Chapter 12: Encryption 211 The lesson here is that the surrounding system is just as important to the overall secu - rity of encryption as the algorithm and the key. PRIVATE KEY ENCRYPTION There are two primary types of encryption: private key and public key. Private key en - cryption requires all parties who are authorized to read the information to have the same key. This then reduces the overall problem of protecting the information to one of protect - ing the key. Private key encryption is the most widely used type of encryption. It provides confidentiality of information and some guarantee that the information was not changed while in transit. What Is Private Key Encryption? Private key encryption is also known as symmetric key encryption because it uses the same key to encrypt information as is needed to decrypt information. Figure 12-2 shows the basic private key encryption function. As you can see from the figure, both the sender and the receiver of the information must have the same key. Private key encryption provides for the confidentiality of the information while it is encrypted. Only those who know the key can decrypt the message. Any change to the message while it is in transit will also be noticed as the decryption will not work properly. Private key encryption does not provide authentication as anyone with the key can cre- ate, encrypt, and send a valid message. Generally speaking, private key encryption is fast and can be easy to implement in hardware or software. Figure 12-2. Private key encryption Substitution Ciphers Substitution ciphers have been around for as much as 2,500 years. The earliest known ex - ample is the Atbash cipher. It was used around 600 B.C. and consisted of reversing the Hebrew alphabet. Julius Caesar used a substitution cipher call the Caesar cipher. This cipher consisted of replacing each letter with the letter three positions later in the alphabet. Therefore “A” would be come “D,” “B” would become “E,” and “Z” would become “C.” As you can see from this example, the substitution cipher operates on the plaintext one letter at a time. As long as both the sender and receiver of the message use the same substitution scheme, the message can be understood. The key for the substitution cipher is either the number of letters to shift, or a completely reordered alphabet. Substitution ciphers suffer from one primary weakness—the frequency of the letters in the original alphabet does not change. In English, the letter “E” is the most frequently used letter. If another letter is substituted for “E,” that letter will be the most frequently used (over the course of many messages). Using this type of analysis, the substitution cipher can be bro - ken. Further development of frequency analysis also shows that certain two- and three- letter combinations also show up frequently. This type of analysis can break any substitu- tion cipher if the attacker gains sufficient ciphertext. One-Time Pads One-time pads (OTPs) are the only theoretically unbreakable encryption system. An OTP is a list of numbers, in completely random order, that is used to encode a message (see Figure 12-3). As its name implies, the OTP is only used once. If the numbers on the OTP are truly random and the OTP is only used once, then the ciphertext provides no mecha- nism to recover the original key (the OTP itself) and therefore, the messages. OTPs are used but only for short messages in very high-security environments. For example, the Soviet Union used OTPs to allow spies to communicate with Moscow. The two main problems with OTPs are the generation of truly random pads and the distribu - tion of the pads themselves. Obviously, if the pads are compromised, so is the informa - tion they will protect. If the pads are not truly random, patterns will emerge that can be used to allow frequency analysis. 212 Network Security: A Beginner’s Guide Figure 12-3. One-time pad operation One other important point about OTPs is that they can only be used once. If they are used more than once, they can be analyzed and broken. This is what happened to some Soviet OTPs during the Cold War. A project called Venona at the National Security Agency was created to read this traffic. Venona intercepts can be examined at the NSA Web site (http://www.nsa.gov). Some encryption systems today claim to mimic OTPs. While this type of system may provide enough security, it may just as well be an easily breakable system that provides little in the way of security. Generally, OTPs are not feasible for use in high-traffic environments. Data Encryption Standard The algorithm for the Data Encryption Standard (DES) was developed by IBM in the early 1970s. The United States National Institute of Standards and Technology (NIST) adopted the algorithm (as FIPS publication 46) for DES in 1977 after it was examined, modified, and approved by NSA. The standard was reaffirmed in 1983, 1988, 1993, and 1999. DES uses a 56-bit key. The key uses seven bits of eight 8-bit bytes (the eighth bit of each byte is used for parity). DES is a block cipher that operates on one 64-bit block of plaintext at a time (see Figure 12-4 for a block diagram of the algorithm). There are 16 rounds of en- cryption in DES with a different sub-key used in each round. The key goes through its own algorithm to derive the 16 sub-keys (see Figure 12-5). In the DES block diagram, you can see several blocks where permutations occur. The standard defines a specific rearrangement of bits for each permutation. The same is true for the sub-key generation algorithm. There are specific bit rearrangements for permuted choice 1 and 2. In Figure 12-4, you can also find a call out of the function “f.” Within the function, there is a block that says “S” boxes. The “S” boxes are table lookups (also de- fined in the standard) that change a 6-bit input into a 4-bit output. There are four modes of operation for DES: ▼ Electronic Code Book This is the basic block encryption where the text and the key are combined to form the ciphertext. Identical input produces identical output in this mode. ■ Cipher Block Chaining In this mode, each block is encrypted as in electronic code book but a third factor, derived from the previous input, is added. In this case, identical input (plaintext) does not produce identical output. ■ Cipher Feedback This mode uses previously generated ciphertext as input to DES. The output is then combined with plaintext to produce new ciphertext. ▲ Output Feedback This mode is similar to cipher feedback but uses DES output and does not chain ciphertext. There are no known attacks against the DES algorithm. However, the 56-bit key has be - come a weakness. The key provides a total of 2 55 potential keys (less a few keys that are known to be weak and not used). With today’s computer systems, this entire key space can be examined within a small amount of time. In 1997, the Electronic Frontier Foundation Chapter 12: Encryption 213 214 Network Security: A Beginner’s Guide Figure 12-4. DES block diagram Chapter 12: Encryption 215 (EFF) announced a computer system that can find a DES key in four days. This system cost $250,000 to build. With today’s hardware systems, the time to brute-force a DES key is far too short to protect information that must be kept secret. Figure 12-5. DES sub-key generation algorithm In fact, in the revised FIPS publication (46-2 and the current 46-3) the NIST acknowl - edged this fact by stating: “Single DES will be permitted for legacy systems only.” Triple DES In 1992, research indicated that DES could be used multiple times to create a stronger en - cryption. Thus was born the concept of Triple DES (TDES). Figure 12-6 shows how TDES works. You will note that the second operation is actually a decryption. This is the key that makes TDES stronger than normal DES. TDES can be used with either three keys or two keys. In the case of two keys, K1 and K3 are equal and K2 is different. TDES is a relatively fast algorithm as it can still be implemented in hardware. It does take three times the overall time as DES since there are three operations occurring. TDES should be used instead of DES for most applications. Password Encryption The standard Unix password encryption scheme is a variation of DES. While the password encryption function is actually a one-way function (you cannot retrieve the plaintext from the ciphertext), I will include a discussion of it here to show how DES can be used in this type of application. Each user chooses a password. The algorithm uses the first eight characters of the password. If the password is longer than eight characters, it is truncated. If the password is shorter than eight characters, it is padded. The password is transformed into a 56-bit number by taking the first 7 bits of each character. The system then chooses a 12-bit num- ber based on the system time. This is called the salt. The salt and the password are used as input into the password encryption function (see Figure 12-7). 216 Network Security: A Beginner’s Guide Figure 12-6. Triple DES functional diagram The salt is used to modify one of the permutation tables in the DES algorithm (the E Permutation) in any of 4,096 different ways based on the number of 1’s in the 12 bits. The initial plaintext is 56 zero bits and the key is the 56 bits derived from the password. The al - gorithm is run 25 times with the input for each stage being the output of the previous stage. The final output is translated into 11 characters and the salt is translated into 2 char- acters and placed before the final output. The chief weakness in this system lies in the password choice. Since most computer users will choose passwords made up of lowercase letters, we have a total of 26 8 possible combinations. This is significantly less than the 2 55 possible DES keys and thus it takes significantly less time and computing power to brute-force passwords on a Unix system. NOTE: Most Unix systems now offer the option of using shadow password files for just this reason. If the encrypted passwords are easy to brute-force, then by hiding the encrypted passwords we can add some amount of security to the system. As with all systems, if the root password is weak or if a root compromise exists on the system, then it does not matter how well the users choose their passwords. The Advanced Encryption Standard: Rijndael In order to replace DES, NIST announced a competition for the Advanced Encryption Standard (AES) in 1997. At the end of 2000, NIST announced that two cryptographers from Belgium, Joan Daemen and Vincent Rijmen, had won the competition with their al - gorithm Rijndael. The algorithm was chosen based on its strength as well as its suitability for high-speed networks and for implementation in hardware. Rijndael is a block cipher that uses keys and blocks of 128, 192, or 256 bits. These key lengths make brute-force attacks computationally infeasible at this time. The algorithm consists of 10 to 14 rounds, depending on the size of the plaintext block and the size of the key. Figure 12-8 shows the computations in each round. Rijndael should appear in many systems in the near future and should be considered as an appropriate alternative to TDES. Chapter 12: Encryption 217 Figure 12-7. The Unix password encryption function Other Private Key Algorithms There are several other private key algorithms available in various security systems. Among them are ▼ IDEA The International Data Encryption Algorithm was developed in Switzerland. IDEA uses a 128-bit key and is also used in Pretty Good Privacy (PGP). ■ RC5 RC5 was developed by Ron Rivest at MIT. It allows for variable length keys. 218 Network Security: A Beginner’s Guide Figure 12-8. Rijndael round functional diagram ■ Skipjack Skipjack was developed by the United States government for use with the Clipper Chip. It uses an 80-bit key, which may be marginal in the near future. ■ Blowfish Blowfish allows for variable length keys up to 448 bits and was optimized for execution on 32-bit processors. ■ CAST-128 CAST-128 uses a 128-bit key. It is used in newer versions of PGP. ▲ GOST GOST is a Russian standard that was developed in answer to DES. It uses a 256-bit key. Any of these algorithms may appear in security products. All of them are likely to be strong enough for general use. Keep in mind that it is not only the algorithm, but also the implementation and the use of the system that define its overall security. PUBLIC KEY ENCRYPTION Public key encryption is a more recent invention than private key encryption. The pri- mary difference between the two types of encryption is the number of keys used in the operation. Where private key encryption uses a single key to both encrypt and decrypt in- formation, public key encryption uses two keys. One key is used to encrypt and a different key is then used to decrypt the information. What Is Public Key Encryption Figure 12-9 shows the basic public key or asymmetric encryption operation. As you can see, both the sender and the receiver of the information must have a key. The keys are related to each other (hence they are called a key pair), but they are different. The relationship Chapter 12: Encryption 219 Figure 12-9. Public key encryption . primary types of encryption: private key and public key. Private key en - cryption requires all parties who are authorized to read the information to have the same key. This then reduces the overall