# Encryption: a primer.

TELECOMMUNICATIONS SECURITY is a source of increasing concern for
individuals, corporations, and governments. As the flow of information
from individuals (voice) and machines (fax and computer) increases, so
does the likelihood of exposure to the wrong parties. The volume and the
sensitive content of the information rises as people exchange all kinds
of information over unsecured media in the name of efficiency and
productivity.

Businesspeople say to themselves, "I can't wait until we meet face to face," and "I can't afford the time delay if I send it overnight express mail." However, both statements ignore the question, "Can I afford to lose the confidentiality of the information?"

Worldwide competition is heating up. The KGB readily admitted that it considered economic espionage a major part of its job. Several foreign countries have been identified in Congress as having major commercial and industrial information-gathering programs. Former agents are now in the rent-a-spy business. U.S. intellectual property, new product research, and future marketing programs are becoming a gold mine for others. Corporations like IBM and Corning have testified before Congress about losing information worth millions of dollars to French corporations.

Voice and data telecommunications are targeted. Polls indicate that an average of 60 percent of daily business communications is handled by telephone. Sensitive, proprietary information is communicated by voice, fax, and computer over wirelines, microwave links, satellite systems, and fiber-optic lines.

The alternative to limiting information sent over telecommunication media, such as wireline, microwave, and satellite, is to protect the information flow electronically from end to end. Security managers can close avenues of potential loss by instituting procedures for the routine encryption of information. Cryptography has proven to be highly effective against wiretapping and monitoring public and private networks.

The selected cryptographic approach to securing information is based on the assessment of a number of variables: the value of the information, the length of time the information has value, the cost of the product being used to protect the information, and how secure the information is against attack.

CODES DATE BACK AT LEAST TO THE introduction of hieroglyphics. Hieroglyphics are an instructive example of a closely held code: once the knowledge of how to read them was lost, they stayed unreadable for centuries, until Napoleon's army found the Rosetta stone. The stone, which carried the same decree in hieroglyphics and in two other scripts, one of them Greek, provided the decoding key.

Over the centuries coding has been in continuous use in military communications, sometimes to the detriment of the forces relying on it. The Enigma cipher machine used by German forces during World War II, believed by its users to be unbreakable, was read regularly by Allied cryptanalysts, and that ability may have contributed significantly to the Allied victory. If even super-secret systems can be broken, why use them at all? The answer lies in the fact that every practical cipher can be broken given enough information and enough computing effort; the purpose of a cipher is to make that effort cost more than the information is worth.

The strength of a cryptographic method is often measured in terms of work factor--the amount of computation an attacker must expend to break it. Force and time are inversely related: the more computing force applied, the shorter the time. For example, if it takes two people, each with a PC, four hours to break a code, how fast could it be broken on a mainframe? If reaching a solution within an acceptable period requires more force than the attacker can afford, the code is considered resistant to cryptanalysis.

Because codes are used for purposes other than secrecy, coding is better known than other branches of cryptography. Radio operators compress messages by using groups of letters to represent short sentences; for example, QRL means, "Are you busy?" and QTR means, "What is the exact time?" Boy Scouts learn Morse code and semaphore (a system of signaling with hands, flags, or special apparatus). Citizens band radio users use number equivalents such as 10-4 for an affirmative response and 10-20 for another's location. Whatever the purpose, if a person is not familiar with the code used, the code hides the message.

Replacing words or numbers by code equivalents drawn from a code book, and decoding with a matching code book, constitutes the entire coding process. Saying, "What's your 20?" to someone not familiar with the code book should draw a blank stare. Repetition, however, can reveal the meaning of code words, so better code books use multiple equivalents for the same word.

Equivalents are chosen in a random manner to create a variation that will further obscure the code. Greater protection is provided when no repetition of the code word exists in the same message. If an important word in the message bears repetition in the clear text, it requires using more than one code word equivalent in the coded text.

The greater the number of choices, the larger the book gets. The more people and locations involved, the larger the number of books and the wider the distribution. Coding is not recommended for protecting large amounts of computer data because of the huge demand on storage and look-up time.

Since codes have essentially infinite substitutes available, they are still considered useful in protecting communications, particularly when few people are involved. For large groups, the drawback is in the need to exchange a large amount of information in advance and keep that information private. The exchange and storage of codes is definitely a management problem, not a cryptographic problem.

Code management methods can increase effectiveness. Many methods are available, including time-of-day codes, where the code changes at selected intervals, and one-time codes, which are discarded after each use. Generation, storage, distribution, and code look-up time are all security management problems faced when choosing code as the method of safeguarding information. While similar security management problems are associated with all types of encipherment, the electronic techniques used in scrambling and encryption can make the process virtually transparent to the user.

The term scramble is often misused as a synonym for encryption, encoding, enciphering, and cryptography in general. Misuse is not limited to novices. Experts in cryptography are likely to talk about scrambling the message regardless of the technique. In this discussion scrambling is the hiding of information by frequency transposition or signal inversion, the engineering methods typically used in commercial scramblers.

Not all scramblers are equal, any more than all codes and ciphers are. Sophisticated radio equipment scrambles with a wide range of frequency- and time-distribution techniques that equal encipherment in their ability to protect messages against cryptanalysis. That equipment is, however, either expensive or not available to the commercial market.

The difference between commercial scrambling and enciphering can be illustrated by applying each process to the word SENSITIVE. Scrambling by transposition might yield ETVNISEIS, while enciphering might yield something like (*)P @F%!|>~ LJ. Enciphering completely alters the original information, while scrambling merely rearranges it; every letter of SENSITIVE is still present in ETVNISEIS. While the equipment needed to unscramble a message is relatively inexpensive--less than $1,000--and readily available, deciphering can require nonstandard equipment and cost millions of dollars.

When evaluating one cryptographic process against another, keep in mind that the amount of money spent to code, encrypt, and scramble must be weighed against the value of the information at its discovery. This is one measure of the required goodness of a cryptographic process. On that basis, inexpensive commercial scramblers--$80 to $1,500--can be the right choice for information that requires only short-term protection--one hour to a few days.

For example, where the protection of a potential order for goods that provides $1,500 to the bottom line is at stake, payback on a $1,500 scrambler is provided by a single secure call that blocks a competitor's wiretap translation until the order is signed. If it were a $100-million merger requiring six months to close, the scrambler purchase would need to be reevaluated in light of the cryptanalytic force that might be applied to gather such valuable data.

THE CODING AND SCRAMBLING PROCESSES deal with whole words or groups of words. Enciphering is usually done at the level of individual characters or electrical (binary) bits of information where substitution completely alters the information.

Imagine a time interval during which a person can operate a switch to enter an electrical pulse--labeled a one--or decide not to enter a pulse--labeled a zero. Each choice of one or zero carries one bit of information. The bit string, or bit stream, matters later when considering the ability of a cipher to withstand attack. A robust cipher has what is called the avalanche property: changing a single bit anywhere in the plaintext (or the key) changes, on average, about half of the bits in the ciphertext, so that closely related plaintexts produce unrelated-looking ciphertexts.

Modern encryption is based on the use of algorithms, key variables, binary, and other modular arithmetics. Evaluating the merits of one cryptotechnique against another requires some understanding of the mathematical concept that makes one system withstand attack better than another system.

One of the early substitution ciphers is credited to Julius Caesar. Given twenty-six letters placed in a circle, in sequence A to Z, substitution letters for the original letters are selected by shifting a specified number of places in a specified direction. If the shift were three places to the right, then D would substitute for A, E for B, and so on. In the earlier example the word SENSITIVE in a Caesar cipher is VHQVLWLYH.

The method of attack on the Caesar cipher, testing all displacements to decipher the message, is called a key search. In this case the key value was three. The larger the universe of characters available for use in substitution and the larger the universe of key values, the more difficult the key search. Although a cipher can be attacked in many ways, obtaining the key by any method means victory for the cryptanalyst.

The Caesar cipher, a monoalphabetic substitution, is extremely weak: the attacker need only try the twenty-five possible displacements until meaningful plaintext appears. It leaks in other ways as well. Because each plaintext letter is always replaced by the same ciphertext letter, the pattern of repeated letters survives encipherment--the repeated S, I, and E of SENSITIVE show up as the repeated V, L, and H of VHQVLWLYH--and letter frequencies in the ciphertext mirror those of the language, giving the analyst clues even without a key search.
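The following example, added here and not part of the original article, implements the Caesar shift, runs the key search just described, and checks the repeated-letter pattern that a monoalphabetic substitution preserves. The English letter-frequency table and the sample sentence are constructed for the example; ranking candidates by a simple frequency score is the example's own choice, not something the article specifies.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift each letter `shift` places to the right around the 26-letter circle.
    Non-letters pass through unchanged; decrypt with caesar(ciphertext, -shift)."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


# Approximate relative frequencies (percent) of letters in English text,
# used only to score how English-like a candidate decipherment looks.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}


def english_score(text: str) -> float:
    """Sum of the frequency weights of the letters; higher is more English-like."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def key_search(ciphertext: str):
    """Exhaustive key search: try every one of the 25 non-trivial displacements
    and rank the candidate plaintexts, best guess first, as (score, key, text)."""
    candidates = []
    for key in range(1, 26):
        candidate = caesar(ciphertext, -key)
        candidates.append((english_score(candidate), key, candidate))
    candidates.sort(reverse=True)
    return candidates


def letter_pattern(word: str):
    """Canonical repeated-letter pattern, e.g. SENSITIVE -> (0,1,2,0,3,4,3,5,1).
    Any monoalphabetic substitution, Caesar included, preserves this pattern,
    which is why a word like SENSITIVE hands the analyst extra clues."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in word.upper())


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    message = "SENSITIVE ESTATE NOTES SEEN AT TEN"
    ciphertext = caesar(message, 3)
    print("ciphertext:", ciphertext)
    for score, key, text in key_search(ciphertext)[:3]:
        print(f"key={key:2d} score={score:6.1f} {text}")
    print("pattern preserved:",
          letter_pattern("SENSITIVE") == letter_pattern(caesar("SENSITIVE", 3)))
```

The search tries all twenty-five keys in a fraction of a second, which is the whole point of the article's remark that the Caesar key space is too small; the frequency score is what lets the attacker pick the right candidate out of the list without reading all twenty-five by eye.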

The Caesar cipher could have been strengthened by combining a code with the cipher to hide the message more deeply. An important class of systems called nomenclators did exactly that, combining code and cipher, from about 1400 A.D. and remaining in use for some 450 years. The polyalphabetic cipher that eventually superseded such monoalphabetic systems was described in the 1460s by Leon Battista Alberti, often called the father of Western cryptography, reportedly after a conversation with the papal secretary Leonardo Dato.

Ciphering in modern times using digital computers involves representing the message by numbers formed of binary digits and manipulating those numbers through the substitution, transposition, and arithmetic processes defined by the algorithm. Faced with high-powered computer attacks, modern ciphers use relatively large numbers, that is, keys and intermediate values of 64, 128, or more bits.

A key search is similar to picking six numbers out of forty-two to win the state lottery. Imagine all of the people playing as the equivalent of parallel computers. While the odds of picking the winning six numbers are on the order of 5 million to one, people do win. So to protect the key against attack, a pool of numbers needs to be created that is larger than an exhaustive key search can test economically.

As the power of computers increases, what is considered a large number today may change tomorrow. Since large is a relative term, it should be defined for cryptographic purposes, that is, for selection of the cipher key.

Consider that the number 1,000,000, which in personal terms is still considered large, is written with seven decimal digits. A key of 56 or 128 bits is by comparison a large number: 2^56 is a 17-digit number and 2^128 a 39-digit one. If the key pool is built from the product of two large prime numbers, as in the public-key ciphers described later, the selection comes from a pool considered computationally secure in today's terms. Functions that involve raising numbers to large powers (modular exponentiation) further increase the difficulty of a key search.

In the hundreds of years since modern ciphers were introduced, the number and variety of techniques tested and applied are only of academic interest and will not be addressed. Of interest here are the current methods and the means to assess their value in a company's applications.

The data encryption standard (DES), approved as a federal standard in 1976 and published as FIPS 46 in 1977, is based on IBM's proprietary encipherment algorithm, Lucifer, which was developed in the early 1970s and submitted to the U.S. National Bureau of Standards (NBS) in response to its 1973 solicitation. NBS is now known as the National Institute of Standards and Technology (NIST). IBM agreed to provide nonexclusive, royalty-free licenses for the manufacture or sale of DES devices in the United States.

The DES had to meet the general requirements of NBS.

* Provide a high level of security

* Be completely specified and easy to understand

* Demonstrate that the security provided by the algorithm does not depend on the secrecy of the algorithm

* Be economical to implement in electronic devices

Practical ciphers, those that are economical to implement, are at best conditionally secure--as described earlier, they can all be broken if enough computational power is available. Analysis of the strength of a cipher therefore comes down to evaluating the difficulty of the computational tasks involved and finding the attack with the least work factor.

Let's apply one of the methods of attack, exhaustive search, to the DES to evaluate the cost and time required.

Given: Cryptanalyst has corresponding pairs of plaintext and ciphertext and, of course, the algorithm.

Attack: Test all possible keys by enciphering the plaintext and comparing to ciphertext--a key search.

The time needed to exhaust the key domain, which is all possible keys, depends on the encipherment time and the size of the domain. DES uses a 64-bit key of which 56 bits are entered into the algorithm; the remaining 8 bits are parity bits, so the effective key domain is 2^56, about 7.2 × 10^16 keys.

How fast can an encipher-and-test be done against known ciphertext? For DES, a slow device takes about 0.1 seconds per key. With a single such device, testing all possible keys would take about 228 million years. Using a faster enciphering device (5 microseconds per key), it would take about 11,000 years. To speed the process up, a million devices running in parallel, each testing a key every microsecond, would reduce the full search to about twenty hours. Since on average the key is found after testing only one-half of the key domain, the expected time would be about ten hours.

Applying computational power with a hypothetical machine drives the time to just ten hours. But at what cost? And is the ten-hour delay between the start of the key search and the start of decryption of everything previously gathered acceptable? It is if the intercepted information loses its value in less than ten hours. For example, insider information about today's stock market that was communicated at market opening is safe if it cannot be decrypted until after the market closes.

In the late 1980s, published estimates for constructing a machine to do an uninterrupted exhaustive key search of DES ranged from $20 million to $200 million, with electrical power requirements estimated at 2 million to 12 million watts. Informal estimates in 1992 put the lower cost figure at about $1 million. Constructing such a machine is still a major task and cost-prohibitive for all but the best-funded attackers, though each such revision lowers the bar.

Wiretapping an unsecured telephone requires from $5 to $100 worth of equipment, and microwave or satellite monitoring costs about $20,000. Installing an enciphering device drives the cost of the information gatherer's deciphering equipment extremely high. Large companies now have mainframes and minicomputers with exceptional power compared to computers even three years old, and parallel machines will provide still more. Added computing power, however, favors the defender: each additional bit of key doubles the attacker's search, while the cost of enciphering with the longer key grows only marginally, so encryption becomes tougher faster than code-cracking ability improves.

To defeat a cryptanalyst, the key domain needs to be large enough to make a key search expensive, and keys need to be chosen randomly and screened to avoid what are called weak or semi-weak keys, which leave patterns that permit decipherment. (DES has four weak keys, under which enciphering twice returns the plaintext, and twelve semi-weak keys that come in pairs; a careful implementation refuses them.) A robust algorithm, such as DES, processes the plaintext in a way that leaves no usable correlation between ciphertext and plaintext. With DES, changing only one bit of the plaintext or the key changes the ciphertext beyond recognition.

Two indicators suggest the soundness of DES. First, major banking concerns around the world rely on this algorithm, some for more than fifteen years. Second, no successful attack on DES has been publicly reported. Those indicators have a time limit, however: it is the 56-bit key length rather than the algorithm that sets the ceiling on DES strength, and a key search that is cost-prohibitive today becomes affordable as hardware gets cheaper. If DES becomes suspect, the practical remedy is to lengthen the effective key without changing the algorithm by applying DES more than once with independent keys (triple DES), an approach already used in financial key-management standards.

Purchasers should remember that DES-equipped products are not necessarily compatible with one another, because manufacturers' implementations of the standard differ. The standard permits several options--among them the mode of operation (electronic codebook, cipher block chaining, or the feedback modes) and the handling of initialization values and key loading--and equipment cannot automatically mix and match.

COMMERCIAL PROPRIETARY ALGORITHMS, implemented as either hardware or software, are installed in a variety of voice and data security devices. They vary in key length, method of key generation, complexity of processing, and other factors that make a cipher difficult to break. Proprietary algorithms are usually kept secret. However, to ensure that a cipher can resist vigorous attack, the assumption is always made that the enemy has knowledge of the algorithm and copies of corresponding plaintext and ciphertext. It is secrecy of the key that must provide the strength--the principle Auguste Kerckhoffs stated in 1883.

If the complexity of the algorithm is based on a mathematical problem that is computationally hard to solve, it has an implied strength, but currently there are no relative-strength tests based on complexity. Key size, and how long it takes to exhaust the key domain, set an upper limit on cipher strength, and that upper limit is the best available description. An exhaustive key search is the attack of last resort if all else fails; all else includes examining the plaintext and ciphertext for weak keys that readily reveal the message.

A question often asked by potential users is: "Is a proprietary algorithm as good as the DES algorithm, and is DES as good as a government classified algorithm?" The answer lies in defining good, and that definition is partly related to who is attacking the algorithm and with what resources.

For an answer, let's measure a Motorola Inc. proprietary algorithm against the DES. DVI is a Motorola proprietary encryption algorithm developed for international application. DVI is widely used in Motorola Land Mobile Product radio systems and in a series of SECTEL telecommunications security products. As with DES, police, government, commercial, and industrial entities around the world depend on DVI security, and, as with DES, no successful attack on DVI has been publicly reported.

Earlier it was observed that DES uses a 64-bit key of which only fifty-six bits are actually entered into the algorithm. DVI also uses a 64-bit key, but all 64 bits are used in the algorithm. Applying the exhaustive key search criteria described above for DES--one test per microsecond on a million devices in parallel--a 64-bit key requires about 213 days for a full search, or about 107 days on average, rather than the ten-hour average at 56 bits: each of the eight extra bits doubles the work, a factor of 256 overall. Given that the DVI key is sufficiently random, its strength against a key search is at least as good as DES. The DVI algorithm has added strength in that the user enters a 512-bit second, internal key. This second key permits networks to customize their encryptors; only those with the same internal key and external key can decipher the information.
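The following example, added here and not part of the original article, is the arithmetic behind the key-search estimates given above for the 56-bit DES key and the 64-bit DVI key, generalized so that any key length, test speed, and degree of parallelism can be plugged in. The figures it reproduces are the article's own; the per-test speeds and the million-device count are the article's assumptions, and the "devices needed" function turns the question around to ask what an attacker must buy to hold a fixed deadline as the key grows.

```python
SECONDS_PER_HOUR = 3600.0
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def key_domain(key_bits: int) -> int:
    """Number of distinct keys an exhaustive search must consider."""
    return 2 ** key_bits


def search_seconds(key_bits: int, seconds_per_test: float,
                   devices: int = 1, fraction: float = 1.0) -> float:
    """Wall-clock seconds to test `fraction` of the key domain using `devices`
    testers in parallel, each taking `seconds_per_test` per trial key."""
    return key_domain(key_bits) * fraction * seconds_per_test / devices


def expected_seconds(key_bits: int, seconds_per_test: float, devices: int = 1) -> float:
    """On average the right key turns up after half the domain has been tried."""
    return search_seconds(key_bits, seconds_per_test, devices, fraction=0.5)


def devices_needed(key_bits: int, seconds_per_test: float,
                   target_seconds: float, fraction: float = 0.5) -> float:
    """How many parallel testers it takes to finish `fraction` of the domain
    within `target_seconds`; the attacker's bill grows by 2x per key bit."""
    return key_domain(key_bits) * fraction * seconds_per_test / target_seconds


def describe(seconds: float) -> str:
    """Human-readable duration in the unit the article uses for that range."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:,.0f} years"
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:,.0f} days"
    return f"{seconds / SECONDS_PER_HOUR:,.1f} hours"


def article_table() -> dict:
    """The article's scenarios: slow device, fast device, a million fast
    devices in parallel (full search and expected), and the 64-bit comparison."""
    million = 10 ** 6
    return {
        "56-bit, 0.1 s/test, 1 device": describe(search_seconds(56, 0.1)),
        "56-bit, 5 us/test, 1 device": describe(search_seconds(56, 5e-6)),
        "56-bit, 1 us/test, 1e6 devices, full": describe(search_seconds(56, 1e-6, million)),
        "56-bit, 1 us/test, 1e6 devices, expected": describe(expected_seconds(56, 1e-6, million)),
        "64-bit, 1 us/test, 1e6 devices, full": describe(search_seconds(64, 1e-6, million)),
        "64-bit, 1 us/test, 1e6 devices, expected": describe(expected_seconds(64, 1e-6, million)),
    }


if __name__ == "__main__":
    for scenario, duration in article_table().items():
        print(f"{scenario:45s} {duration}")
    needed = devices_needed(64, 1e-6, 10 * SECONDS_PER_HOUR)
    print(f"devices to keep a 10-hour expected search at 64 bits: {needed:,.0f}")
```

The table reproduces the 228-million-year, 11,000-year, twenty-hour, and ten-hour figures for 56 bits and the roughly 107-day expected search for 64 bits. Holding the ten-hour deadline at 64 bits requires about 256 million devices rather than one million, which is the doubling-per-bit argument in numbers.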

DVI is just one example of a proprietary algorithm. Proprietary algorithms are not necessarily equal, and all algorithms using a given key length are not necessarily equal. If, for example, the algorithm does not respond to small changes in the clear text, the ciphertext will provide clues to the analyst. Just reading a specification on key lengths is insufficient for the buyer.

BOTH DES AND DVI ARE CALLED symmetric ciphers because the same secret key is shared by each communicating pair--sender and receiver. In 1976 W. Diffie and M. E. Hellman proposed a new kind of cipher system, public key, that is now in popular use. A public key cipher is asymmetric: each receiver publishes a public, or nonsecret, key for the encipherment process while holding a secret key for decipherment. The relationship between the keys is such that, given the encrypt key, a person cannot feasibly derive the decrypt key.

The encipher and decipher keys are related and chosen from a large universe of possible keys. The starting key is a random value that can be generated in the equipment. Anyone given the public encipher key can encipher information and send it to the one person who can perform the decipherment.

The RSA public-key cipher was named for its creators, R. L. Rivest, A. Shamir, and L. M. Adleman, all members of the Massachusetts Institute of Technology (MIT) Laboratory for Computer Science at the time. In this cipher, the product of two large and different prime numbers forms the key modulus. A successful attack by factoring that product to recover the primes is possible but at huge cost. Because the encipher key can be published, a fresh session key can be established for each secure call without any prior secret exchange, and a new key for each call creates a high level of security.

Public key ciphering technique is effective but has the drawback of having longer processing times than symmetrical systems. If used as the only cipher in protecting a telephone call, public key ciphering can introduce delays that are distracting. However, the public key method serves as an effective key management system. Two people who have never met and who have never personally exchanged or received secret key information could safely use the public key cipher to exchange secret keys for a cipher like DES. The faster symmetrical cipher could then be used to exchange information.

For the symmetric key exchange, each participant can contribute a portion of the secret value of the common key. The contributions are exchanged as public values because, as before, only the holder of the corresponding secret key can recover the secret portion. This method of key distribution, allowing two people who have never met or previously exchanged key information to communicate securely, opens up the ability to distribute secure communicating devices globally. But if two parties have never communicated, how does one party know the other is who he or she claims to be, and, moreover, how does one prevent a third party from sitting in the middle and substituting public values of its own? The answer is to introduce a valid method of authentication.
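The following example, added here and not part of the original article, shows the Diffie-Hellman style exchange described above in working form: each side keeps a secret exponent, sends only a public value, and both derive the same session key for a symmetric cipher. It then shows the problem raised at the end of the paragraph, an unauthenticated exchange with a third party substituting values of its own. The group parameters (the 127-bit prime 2^127 - 1 with generator 5) and the hashing of the agreed secret down to a 64-bit key are assumptions made for illustration; real deployments use standardized groups of 2048 bits or more.

```python
import hashlib
import secrets

# Toy group parameters, an assumption for this example: P is the Mersenne
# prime 2^127 - 1 and G = 5. Real deployments use standardized 2048+ bit groups.
P = 2**127 - 1
G = 5


def private_value() -> int:
    """A random secret exponent in [2, P-2]; each party keeps its own."""
    return 2 + secrets.randbelow(P - 3)


def public_value(secret: int) -> int:
    """The only thing sent on the wire: g^secret mod p."""
    return pow(G, secret, P)


def shared_secret(their_public: int, my_secret: int) -> int:
    """Combine their public value with my secret; both sides arrive at g^(ab)."""
    if not 1 < their_public < P - 1:
        raise ValueError("degenerate public value rejected")
    return pow(their_public, my_secret, P)


def session_key(secret: int) -> bytes:
    """Derive a 64-bit key for a DES-sized symmetric cipher from the agreed
    secret. Hashing and truncating to 8 bytes is an illustrative choice."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()[:8]


def honest_exchange(a: int, b: int):
    """Alice (secret a) and Bob (secret b) exchange public values only and
    derive the same session key without any prior shared secret."""
    A, B = public_value(a), public_value(b)          # the two wire messages
    k_alice = session_key(shared_secret(B, a))
    k_bob = session_key(shared_secret(A, b))
    return k_alice, k_bob


def mitm_exchange(a: int, b: int, m1: int, m2: int):
    """The same exchange with Mallory (secrets m1, m2) in the middle. She
    replaces Alice's public value with hers on the way to Bob and Bob's with
    hers on the way to Alice; each victim ends up sharing a key with Mallory
    rather than with the other, and nothing in the exchange reveals it."""
    A, B = public_value(a), public_value(b)
    M1, M2 = public_value(m1), public_value(m2)
    k_alice = session_key(shared_secret(M1, a))      # Alice believes M1 is Bob's
    k_bob = session_key(shared_secret(M2, b))        # Bob believes M2 is Alice's
    k_mallory_with_alice = session_key(shared_secret(A, m1))
    k_mallory_with_bob = session_key(shared_secret(B, m2))
    return k_alice, k_bob, k_mallory_with_alice, k_mallory_with_bob


if __name__ == "__main__":
    a, b = private_value(), private_value()
    ka, kb = honest_exchange(a, b)
    print("honest exchange, keys match:", ka == kb)
    ka, kb, ma, mb = mitm_exchange(a, b, private_value(), private_value())
    print("with Mallory: Alice==Bob?", ka == kb,
          " Alice==Mallory?", ka == ma, " Bob==Mallory?", kb == mb)
```

Nothing in the honest exchange tells Alice that the public value she received came from Bob rather than from Mallory, which is exactly why the article goes on to require authentication before the agreed key can be trusted.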

A general method of authentication is a registry of public keys. Each sender knows the public key of the receiver, and without the corresponding secret key a third party cannot respond properly. Another method is to have a central authority, such as a key certification authority, issue each registrant a certificate: a block stating the registrant's identity and public key, signed with the authority's secret key. Anyone holding the authority's public key--which is distributed universally--can check the signature, but only the authority can produce it. With this capability, two registered users can identify each other as vouched for by the central authority without ever having to meet.
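The following example, added here and not part of the original article, puts the two ideas of the preceding paragraphs together: an RSA key built from the product of two primes, and a certification authority that signs each registrant's identity and public key so that anyone holding the authority's public key can verify the block but no one else can issue it. The authority's keypair here is built from two publicly known primes, which is an assumption for demonstration only and protects nothing; the registrant's public key is a constructed byte string, and the block layout (a length-prefixed name followed by the key) is the example's own.

```python
import hashlib

E = 65537  # the customary public exponent


def make_keypair(p: int, q: int):
    """Textbook RSA: modulus n = p*q, public key (n, e), secret key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)           # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


# Certification authority keypair. ASSUMPTION for this example only: the factors
# are the publicly known Mersenne primes 2^127-1 and 2^521-1, so the key protects
# nothing; a real authority generates secret primes of 1024 bits or more.
CA_PUBLIC, CA_SECRET = make_keypair(2**127 - 1, 2**521 - 1)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, well below the modulus)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(secret_key, message: bytes) -> int:
    n, d = secret_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def encode_entry(name: str, user_public: bytes) -> bytes:
    """Registry block: 2-byte name length, the name, then the user's public key."""
    name_bytes = name.encode("utf-8")
    return len(name_bytes).to_bytes(2, "big") + name_bytes + user_public


def decode_entry(entry: bytes):
    length = int.from_bytes(entry[:2], "big")
    return entry[2:2 + length].decode("utf-8"), entry[2 + length:]


def issue_certificate(name: str, user_public: bytes):
    """Only the authority can do this, because only it holds CA_SECRET."""
    entry = encode_entry(name, user_public)
    return entry, sign(CA_SECRET, entry)


def check_certificate(certificate, expected_name: str):
    """Anyone holding CA_PUBLIC can do this. Returns the registrant's public key
    if the block is genuine and names the expected party, otherwise None."""
    entry, signature = certificate
    if not verify(CA_PUBLIC, entry, signature):
        return None                       # altered block or forged signature
    name, user_public = decode_entry(entry)
    if name != expected_name:
        return None                       # genuine block, but for someone else
    return user_public


if __name__ == "__main__":
    alice_public = bytes(range(32))       # constructed stand-in for Alice's key
    cert = issue_certificate("alice", alice_public)
    print("genuine:", check_certificate(cert, "alice") == alice_public)
    entry, sig = cert
    tampered = entry[:-1] + bytes([entry[-1] ^ 1])
    print("tampered block rejected:", check_certificate((tampered, sig), "alice") is None)
    print("wrong name rejected:", check_certificate(cert, "bob") is None)
```

Signing the hash of the whole block binds the name and the key together, so a third party cannot lift Alice's signed key out of her certificate and present it under another name, and cannot substitute a key of its own without invalidating the authority's signature.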

CONFRONTED WITH THE NEED TO establish controlled access to sensitive information, the information manager is responsible for assessing ways to accomplish the task. Computer hackers popularized the game of illegal entry, accessing and perhaps tainting information files. Stealing commercial secrets is the serious endeavor of well-trained, well-equipped information gatherers. The global monetary stakes can be high.

Consider the pharmaceutical industry, where millions of dollars in research and many years are required to bring a product to market. Total market value may be in the multimillions of dollars. Are competitors willing to invest $100,000 or $500,000 to get this information early? They might be.

The ability of cryptography to protect secret information has evolved over centuries. Before modern computers, cryptanalysis was as much an art form as a science. Cryptanalysts required extraordinary mathematical skill combined with logical ingenuity and intuition. With computers came the ability to apply brute computational force. Given basic information--such as the ciphertext, plaintext, or the algorithm--the faster the computer, the sooner the solution. The cryptographer's answer was to create ciphers computationally complex enough, and of a mathematical size large enough, to make brute-force analysis costly enough to dissuade interested parties from using that approach.

Selection of the encryption system is based on a good-enough principle, which relates the cost of the system and its strengths to the value of the information to be protected. Once the desired level of protection is selected other choices in the decision-making process should be considered--quality of the device, user friendliness, quality of voice reproduction, connectivity over low-quality transmission media, flexibility, utility, size, and data rates. Strong consideration should be given to the ability of the selected system to handle growing organization needs.

The general reference for this article is D. W. Davies and W. L. Price, Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer (New York: John Wiley & Sons, 1984).

Bob Wade is a market development manager of secure telecommunications for Government Electronics Group of Motorola, Inc., in Scottsdale, Arizona.

Businesspeople say to themselves, "I can't wait until we meet face to face," and "I can't afford the time delay if I send it overnight express mail." However, both statements ignore the question, "Can I afford to lose the confidentiality of the information?"

Worldwide competition is heating up. The KGB readily admitted that it considered economic espionage a major part of its job. Several foreign countries have been identified in Congress as having major commercial and industrial information-gathering programs. Former agents are now in the rent-a-spy business. U.S. intellectual property, new product research, and future marketing programs are becoming a gold mine for others. Corporations like IBM and Corning have testified before Congress about losing information worth millions of dollars to French corporations.

Voice and data telecommunications are targeted. Polls indicate that an average of 60 percent of daily business communications is handled by telephone. Sensitive, proprietary information is communicated by voice, fax, and computer over wirelines, microwave links, satellite systems, and fiber-optic lines.

The alternative to limiting information sent over telecommunication media, such as wireline, microwave, and satellite, is to protect the information flow electronically from end to end. Security managers can close avenues of potential loss by instituting procedures for the routine encryption of information. Cryptography has proven to be highly effective against wiretapping and monitoring public and private networks.

The selected cryptographic approach to securing information is based on the assessment of a number of variables: the value of the information, the length of time the information has value, the cost of the product being used to protect the information, and how secure the information is against attack.

CODES DATE BACK AT LEAST TO THE introduction of hieroglyphics. Hieroglyphics are an excellent example of a closely held code, since their meaning was secret until Napoleon's army found the Rosetta stone. The stone linking hieroglyphics to two known languages provided the decoding key.

Over the centuries coding has been in continuous use in military communications, sometimes to the detriment of forces using the codes for protection. The super-secret Enigma code used by German forces during World War II was regularly analyzed by Allied intelligence. The allied forces' ability to read Enigma may have significantly contributed to their ultimate victory. But if super-secret codes can be broken, why use codes at all? The answer lies in the fact that all ciphers can be broken, given certain information and using enough force.

The strength of a cryptographic method is often measured in terms of work factor--the amount of force that can be brought to bear in the analysis of a problem. Force and time are inverse relationships. The higher the force, the shorter the time. For example, if it takes two people, each with a PC, four hours to break the code, how fast can the code be broken with a mainframe? If the work factor cost is high to reach a solution in an acceptable period of time, then the code is considered resistant to cryptanalysis.

Because codes are not only used to protect information for security purposes, coding is better known than other cryptographics. Radio operators typically compress messages by using groups of letters to represent short sentences. For example, QRL equals, "Are you busy?" and QTR equals, "What is the exact time?" Boy Scouts learn Morse code and semaphore (a system of signaling information with hands, flags, or special apparatus). Citizens band radio users use number equivalents such as 10-4 for an affirmative response and 15 for determining another's location. Whatever the purpose, if a person is not familiar with the code used, the code hides the message.

Replacing words or numbers by code equivalents drawn from a code book and the use of matching code books for decoding constitutes the entire coding process. Saying, "What's your 15?" to someone not familiar with the code book should draw a blank stare. Repetition, however, can reveal the meaning of code words, so better code books use multiple equivalents for the same word.

Equivalents are chosen in a random manner to create a variation that will further obscure the code. Greater protection is provided when no repetition of the code word exists in the same message. If an important word in the message bears repetition in the clear text, it requires using more than one code word equivalent in the coded text.

The greater the number of choices, the larger the book gets. The more people and locations involved, the larger the number of books and the wider the distribution. Coding is not recommended for protecting large amounts of computer data because of the huge demand on storage and look-up time.

Since codes have essentially infinite substitutes available, they are still considered useful in protecting communications, particularly when few people are involved. For large groups, the drawback is in the need to exchange a large amount of information in advance and keep that information private. The exchange and storage of codes is definitely a management problem, not a cryptographic problem.

Code management methods can increase effectiveness. Many methods are available, including time-of-day codes, where the code changes at selected intervals, and one-time codes, which are discarded after each use. Generation, storage, distribution, and code look-up time are all security management problems faced when choosing code as the method of safeguarding information. While similar security management problems are associated with all types of encipherment, the electronic techniques used in scrambling and encryption can make the process virtually transparent to the user.

The term scramble is often misused as a synonym for encryption, encoding, enciphering, and cryptography in general. Misuse is not limited to novices. Experts in cryptography are likely to talk about scrambling the message regardless of the technique. In this discussion scrambling is the hiding of information by frequency transposition or signal inversion, the engineering methods typically used in commercial scramblers.

Scramblers, like codes and ciphers, are not all equal. Sophisticated radio equipment scrambles with a wide range of frequency and time distribution techniques that are equal to encipherment in their ability to protect messages against cryptanalysis. The equipment is, however, either expensive or not available to the commercial market.

The difference between commercial scrambling and enciphering is illustrated by applying each process to the word SENSITIVE, for example. Scrambling by transposition might yield ETVNISEIS, while ciphering might yield (*)P @F%!>~ LJ. Ciphering completely alters the original information, while scrambling simply rearranges the information. While the equipment needed to unscramble a message is relatively inexpensive--less than $1,000--and readily available, deciphering can require nonstandard equipment and cost millions of dollars.

When evaluating one cryptographic process against another, keep in mind that the amount of money spent to code, encrypt, and scramble must be weighed against the value of the information at its discovery. This is one measure of the required goodness of a cryptographic process. On that basis, inexpensive commercial scramblers--$80 to $1,500--can be the right choice for information that requires only short-term protection--one hour to a few days.

For example, where the protection of a potential order for goods that provide $1,500 to the bottom line is at stake, payback on a $1,500 scrambler is provided by a single secure call that blocks a competitor's wiretap translation until the order is signed. If it were a $100-million merger requiring six months to close, the scrambler purchase would need to be reevaluated in light of the cryptoanalytic force that might be applied to gather such valuable data.

THE CODING AND SCRAMBLING PROCESSES deal with whole words or groups of words. Enciphering is usually done at the level of individual characters or electrical (binary) bits of information where substitution completely alters the information.

Imagine a time interval during which a person can operate a switch to enter an electrical pulse--labeled a one--or decide not to enter an electrical pulse--labeled a zero. Each choice of one or zero is equally important, representing one bit of information. The bit string or stream is important later when considering the ability of a cipher to withstand attack. A robust cipher is one that can change the value of 50 percent of the bits in the ciphertext with the change of only one bit anywhere in the plaintext.

Modern encryption is based on the use of algorithms, key variables, binary, and other modular arithmetics. Evaluating the merits of one cryptotechnique against another requires some understanding of the mathematical concept that makes one system withstand attack better than another system.

One of the early substitution ciphers is credited to Julius Caesar. Given twenty-six letters placed in a circle, in sequence A to Z, substitution letters for the original letters are selected by shifting a specified number of places in a specified direction. If the shift were three places to the right, then D would substitute for A, E for B, and so on. In the earlier example the word SENSITIVE in a Caesar cipher is VHQVLWLYH.

The method of attack on the Caesar cipher, testing all displacements to decipher the message, is called a key search. In this case the key value was three. The larger the universe of characters available for use in substitution and the larger the universe of key values, the more difficult the key search. Although a cipher can be attacked in many ways, obtaining the key by any method means victory for the cryptanalyst.

The Caesar cipher, a monoalphabetic substitution, is extremely weak, requiring only that all possible displacements of one to twenty-five letters are tested until meaningful plaintext becomes obvious. The sender would have to avoid words like SENSITIVE with repetitive letters in the substitution that provide additional clues.

The Caesar cipher could have had increased strength by combining code with the ciphering to more deeply encrypt the message. An important class of cryptography called Nomenclatures combined code and cipher in about 1400 A.D. and was used for approximately 450 years. Nomenclature was invented by Leonardo Dato, considered the father of modern cryptography.

Ciphering in modern times using digital computers involves representation of the message by numbers formed by digital bits and the manipulation of those numbers through substitution, transposition, and arithmetic processes related to the algorithm. Faced with high-power computer attacks, modern ciphers use relatively large numbers, that is, mathematical values that create strings of digits where 64, 128, or more digits are common.

A key search is similar to picking six numbers out of forty-two to win the state lottery. Imagine all of the people playing as the equivalent of parallel computers. While the odds of picking the winning six numbers are on the order of 5 million to one, people do win. So to protect the key against attack, a pool of numbers needs to be created that is larger than an exhaustive key search can test economically.

As the power of computers increases, what is considered a large number today may change tomorrow. Since large is a relative term, it should be defined for cryptographic purposes, that is, for selection of the cipher key.

Consider that the number 1,000,000, which in personal terms is still considered large, is represented in decimal form by seven digits. A number with 56 or 128 digits is by comparison a large number. Then, if a number pool for the cipher key were created out of the product of two large numbers, the selection would be from a pool considered computationally secure in today's terms. Furthermore, functions that involve raising numbers to powers of large numbers should be created to increase the difficulty of a key search.

In the hundreds of years since modern ciphers were introduced, the number and variety of techniques tested and applied are only of academic interest and will not be addressed. Of interest here are the current methods and the means to assess their value in a company's applications.

The data encryption standard (DES), which was adopted in 1976, is based on IBM's proprietary encipherment algorithm, Lucifer, which was invented in the early 1970s and offered to the U.S. National Bureau of Standards (NBS) in 1973. NBS is now known as the National Institute of Standards and Technology (NIST). IBM agreed to provide nonexclusive, royalty-free licenses for manufacture or sale of DES devices in the United States.

The DES had to meet the general requirements of NBS.

* Provide a high level of security

* Be completely specified and easy to understand

* Demonstrate that the security provided by the algorithm is not based on the secrecy of the algorithm

* Be economical to implement in electronic devices

Practical ciphers, those that are economical to implement, are at best conditionally secure--they all can be broken if, as described earlier, enough computational power is available. So analysis of the strength of ciphers depends on evaluating the difficulty of computational tasks and finding methods with the least work factor.

Let's apply one of the methods of attack, exhaustive search, to the DES to evaluate the cost and time required.

Given: Cryptanalyst has corresponding pairs of plaintext and ciphertext and, of course, the algorithm.

Attack: Test all possible keys by enciphering the plaintext and comparing to ciphertext--a key search.

The time needed to exhaust the key domain, which is all possible keys, is related to the encipherment time and the size of the domain. DES uses a 64-bit key of which 56 bits are entered into the appropriate algorithm.

How fast can an encipher and test be done against known ciphertext? For DES, the slowest encipher time is about 0.1 seconds. If only one device is used, the time to test all possible keys is about 228 million years. Using a faster enciphering device (.000005 seconds), it would take 11,000 years. To speed the process up, parallel devices could be used with speeds as fast as .000001 seconds and reduce the time to twenty hours. Then, if on an average the key is found after testing only one-half of the key domain, the process would take only ten hours.

Applying computational power with a mythical machine drives the time to just ten hours. But at what cost? And, is the ten-hour time delay between someone starting the key search and then starting to decrypt all previously gathered information acceptable? It is acceptable if the intercepted information loses its value in less than ten hours. For example, insider information about today's stock market that was communicated at market opening is safe if decrypted after the market closed.
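The Caesar key search described earlier and the exhaustive-search arithmetic just applied to DES, worked through as an added example (this code is not from the original article). The Caesar cipher, the repetition-pattern check and the cost model are written here; the DES timings assume the per-test speeds, the million parallel devices and the half-domain average that the article uses.

```python
import string

ALPHABET = string.ascii_uppercase          # the 26-letter circle, A to Z
SECONDS_PER_YEAR = 365 * 24 * 3600


def caesar(text, shift):
    """Shift each letter `shift` places to the right around the A-Z circle."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text.upper()
    )


def key_search(plaintext, ciphertext):
    """Known-plaintext key search: test every displacement 1..25 and return
    the one that maps the known plaintext onto the observed ciphertext."""
    for k in range(1, 26):
        if caesar(plaintext, k) == ciphertext:
            return k
    return None


def repetition_pattern(word):
    """Letter-repetition fingerprint, e.g. SENSITIVE -> (0,1,2,0,3,4,3,5,1).
    A monoalphabetic substitution preserves it exactly, which is the extra
    clue the article warns that words with repeated letters give away."""
    seen = {}
    return tuple(seen.setdefault(c, len(seen)) for c in word)


def search_seconds(key_bits, seconds_per_test, parallel_devices=1, fraction=1.0):
    """Seconds to test `fraction` of a domain of 2**key_bits keys, with
    `parallel_devices` machines each needing `seconds_per_test` per
    encipher-and-compare. fraction=0.5 is the 'found halfway on average' case."""
    return (2 ** key_bits) * fraction * seconds_per_test / parallel_devices


def des_search_table():
    """The article's scenarios for a 56-bit DES key and the 64-bit comparison,
    converted to the units the article quotes (years, hours, days)."""
    return {
        "one slow device (0.1 s), years": search_seconds(56, 0.1) / SECONDS_PER_YEAR,
        "one fast device (5e-6 s), years": search_seconds(56, 5e-6) / SECONDS_PER_YEAR,
        "one million devices (1e-6 s), hours": search_seconds(56, 1e-6, 10**6) / 3600,
        "same, average (half the domain), hours": search_seconds(56, 1e-6, 10**6, 0.5) / 3600,
        "64-bit key, same machine, average, days": search_seconds(64, 1e-6, 10**6, 0.5) / 86400,
    }


if __name__ == "__main__":
    ct = caesar("SENSITIVE", 3)                      # VHQVLWLYH, as in the article
    print(ct, "recovered key:", key_search("SENSITIVE", ct))
    print("pattern preserved:", repetition_pattern("SENSITIVE") == repetition_pattern(ct))
    for label, value in des_search_table().items():
        print(f"{label}: {value:,.1f}")
```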

In the late 1980s, published estimates for constructing a machine to do an uninterrupted exhaustive key search of DES varied from $20 million to $200 million and the electrical power needed to run it varied in estimate from 2 million to 12 million watts. Informal estimates in 1992 move the lower cost estimate to about $1 million. Clearly, constructing such a machine is still a major task and cost prohibitive.

The cost of wiretapping an unsecured telephone requires from $5 to $100 worth of equipment, and the cost of microwave or satellite monitoring is about $20,000. Installing an enciphering device can drive the cost for the information gatherer's deciphering equipment extremely high. Large companies now have mainframes and mini-computers that have exceptional power compared to computers even three years old. Parallel machines will provide even more power. However, given additional computing power, the encryption becomes tougher at a faster rate than the code-cracking ability.

To defeat a cryptanalyst, the key domain needs to be sufficiently large to make the key search expensive and sufficiently random to prevent successful attack against what is called weak or semi-weak keys. This class of key may leave similarities or patterns that permit decipherment. A robust algorithm, such as DES, processes the plaintext in a way that makes it impossible to find any correlation between ciphertext and plaintext. With DES, the change of value of only one input character of the plaintext will cause the ciphertext to change beyond recognition.

Two examples provide indications of the security of DES. First, major banking concerns around the world rely on this algorithm, some for more than fifteen years. Second, no known incident of a successful attack has occurred on DES. If DES becomes suspect, NIST could increase the key length rather than change the algorithm.

Purchasers should remember that DES-equipped products are not necessarily compatible because manufacturers' implementations of the standard are not the same. Several options are within the standard that permit these variations, but equipment cannot automatically mix and match.

COMMERCIAL PROPRIETARY ALGORITHMS, implemented as either hardware or software, are installed in a variety of voice and data security devices. They vary in key length, method of key generation, complexity of processing, and other factors that make a cipher difficult to break. Proprietary algorithms are usually kept secret. However, to ensure that a cipher can resist vigorous attack, the assumption is always made that the enemy has knowledge of the algorithm and copies of corresponding plaintext and ciphertext. It is secrecy of the key that must provide the strength.

If the complexity of the algorithm is based on a mathematical problem that is computationally hard to solve, it has an implied strength. Currently no relative strength tests are based on complexity. Key size and how long it takes to exhaust the key domain set upper limits that best describe cipher strength. Doing an exhaustive key search may be the last option to try if all else fails. All else includes examining the plaintext and ciphertext for weak keys that readily reveal the message.

A question often asked by potential users is: "Is a proprietary algorithm as good as the DES algorithm, and is DES as good as a government classified algorithm?" The answer lies in defining good, and that definition is partly related to who is attacking the algorithm and with what resources.

For an answer, let's measure a Motorola Inc. proprietary algorithm against the DES. DVI is a Motorola proprietary encryption algorithm developed for international application. DVI is widely used in Motorola Land Mobile Product radio systems and in a series of SECTEL telecommunications security products. As with DES, police, government, commercial, and industrial entities around the world depend on DVI security. And as with DES, no known successful attacks on DVI have occurred.

Earlier it was observed that DES uses a 64-bit key of which only fifty-six bits are actually entered into the algorithm. DVI also uses a 64-bit key, of which all 64 bits are used in the algorithm. Using the exhaustive key search criteria described above for the DES, it is found that for the fastest key searching time (.000001 seconds) and running a million tests in parallel, a 64-bit key requires 107 days for a full search rather than the 10 hours required at 56 bits. Given that the DVI key is sufficiently random, its strength against a key search is at least as good as DES. The DVI algorithm has added strength by having the user enter a 512-bit second internal key. This second key permits networks to customize their encryptors. Only those with the same internal key and external key can decipher the information.

DVI is just one example of a proprietary algorithm. Proprietary algorithms are not necessarily equal, and all algorithms using a given key length are not necessarily equal. If, for example, the algorithm does not respond to small changes in the clear text, the ciphertext will provide clues to the analyst. Just reading a specification on key lengths is insufficient for the buyer.

BOTH DES AND DVI ARE CALLED symmetric ciphers because the secret key is shared by each communicating pair--sender and receiver. In 1976 W. Diffie and M. E. Hellman proposed a new cipher system, public key, that is now in popular use. Public key is an asymmetrical cipher that allows each sender to provide a public, or nonsecret, key for the encipherment process while holding a secret key for decipherment. The relationship between keys is such that given the encrypt key a person cannot easily derive the decrypt key.

The encipher and decipher keys are related and chosen from a large universe of possible keys. The starting key is a random value that can be generated in the equipment. Anyone given the public encipher key can encipher information and send it to the one person who can perform the decipherment.

The RSA public cipher was named for creators R. L. Rivest, A. Shamir, and L. M. Adleman, all members of the Massachusetts Institute of Technology (MIT) Laboratory for Computer Science at that time. In this cipher, the product of two large and different prime numbers is used to form the key. Successful attack by factoring to discover the primes is possible but at huge costs. Since the key is asymmetrical, a session key for each secure call can be generated. A new key for each call creates a high level of security.

Public key ciphering technique is effective but has the drawback of having longer processing times than symmetrical systems. If used as the only cipher in protecting a telephone call, public key ciphering can introduce delays that are distracting. However, the public key method serves as an effective key management system. Two people who have never met and who have never personally exchanged or received secret key information could safely use the public key cipher to exchange secret keys for a cipher like DES. The faster symmetrical cipher could then be used to exchange information.

For the symmetrical key exchange, each participant can contribute a portion of the secret value of the common key. The information is exchanged as public values because, as before, only the holder of the secret portion of the public key can decipher the message. This method of key distribution, allowing two people who have never met or previously exchanged key information to communicate securely, opens up the ability to distribute secure communicating devices globally. But, if two parties have never communicated, how does one party know the other is who he or she should be, and moreover, how does one prevent a third party from interfering with the original message? The answer is to introduce a valid method of authentication.
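The public key method of key management just described, as an added example that is not from the original article: a toy RSA keypair built from two small constructed primes, each party contributing a share of the session key under the other party's public key, and the trial-division factoring that shows why the real primes must be large. The prime values, the XOR combination of the two shares and the function names are all assumptions made for this illustration.

```python
from math import gcd
import secrets


def make_keypair(p, q, e=17):
    """RSA keypair from two distinct primes (constructed toy values in the
    test; real moduli are hundreds of digits). Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert p != q and gcd(e, phi) == 1, "e must be invertible mod (p-1)(q-1)"
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Anyone holding the public (encipher) key can do this step."""
    e, n = public_key
    assert 0 <= m < n, "message block must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of the secret (decipher) key can do this step."""
    d, n = private_key
    return pow(c, d, n)


def exchange_session_key(alice_private, alice_public, bob_private, bob_public,
                         rng=secrets.randbelow):
    """Each participant contributes a random share, sent under the other
    side's public key; the combined shares become the symmetric session key
    that a fast cipher such as DES would then use for the call itself.
    (Combining by XOR is an assumption of this example.)"""
    limit = min(alice_public[1], bob_public[1])   # shares must fit both moduli
    share_a, share_b = rng(limit), rng(limit)
    to_bob = encrypt(bob_public, share_a)          # only Bob can read share_a
    to_alice = encrypt(alice_public, share_b)      # only Alice can read share_b
    key_at_alice = decrypt(alice_private, to_alice) ^ share_a
    key_at_bob = decrypt(bob_private, to_bob) ^ share_b
    return key_at_alice, key_at_bob


def factor_by_trial_division(n):
    """The factoring attack the article mentions, which is a short loop for a
    toy modulus and infeasible for a properly sized one."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(61, 53)     # constructed toy primes
    bob_pub, bob_priv = make_keypair(101, 113)       # constructed toy primes
    c = encrypt(alice_pub, 65)
    print("ciphertext", c, "-> plaintext", decrypt(alice_priv, c))
    ka, kb = exchange_session_key(alice_priv, alice_pub, bob_priv, bob_pub)
    print("session key agreed:", ka == kb)
    print("toy modulus factors instantly:", factor_by_trial_division(alice_pub[1]))
```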

A general method of authentication is through a registry of public keys. Each sender knows the public key of the receiver, and without the appropriate decryption, a third party cannot properly respond. Another method is to have a central authority, such as a key certification authority, that is able to provide those registered with both a registered public key and a universal public decrypt key. Those who register are given an encrypted message block that is easily read with the universal key but can only be written by the issuing authority. With this capability, two registered users can identify each other as authenticated by the central authority without ever having to meet.

CONFRONTED WITH THE NEED TO establish controlled access to sensitive information, it is the information manager's responsibility to assess ways to accomplish the task. Computer hackers popularized the game of illegal entry, accessing and perhaps tainting information files. Stealing commercial secrets is the serious endeavor of well-trained, well-equipped information gatherers. The global monetary stakes can be high.

Consider the pharmaceutical industry, where millions of dollars in research and many years are required to bring a product to market. Total market value may be in the multimillions of dollars. Are competitors willing to invest $100,000 or $500,000 to get this information early? They might be.

The ability of cryptography to protect secret information has evolved over centuries. Before modern computers, cryptanalysis was as much an art form as a science. Cryptanalysts required extraordinary mathematical skills combined with logical ingenuity and intuition. With computers came the ability to apply brute computational force. Given basic information--such as the ciphertext, plaintext, or the algorithm--the faster the computer, the sooner the solution. The cryptographer's answer was to create ciphers that were computationally complex and of such a mathematical size as to make brute force analysis costly enough to dissuade interested parties from using that approach.

Selection of the encryption system is based on a good-enough principle, which relates the cost of the system and its strengths to the value of the information to be protected. Once the desired level of protection is selected other choices in the decision-making process should be considered--quality of the device, user friendliness, quality of voice reproduction, connectivity over low-quality transmission media, flexibility, utility, size, and data rates. Strong consideration should be given to the ability of the selected system to handle growing organization needs.

The general reference for this article is D. W. Davies and W. L. Price. Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer. New York, New York: J. Wiley & Sons, 1984.

Bob Wade is a market development manager of secure telecommunications for Government Electronics Group of Motorola, Inc., in Scottsdale, Arizona.


| Title Annotation | Safe Communications in the 1990s |
|---|---|
| Author | Wade, Bob |
| Publication | Security Management |
| Date | Mar 1, 1993 |
| Words | 4201 |
