit.

Several special purpose cryptographic protocols have been developed and demonstrated sound. Most notably, the RSA key distribution protocol, a public key poker playing protocol, an OTP based dining cryptographers protocol, and the protocol used for verifying the nuclear test ban treaty [Chaum83] [Simmons81] .

A typical cryptographic protocol failure is encountered in the use of the RSA [Jonge85] . It seems that if an attacker can choose the plaintext to be signed under an RSA signature system, observe the result of the signature, and then iterate the process, it is possible to get the signer to reveal the private key in a very small number of signatures (about 1 signature per bit of the key). Thus an unmodified RSA signature system requires a sound protocol to be safely used.

Secrecy in Transmission

Most current secrecy systems for transmission use a private key system for transforming transmitted information because it is the fastest method that operates with reasonable assurance and low overhead.

If the number of communicating parties is small, key distribution is done periodically with a courier service and key maintenence is based on physical security of the keys over the period of use and destruction after new keys are distributed.

If the number of parties is large, electronic key distribution is usually used. Historically, key distribution was done with a special key-distribution-key (also known as a master-key) maintained by all parties in secrecy over a longer period of time than the keys used for a particular transaction. The "session-key" is generated at random either by one of the parties or by a trusted third party and distributed using the master-key.

The problem with master-key systems is that if the master-key is successfully attacked, the entire system collapses. Similarly, if any of the parties under a given master-key decides to attack the system, they can forge or intercept all messages throughout the entire system. Many complex private-key systems for reducing some of these problems have been proposed and used for various applications.

With the advent of public-key systems, secrecy can be maintained without a common master-key or a large number of keys. Instead, if Bob wants to communicate with Alice, Bob sends Alice a session-key encrypted with Alice's public key. Alice decrypts the session-key and uses that over the period of the transaction.

These are examples of cryptographic protocols, methods for communicating while attaining a particular cryptographic objective. These protocols are used primarily to deal with key management and system misuse problems. Many other protocols are applied to eliminate other attacks on these systems.

Secrecy in Storage

Secrecy in storage is usually maintained by a one-key system where the user provides the key to the computer at the beginning of a session, and the system then takes care of encryption and decryption throughout the course of normal use. As an example, many hardware devices are available for personal computers to automatically encrypt all information stored on disk. When the computer is turned on, the user must supply a key to the encryption hardware. The information cannot be read meaningfully without this key, so even if the disk is stolen, the information on it will not be useable.

Secrecy in storage has its problems. If the user forgets a key, all of the information encrypted with it becomes permanently unuseable. The information is only encrypted while in storage, not when in use by the user. This leaves a major hole for the attacker. If the encryption and decryption are done in software, or if the key is stored somewhere in the system, the system may be circumvented by an attacker. Backups of encrypted information are often stored in plaintext because the encryption mechanism is only applied to certain devices.

Integrity in Transmission

Many of the users of communication systems are not as much concerned about secrecy as about integrity. In an electronic funds transfer, the amount sent from one account to another is often public knowledge. What the bank cares about is that only proper transfers can take place. If an active tapper could introduce a false transfer, funds would be moved illicitly. An error in a single bit could literally cause millions of dollars to be erroneously credited or debited. Cryptographic techniques are widely used to assure that intentional or accidental modification of transmitted information does not cause erroneous actions to take place.

A typical technique for assuring integrity is to perform a checksum of the information being transmitted and transmit the checksum in encrypted form. Once the information and encrypted checksum are received, the information is again checksummed and compared to the transmitted checksum after decryption. If the checksums agree, there is a high probability that the message is unaltered. Unfortunately, this scheme is too simple to be of practical value as it is easily forged. The problem is that the checksum of the original message is immediately apparent and a plaintext message with an identical checksum can be easily forged. Designing strong cryptographic checksums is therefore important to the assurance of integrity in systems of this sort.

The key distribution problem in a one-key system is as before, but an interesting alternative is presented by the use of public keys. If we generate a single public-key for the entire system and throw away the private key that would go with it, we can make the checksum impossible to decrypt. In order to verify the original message, we simply generate a new checksum, encrypt with the public key, and verify that the encrypted checksum matches. This is known as a one-way function because it is hard to invert.

Actual systems of this sort use high quality cryptographic checksums and complext key distribution and maintenance protocols, but there is a trend towards the use of public keys for key maintenance.

Integrity in Storage

Integrity against random noise has been the subject of much study in the fields of fault tolerant computing and coding theory, but only recently has the need for integrity of stored information against intentional attack become a matter for cryptography.

The major mean of assuring integrity of stored information has historically been access control. Access control includes systems of locks and keys, guards, and other mechanisms of a physical or logical nature. The recent advent of computer viruses has changed this to a significant degree, and the use of cryptographic checksums for assuring the integrity of stored information is now becoming widespread.

As in the case of integrity in transmission, a cryptographic checksum is produced and compared to expectations, but storage media tends to have different properties than transmission media. Transmitted information is typically more widely available over a shorter period of time, used for a relatively low volume of information, and accessed at a slower rate than stored information. Thees parameters cause different tradeoffs in how cryptosystems are used.

Authentication of Identity

Authenticating the identity of individuals or systems to each other has been a problem for a very long time. Simple passwords have been used for thousands of years to prove identity. More complex protocols such as sequences of keywords exchanged between sets of parties are often shown in the movies or on television. Cryptography is closely linked to the theory and practice of using passwords, and modern systems often use strong cryptographic transforms in conjunction with physical properties of individuals and shared secrets to provide highly reliable authentication of identity.

Determining good passwords falls into the field known as key selection. In essence, a password can be thought of as a key to a cryptosystem that allows encryption and decryption of everything that the password allows access to. In fact, password systems have been implemented in exactly this way in some commercial products.

The selection of keys has historically been a cause of cryptosystem failure. Although we know from Shannon that H(K) is maximized for a key chosen with an equal probability of each possible value (i.e. at random), in practice when people choose keys, they choose them to make them easy to remember, and therefore not at random. This is most dramatically demonstrated in the poor selection that people make of passwords.

On many systems, passwords are stored in encrypted form with read access available to all so that programs wishing to check passwords needn't be run by privileged users. A side benefit is that the plaintext passwords don't appear anywhere in the system, so an accidental leak of information doesn't compromise system wide protection.

A typical algorithm for transforming any string into an encrypted password is designed so that it takes 10 or more msec/transformation to encode a string. By simple calculation, if only capital letters were allowed in a password, it would take .26 seconds to check all the one letter passwords, 6.76 seconds to check all the 2 letter passwords, 4570 seconds for the 4 letter passwords, and by the time we got to 8 letter passwords, it would take about 2*10**9 seconds (24169 days, over 66 years).

For passwords allowing lower case letters, numbers, and special symbols, this goes up considerably. Studies over the years have consistently indicated that key selection by those without a knowledge of protection is very poor. In a recent study [highland86] , 21% of the users on a computer system had 1 character passwords, with up to 85% having passwords of 1/2 the maximum allowable length, and 92% having passwords of 4 characters or less. These results are quite typical, and dramatically demonstrate that 92% of all passwords could be guessed on a typical system in just over an hour.

Several suggestions for getting unpredictable uniform random numbers include the use of low order bits of Geiger counter counts, the use of the time between entries at a keyboard, low order bits of the amount of light in a room as measured by a light sensitive diode, noisy diode output, the last digit of the first phone number on a given page of a telephone book, and digits from transcendental numbers such as Pi.

Credentialing Systems

A credential is typically a document that introduces one party to another by referencing a commonly known trusted party. For example, when credit is applied for, references are usualy requested. The credit of the references is checked and they are contacted to determine the creditworthiness of the applicant. Credit cards are often used to credential an individual to attain further credit cards. A driver's license is a form of credential, as is a passport.

Electronic credentials are designed to allow the credence of a claim to be verified electronically. Although no purely electronic credentialing systems are in widespread use at this time, many such systems are being integrated into the smart-card systems in widespread use in Europe. A smart-card is simply a credit-card shaped computer that performs cryptographic functions and stores secret information. When used in conjunction with other devices and systems, it allows a wide variety of cryptographic applications to be performed with relative ease of use to the consumer.

Electronic Signatures

Electronic signatures, like their physical counterparts, are a means of providing a legally binding transaction between two or more parties. To be as useful as a physical signature, electronic signatures must be at least as hard to forge, at least as easy to use, and accepted in a court of law as binding upon all parties to the transaction.

The need for these electronic signatures is especially accute in business dealings wherein the parties to a contract are not in the same physical vacinity. For example, in an international sale of an airplane, signatures are typically required from two bankers, two companies, two insurance agencies, two attorneys, two governments, and often several other parties. The contracts are hundreds of pages long, and signatures must be attained within a relatively shoert period of time on the same physical document. Faxcimily signatures are not legally binding in all jurisdictions, and the sheer length of a document precludes all parties reading the current copy as they meet at the table to affix signatures. Under current law, all parties must meet in one location in order to complete the transaction. In a transatlantic sale, $100,000 in costs can easily be encurred in such a meeting.

An effort in Europe is currently underway to replace physical signatures with electronic signatures based on the RSA cryptosystem. If this effort succeeds, it will allow many millions of dollars to be saved, and launch the era of digital signatures into full scale motion. It will also create a large savings for those who use the system, and therefore act to force others to participate in order to remain competitive.

Electronic Cash

There are patents under force throughout the world today to allow electronic information to replace cash money for financial transactions between individuals. Such a system involves using cryptography to keep the assets of nations in electronic form. Clearly the ability to forge such a system would allow national economies to be destroyed in an instant. The pressure for integrity in such a system is staggaring.

Threshold Systems

Thresholding systems are systems designed to allow use only if a minimal number of parties agree to said use. For example, in a nuclear arms situation, you might want a system wherein three out of five members of the joint chiefs of staff agree. In a banking situation, a safe might only be openned if 4 out of the authorized 23 people allowed to open the safe were present. Such systems preclude a single individual acting alone, while allowing many of the parties to a transaction to be absent without the transaction being halted.

Most threshold systems are based on encryption with keys which are distributed in parts. The most common technique for partitioning a key into parts is to form the key as the solution to N equations in N unknowns. If N independent equations are known, the key can be determined by solving the simultaneous equations. If less than N equations are known, the key can be any value since there is still an independent variable in the equations. Any number can be chosen for N and equations can be held by separate individuals. The same general concept can be used to form arbitrary combinations of key requirements by forming ORs and ANDs of encryptions using different sets of keys for different combinations of key holders [Shamir79] . The major difficulties with such a system lie in the key distribution problem and the large number of keys necessary to achieve arbitrary key holder combinations.

Systems Using Changing Keys

Shannon has shown us that given enough reuse of a key, it can eventually be determined. It is thus common practice to regularly change keys to limit the exposure due to successful attack on any given key. A common misconception is that changing a key much more often than the average time required to break the cryptosystem, provides an increased margin of safety.

If we assume the key is chosen at random, and that the attacker can check a given percentage of the keys before a key change is made, it is only a matter of time before one of the keys checked by the attacker happens to correspond to one of the random keys. If the attacker chooses keys to attack at random without replacement over the period of key usage, and begins again at the beginning of each period, it is 50% likely that a currently valid key will be found by the time required to try 50% of the total number of keys, regardless of key changes. Thus if a PC could try all the DES keys in 10 years, it would be 50% likely that a successful attack could be launched in 5 years of effort. The real benefit of key changes is that the time over which a broken key is useful is limited to the time till the next key change. This is called limiting the exposure from a stolen key.

Hardware to Support Cryptography

Historically, cryptography has been carried out through the use of cryptographic devices. The use of these devices derives from the difficulty in performing cryptographic transforms manually, the severe nature of errors that result from the lack of redundancy in many cryptographic systems, and the need to make the breaking of codes computationally difficult.

In WWII, the ENIGMA machine was used by the Germans to encode messages, and one of the first computers ever built was the BOMB, which was designed to break ENIGMA cryptograms. Modern supercomputers are used primarily by the NSA to achieve the computational advantage necessary to break many modern cryptosystems. The CRAY could be easily used to break most password enciphering systems, RSA systems with keys of length under about 80 (circa 1986) are seriously threatened by the CRAY, and even the DES can be attacked by using special purpose computer hardware. [Diffie77] Many devices have emerged in the marketplace for the use of cryptography to encrypt transmissions, act as cryptographic keys for authentication of identification, protect so called debit cards and smart cards, and implementing electronic cash money systems.