Tik-110.501 Seminar on Network Security

Practical Cryptosystems and their Strength

Janne Frösen

Department of Computer Science

Helsinki University of Technology

Janne.Frosen@hut.fi

2.11.1995


Abstract

Practical Cryptosystems include several algorithms, out of which many are currently used in applications. Some algorithms are more secure than others, while some have already been proved weak. This paper gives a brief view to many algorithms currently in use, and gives somewhat more details on the most widely used (such as DES and RSA), also trying to predict their strength in the future applications.


Table of Contents

  1. Basic Terminology
  2. Introduction to Practical Cryptosystems
  3. Different Cryptosystems
  4. Conclusions
  5. References


Basic Terminology

Some general terms used in cryptography

Plaintext or Cleartext The original data. This may be a text message, file or a stream of communication
Encryption Encoding a message so that hides it hides the contents from outsiders
Ciphertext The encrypted message
Decryption Retrieving the plaintext from ciphertext
Cipher A method of encryption and decryption
Key A key is usually used in encrypting, decrypting is only possible by knowing the key
Cryptography Art or science of encoding data and keeping the message secret
Cryptoanalysis Art of breaking ciphertext without knowing the key
Cryptology Branch of mathemathics that studies cryptographic methods

Some US instances linked with cryptology

NSA National Security Agency
NIST National Institute of Standards and Technology


Introduction to Practical Cryptosystems

Cryptography is formally the art of encoding data in a way that only the intended recipient can decode it, and know that the message is authentic and unchanged. Cryptography means different things to different people. Small children play with simple ciphers and substitution secret languages, bigger children play with crypto puzzles. Some people are concerned with privacy for various reasons and use different methods to encrypt sensitive data, with standard unix "crypt" or "rot-13" variants. None of these have anything to do with strong encryption and real data security.

Strong encryption is not a technical standard, it means your encryption cannot be broken by current known methods within feasible time without the data being outdated. Strong encryption can be used to protect your sensitive data against organized crime, government and multinational corporations - all instances with virtually unlimited resources. That has been a cause to recent tries to outlaw strong encryption.

Strong encryption brings many possible applications in daily life. Different applications that require privacy, trust and access control should all use strong encryption methods when possible. Applications include things like electronic money [AUK95] [SAA95], secure communications [PES95] [PUL95] [HEI95], passwords, and many others. It is in people's own interest that different legal/medical/personal data about their person stays confidential to the instances that have a permit to collect the databases (finnish Tietoturvalaki).


Different Cryptosystems

Some cryptograhic methods rely on the secrecy of the algorithms used in the cipher (security by obscurity). These ciphers are only of historical interest and are not adequate for a real-world situation.

All modern algorithms use a key to control the encryption and decryption. The message can only be decrypted if the key matches the one it was encrypted with. The key used for decryption can be different from the key used in encryption, and this divides the algorithms in symmetric (or secret-key) and asymmetric (or public-key) classes.

Modern cryptographic algorithms are meant to be executed by computers or specialized hardware devices for which there are several different cryptographic algorithms and methods. This paper concentrates on those commonly used in data encryption today.


Symmetric Algorithms

Symmetric algorithms, also called secret-key algorithms, use the same key for both encryption and decryption (or in some cases the key is easily derivable from the other). The key is not to be leaked to outside enemmies (hence the name) and should be changed often and be sufficiently random.

Different symmetric algorithms use different length keys, usually a longer key means higher security.

Symmetric algorithms can be further divided into two categories: stream ciphers which take and encrypt one bit of plaintext at a time, and block ciphers which take a number of bits (typically 64) and encrypt them as a single block. Most ciphers belong to the block cipher class.

Symmetric algorithms are generally faster than asymmetric ones and use a much shorter key.

Asymmetric Algorithms


Cryptographic Hash Functions

A cryptographic hash function generates a fixed-size hash value from a message of any length. The idea is to generate a hash value that cannot be used to trace back the original message. The typical applications include things like secret numbers on ATM cards etc.


Zero Knowledge Systems

Abstractly, a zero knowledge proof is an interactive proof with a prover and a verifier, where the prover convinces the verifier of a statement (with high probability) without revealing any information about how to go about proving that statement. A mathematical proof is found at [ZER95].

Zero knowledge proofs can be used for authentication before exchanging key information. Details about the zero knowledge systems can be found in Hannu Aronsson's paper [HAA95].


Conclusions

The best applications combine different cryptosystems. The primary advantage of public-key cryptography is increased security: the private keys do not ever need to transmitted or revealed to anyone. In a secret-key system, by contrast, there is always a chance that an enemy could discover the secret key while it is being transmitted.

Another major advantage of public-key systems is that they can provide a method for digital signatures and authentication. Secret key systems would require a third party for this.

A disadvantage of using public-key cryptography for encryption is speed.

For encryption, the best solution is to combine public- and secret-key systems in order to get both the security advantages of public-key systems and the speed advantages of secret-key systems. The public-key system can be used to encrypt a secret key which is then used to encrypt the bulk of a file or message.


References

WWW Links
  1. [PUL95] Arto Pulkki: The IP Security Architecture
  2. [PES95] Pekka Pessi: Secure Multicast
  3. [HAA95] Hannu Aronsson: Zero Knowledge Protocols
  4. [AUK95] Petri Aukia: Models of Electronic Commerce
  5. [SAA95] Janne Saarela: Mechanisms of Electronic Money
  6. [RSA95] RSA Data Security Inc. Home
  7. [FAQ95] FAQ Today's Cryptology (RSA)
  8. [YLO95] Tatu Ylonen: Crypto Page
  9. [ZER95] Bennet S. Yee: Zero Knowledge explanation
  10. [BRE95] Damien Doligez: SSL (Netscape, RC4) breaking page"

Books
  1. [SCH94] Bruce Schneier, Applied Cryptography, John Wiley & Sons, Inc., 1994


Janne Frösen / jaf@hut.fi