CRYPTOGRAPHY and ENCRYPTION. Ian Barry - 14th November 1997.
This piece of writing was completed for a first-year computer science university undergraduate assignment in technical writing. It forms approximately 2500 words of my own writing of what I consider to be interesting and informative information concerning the exciting subject of cryptology. For your assistance I have underlined relevant cryptology jargon where it is explained. If you have any queries mail me at ian@bits.bris.ac.uk.
Cryptography is the art of encryption. It is the science of storing a message in a form that only those you trust can read, by making it unreadable to those you do not.
Encryption is the method by which a message is converted from its readable form, plain-text, into an unreadable form, cipher-text. For this to be possible the encryption engine (the piece of software or hardware that encrypts the message) is dependent upon a piece of information: the encryption key. Following from this, decryption is the method by which the encrypted or cipher-text message is converted back into its readable or plain-text form. Similarly the decryption engine requires a decryption key.
In cryptography the encryption key and the decryption key need not be the same. When they are, the cryptosystem is known as a symmetric key system, and when they are not, we have an asymmetric key system.

Symmetric Key Cryptosystems.
Symmetric key cryptosystems, or secret-key systems, exist where the same key serves as both the encryption and decryption key. This obviously leads to the problem of secure key exchange (how to tell the recipient of your message the secret key that is being used). If messages between the two of you are being monitored, which is the whole point of encrypting in the first place, then it would certainly be difficult to transfer the key between the two parties without the third party getting hold of it. If any third party were to obtain the secret key, this would defeat the entire point of encrypting messages between yourself and the person you want to talk to, as any third party with the key could decrypt, and therefore read, any messages passing between you. This third party could also alter any message changing hands between the first and second person, as well as create new messages and send them to either person pretending to be the other, and neither side would be the wiser. This immediate problem leads on to data integrity and data authentication, described later.

Asymmetric Key Cryptosystems.
The asymmetric key cryptosystem, or public-key system, was developed by Martin Hellman and Whitfield Diffie in 1976 as a result of the problem with symmetric key systems (described above). In this system each person has two keys: their public key and their private key. Their public key is common knowledge and is often published on the internet. Their private key, on the other hand, is kept secret and individual to that person; it is never relayed to anyone.
A public-key cryptosystem works as follows: if person A wants to send a message to person B, then A encrypts his message using B's public key. B then decrypts the message using his private key. Since the public key is public, anyone can send an encrypted message to B. But since B's private key remains private, only B can decrypt those messages.

Symmetric Key vs. Asymmetric Key.
Although public key cryptography in theory solves the problem of secure key exchange, it does in general have a couple of disadvantages compared to symmetric (or secret) key systems.
Firstly, there is the problem of speed: public-key cryptosystems are much slower than their secret-key neighbours. If the message to be encrypted is small, for example an email, then fine, whereas in the case of several megabytes of data, the encryption or decryption process can take much longer.
Secondly, there is a problem with the authenticity of public keys. If your friend wishes to send a message to you, and you have your public key stored in a key database somewhere on the internet or other public database, then your friend can get a copy of what is claimed to be your public key and send you a message. The problem with public keys stored on the internet that claim to belong to particular people is this: how do you really know that this is their public key?
What are your public and private keys? Well, your private key is a pair of big prime numbers, and your public key is an even bigger composite number that is the product of these primes. Thus your public and private keys are the inverse of each other.
In some situations, public-key cryptography is not necessary and symmetric cryptography alone is sufficient. This includes environments where secure key exchange can take place, for example by users meeting in private. It also includes environments where a single body knows and manages all the keys, e.g., a closed banking system. Since this body knows everyone's keys already, there is not much advantage for some to be public and others private. Also, public-key cryptography is usually not necessary in a single-user environment. For example, if you want to keep your personal files encrypted, you can do so with any secret-key encryption algorithm using, say, your personal password as the secret key. In general, public-key cryptography is best suited for an open multi-user environment.
Public-key cryptography is not meant to replace secret-key cryptography, but rather to supplement it, to make it more secure. In fact the first use of public-key cryptography was for secure key exchange in an otherwise secret-key system; this is still one of its primary functions.

Data Authentication.
Data authentication is the verification of the sender of a message. If your public key is easily obtainable, then anybody can send you a message pretending to be somebody else.
This leads on to digital signatures, or electronic signatures, which I shall explain using our original example where person A wants to send person B a message, but this time person B wants to be sure that it was person A that sent him the message, and not somebody else pretending to be person A. The following can take place so that person B cannot be in any doubt over who sent him this message:
1. person A encrypts the message with his private key,
2. he then encrypts the message with person B's public key,
3. the message is then sent to person B,
4. person B decrypts the message with his private key (only person B can do this),
5. he then decrypts it using person A's public key.
Thus the message must have come from person A, as person A is the only person who can encrypt a message with person A's private key.
If we continue from the above example: person B could keep a copy of the message encrypted with person A's private key (he obtains this at step 4, as soon as he decrypts the message with his private key, as person A's private key is the inverse of his public key). He could then send this to person C as proof that person A said what person B is claiming person A said, and person C would be sure that person B is not making it all up. The following would have to occur (these steps overwrite the above steps from step 5):
1. person B writes a message for person C including the message he has obtained after step 4 in the previous list,
2. person B then encrypts the message with his private key,
3. and again with person C's public key,
4. the message is then sent from person B to person C,
5. person C decrypts the message with his private key,
6. he then decrypts the message with person B's public key (he is now sure that this message came from person B),
7. he then decrypts the message with person A's public key (he is now sure that person B is not falsely quoting person A).

Data Integrity.
Data integrity is similar to data verification, but it is the verification that the contents of a plain-text message have not been accidentally or intentionally changed while the message was en route. Basically the sender puts a check-sum at the bottom of the message, encrypted with his private key. Anybody wanting to check the integrity of the message can decrypt the check-sum with the sender's public key and check that the check-sum matches the document.

Code Breaking.
A check-sum is a string created from the content of the document. An example of the simplest check-sum would be a one if the sum of all the letters in the document was even, or a zero otherwise.
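The signed check-sum described above, as an added example that is not part of the original essay. It uses textbook RSA without padding on a constructed toy key (every name and value here is an assumption for illustration) and shows why the parity check-sum lets an altered message through where a cryptographic hash does not.

```python
import hashlib

# Constructed toy key, far too small for real use. As in the essay, the
# private side is a pair of primes and the public modulus is their product.
P, Q = 2**31 - 1, 2**61 - 1          # two known Mersenne primes
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)


def parity_checksum(message: bytes) -> int:
    """The essay's simplest check-sum: 1 if the byte sum is even, else 0."""
    return 1 if sum(message) % 2 == 0 else 0


def sha256_checksum(message: bytes) -> int:
    """A cryptographic digest, reduced mod N only because the toy key is small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, checksum) -> int:
    """Sender: 'encrypt' the check-sum with the private exponent."""
    return pow(checksum(message), D, N)


def verify(message: bytes, signature: int, checksum) -> bool:
    """Anyone: 'decrypt' the signature with the public key and compare."""
    return pow(signature, E, N) == checksum(message)


def demo() -> dict:
    original = b"Pay Bob 100 pounds"   # constructed sample message
    tampered = b"Pay Bob 900 pounds"   # byte sum changes by 8, parity does not
    weak_sig = sign(original, parity_checksum)
    strong_sig = sign(original, sha256_checksum)
    return {
        "genuine_accepted": verify(original, strong_sig, sha256_checksum),
        "tamper_caught_by_sha256": not verify(tampered, strong_sig, sha256_checksum),
        "tamper_missed_by_parity": verify(tampered, weak_sig, parity_checksum),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real signature schemes add padding and use keys of 2048 bits or more; the toy key only keeps the arithmetic visible.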
There are two basic ways of cracking encrypted codes. One is by brute force - simply going through every single combination of a code or key until eventually the right combination is found. The other is to look for faults in the mathematical logic - the algorithm - at the heart of the encryption mechanism, which can show themselves in a lack of randomness in the encrypted message.

Different Cryptosystems
For well-established modern algorithms, a 'brute force' search of all possible keys is usually the only method. This is because modern codes are enormously powerful. If the algorithm is sound, the power of a code is determined by the length of its key (since this determines how many possible combinations there are). Cracking these can be a lengthy and involved process.
Recently a French Ph.D. student managed to break a message coded with a 40-bit key in eight days, but he had to use about 120 computers to do this. Commonly used encryption systems might have a key length of 128 bits (binary digits, or 0s and 1s) or more. To attack such a code by brute force, a 128-bit key length would present a decipherer with a search through approximately 1,000,000,000,000,000,000,000,000,000,000,000,000 (one million million million million million million) possible variations. Even with a very large supercomputer working 24 hours a day, this task would take a great many years.
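The second route described above, a flaw that shows itself as a lack of randomness in the cipher-text, can be measured directly. The following is an added example, not part of the original essay: both toy ciphers, the keys and the sample text are constructed for illustration, and it compares the byte entropy of a flawed cipher's output with that of a keystream that looks random.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for random-looking data."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def weak_encrypt(plaintext: bytes, key: int) -> bytes:
    """Flawed toy cipher: every byte is XORed with the same one-byte key."""
    return bytes(b ^ key for b in plaintext)


def keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for a sound cipher: XOR with a SHA-256 counter keystream.
    Illustrative only, not a vetted construction."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], block))
    return bytes(out)


def compare() -> dict:
    # Constructed sample plaintext: ordinary English, repeated for volume.
    plaintext = b"the quick brown fox jumps over the lazy dog at dawn. " * 50
    return {
        "plaintext": shannon_entropy(plaintext),
        "weak": shannon_entropy(weak_encrypt(plaintext, 0x5A)),
        "keystream": shannon_entropy(keystream_encrypt(plaintext, b"constructed key")),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:10s} {bits:.2f} bits/byte")
```

The flawed cipher only relabels each byte value, so its output keeps exactly the letter-frequency profile of the plain-text, which is the kind of non-randomness an analyst looks for before resorting to a key search.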
Clipper is a secret-key encryption chip developed and sponsored by the US government. It was designed to balance the concerns of federal law enforcement agencies with those of the public and industry. The law enforcement agencies in the US, such as the NSA (National Security Agency - equivalent to the UK's GCHQ), wish to have access to the communications of suspected criminals, for example by wire-tapping; these needs are threatened by secure cryptography. Industry and the public, however, want secure communications, and look to cryptography to provide it.
[Figure: A picture of the 28-pin Clipper chip from a Texas Instruments ethernet card.]
I suggest having a look at these web sites, and I especially recommend browsing the newsgroups, as very interesting, informative and up-to-date articles on the pulse of the cryptography industry (if it is an industry) are abundant.
There are a thousand more relevant and interesting sites that I have not listed; I suggest going to a search engine such as altavista or infoseek and searching under the words cryptography, encryption, clipper, pgp, or any other words that spring into your mind.

Bibliography.
I used a number of sources to write this piece of technical writing; first and foremost I used my general knowledge of the subject of cryptography along with the following two books: