■ Skipjack Skipjack was developed by the United States government for use with the Clipper Chip. It uses an 80-bit key, which may be marginal in the near future. ■ Blowfish Blowfish allows for variable length keys up to 448 bits and was optimized for execution on 32-bit processors. ■ CAST-128 CAST-128 uses a 128-bit key. It is used in newer versions of PGP. ▲ GOST GOST is a Russian standard that was developed in answer to DES. It uses a 256-bit key. Any of these algorithms may appear in security products. All of them are likely to be strong enough for general use. Keep in mind that it is not only the algorithm, but also the implementation and the use of the system that define its overall security. PUBLIC KEY ENCRYPTION Public key encryption is a more recent invention than private key encryption. The pri- mary difference between the two types of encryption is the number of keys used in the operation. Where private key encryption uses a single key to both encrypt and decrypt in- formation, public key encryption uses two keys. One key is used to encrypt and a different key is then used to decrypt the information. What Is Public Key Encryption Figure 12-9 shows the basic public key or asymmetric encryption operation. As you can see, both the sender and the receiver of the information must have a key. The keys are related to each other (hence they are called a key pair), but they are different. The relationship Chapter 12: Encryption 219 Figure 12-9. Public key encryption 220 Network Security: A Beginner’s Guide between the keys is such that information encrypted by K1 can only be decrypted by its pair K2. If K2 encrypts the information, it can only be decrypted by K1. In practice, one key is called the private key and the other is called the public key. The private key is kept secret by the owner of the key pair. The public key is published with information as to who the owner is. Another property of public key encryption is that if you have one of the keys of a pair, you cannot compute the other key. If confidentiality is desired, encryption is performed with the public key. That way only the owner of the key pair can decrypt the information since the private key is kept secret by the owner. If authentication is desired, the owner of the key pair encrypts the information with the private key. Only the correct published public key can correctly decrypt the infor - mation and thus only the owner of the key pair could have sent the information. The integ - rity of the information in transit is protected in either operation. The integrity of the information after reception can be checked if the original information was encrypted with the owner’s private key. The downside of public key encryption systems is that they tend to be computationally intensive and thus are much slower than private key systems. However, if we team public key and private key encryption we end up with a much stronger system. The public key sys- tem is used to exchange keys and authenticate both ends of the connection. The private key system is then used to encrypt the rest of the traffic. Diffie-Hellman Key Exchange Whitfield Diffie and Martin Hellman developed their public key encryption system in 1976. The Diffie-Hellman system was developed to solve the problem of key distribution for private key encryption systems. The idea was to allow a secure method of agreeing on a private key without the expense of sending the key through another method. Therefore, they needed a secure way of deciding on a private key using the same method of commu- nication that they were trying to protect. Diffie-Hellman cannot be used to encrypt or decrypt information. The Diffie-Hellman algorithm works like this: 1. Assume we have two people that need to communicate securely and thus need to agree on an encryption key. 2. P1 and P2 agree on two large integers a and b such that 1 < a < b. 3. P1 then chooses a random number i and computes I = a i mod b. P1 sends I to P2. 4. P2 then chooses a random number j and computes J = a j mod b. P2 sends J to P1. 5. P1 computes k1 = J i mod b. TEAMFLY Team-Fly ® Chapter 12: Encryption 221 6. P2 computes k2 = I j mod b. 7. We have k1 = k2 = a ij mod b and thus k1 and k2 are the secret keys to use for the other transmission. NOTE: In the equations, “mod” means remainder. For example, 12 mod 10 is 2. Two is the remainder that is left when 12 is divided by 10. If someone is listening to the traffic on the wire, they will know a, b, I, and J. However, i and j remain secret. The security of the system depends on the difficulty of finding i given I = a i mod b. This problem is called the discrete logarithm problem and is considered to be a hard problem (that is, computationally infeasible with today’s computer equipment) when the numbers are very large. Therefore, a and b must be chosen with care. For example, b and (b–1)/2 should both be prime numbers and at least 512 bits in length. A better choice would be at least 1,024 bits in length. The Diffie-Hellman Key Exchange is used by many security systems to exchange se - cret keys to use for additional traffic. The one weakness in the Diffie-Hellman system is that it is susceptible to a man-in-the-middle attack (see Figure 12-10). If an attacker could place his system in the path of traffic between P1 and P2 and intercept all of the communi- cation, the attacker could then act like P2 when talking to P1 and P1 when talking to P2. Thus, the key exchange would be between P1 and the attacker and P2 and the attacker. However, this type of attack requires significant resources and is very unlikely to occur in the real world. RSA In 1978, Ron Rivest, Adi Shamir, and Len Adleman released the Rivest-Shamir-Adleman (RSA) public key algorithm. Unlike the Diffie-Hellman algorithm, RSA can be used for encryption and decryption. Also unlike Diffie-Hellman, the security of RSA is based on Figure 12-10. Diffie-Hellman man-in-the-middle attack the difficultly of factoring large numbers. This is considered a hard problem when the numbers are very large (512 bits or larger). The basic algorithm for confidentiality is very simple: Ciphertext = (Plaintext) e mod n Plaintext = (Ciphertext) d mod n Private Key = {d, n} Public Key = {e, n} The difficulty in calculating d given e and n provides the security. It is assumed that the owner of the key pair keeps the private key secret and that the public key is published. Therefore, if information is encrypted with the public key, only the owner can decrypt it. It should also be noted that the algorithm can be reversed to provide authentication of the sender. In this case, the algorithm would be Ciphertext = (Plaintext) d mod n Plaintext = (Ciphertext) e mod n Private Key = {d, n} Public Key = {e, n} For authentication, the owner encrypts the information with the private key. Only the owner could do this since the private key is kept secret. Anyone can now decrypt the in- formation and verify that it could have only come from the owner of the key pair. Generating RSA Keys Care must be taken in the generation of RSA keys. To generate an RSA key pair, follow these steps: 1. Choose two prime numbers p and q and keep them secret. 2. Calculate n = pq. 3. Calculate φ(n) = (p – 1)(q – 1). 4. Select e such that e is relatively prime to φ(n). 5. Determine d such that (d)(e) = 1 mod φ(n) and that d < φ(n). The number n should be on the order of a 200-digit number or larger. Therefore, both p and q should be at least 100-digit numbers. Keys for real-world use should be at least 1,024 bits. For sensitive information, 2,048 bits and larger keys should be considered. 222 Network Security: A Beginner’s Guide Chapter 12: Encryption 223 Worked RSA Example To show how RSA generates keys, we will do an example calculation. Keep in mind that I chose numbers that can be relatively easily verified for this example. Real uses of RSA will use much larger numbers. 1. First I choose two prime numbers. In this case, I choose p = 11 and q = 13. 2. Now I calculate n = pq. That means n = (11)(13) = 143. 3. I must now calculate φ(n) = (p – 1)(q – 1) = (11 – 1)(13 – 1) = (10)(12) = 120. 4. I select a number e so that e is relatively prime to φ(n) = 120. For this number, I choose e = 7. 5. I must determine d such that (d)(e) = 1 mod φ(n). Therefore, (d)(7) = 1 mod 120 and d must also be less than 120. We find that d = 103. (103 times 7 equals 721. 721 divided by 120 is 6 with 1 remaining.) 6. The private key is {103, 143}. 7. The public key is {7, 143}. To perform an actual encryption and decryption we can use the original formulas: Ciphertext = (Plaintext) e mod n Plaintext = (Ciphertext) d mod n Let’s assume that I wish to send the message “9.” I use the encryption formula and end up with: Ciphertext = (9) 7 mod 143 = 48 When the encrypted information is received, it is put through the decryption algorithm: Plaintext = (48) 103 mod 143 = 9 Other Public Key Algorithms There are several other public key algorithms that display the same properties as RSA and Diffie-Hellman. We will briefly cover three of the more popular ones in this section. Elgamal Taher Elgamal developed a variant of the Diffie-Hellman system. He enhanced Diffie-Hellman to allow encryption and ended up with one algorithm that could perform encryption and one algorithm that provided authentication. The Elgamal algorithm was not patented (as RSA was) and thus provided a potentially lower-cost alternative. Since this algorithm was based on Diffie-Hellman, the security of the information is based on the difficultly in calculating discrete logarithms. Digital Signature Algorithm The Digital Signature Algorithm (DSA) was developed by the United States government as a standard algorithm for digital signatures (see the next section for more detail on digi - tal signatures). This algorithm is based on Elgamal but only allows for authentication. It does not provide for confidentiality. Elliptic Curve Encryption Elliptic curves were proposed for encryption systems in 1985. It is believed that Elliptic Curve Cryptosystems (ECC) are based on different mathematical principles than either factoring or discrete logarithms. However, more research in this area must be done. There are benefits to using ECCs over RSA or Diffie-Hellman. The biggest benefit is that keys are smaller and thus the computations are faster for the same level of security. For example, the same security of a 1,024-bit RSA key can be found in a 160-bit ECC key. It may be a while before ECCs are generally accepted as there is more research to be per- formed and the existing ECCs are covered under a number of patents. DIGITAL SIGNATURES Digital signatures are not digital images of a handwritten signature. Digital signatures are a form of encryption that provides for authentication. They are growing in popularity and have been touted as a way to move into a completely paperless environment. Presi- dent Clinton even signed a law to allow digital signatures to be used as a legal signature. Even with all of this, digital signatures are widely misunderstood. What Is a Digital Signature? As I said, digital signatures are not the digitized image of a handwritten signature on an electronic document. A digital signature is a method of authenticating electronic infor - mation by using encryption. As was mentioned in the public key encryption section of this chapter, if information is encrypted with a person’s private key, only that person could have encrypted the infor - mation. Therefore, we know that the information must have come from that person if the decryption of the information works properly with that person’s public key. If the de - cryption works properly, we also know that the information did not change during trans - mission, so we have some integrity protection as well. With a digital signature, we want to take this protection one step further and protect the information from modification after it has been received and decrypted. Figure 12-11 shows how this may be done. First, information is put through a message digest or hash function. The hash function creates a checksum of the information. This checksum is then 224 Network Security: A Beginner’s Guide encrypted by the user’s private key. The information and the encrypted checksum are sent to the receiver of the information. When the receiver gets the information, she can also put it through the same hash function. She decrypts the checksum that came with the message and compares the two checksums. If they match, the information has not changed. By keeping the original en - crypted checksum with the information, the information can always be checked for modifications. The security and usefulness of a digital signature depends upon two critical elements: ▼ Protection of the user’s private key ▲ A secure hash function If the user does not protect his private key, then he cannot be sure that only he is using it. If someone else is also using his private key, there is no guarantee that only the user could have signed the information in question. Chapter 12: Encryption 225 Figure 12-11. The digital signature operation Secure Hash Functions Secure hash functions are necessary for digital signatures. A hash function can be called secure if: ▼ The function is one-way. In other words, the function creates a checksum from the information but you cannot create the information from the checksum. ▲ It is very difficult to construct two pieces of information that provide the same checksum when run through the function. The second condition is not easy to satisfy. The checksums in question should also be smaller than the information so as to make it easier to sign, store, and transmit. If this is the case, it must also be true that some large number of different pieces of information will map to the same checksum. What makes the functions secure is the way that all the bits in the original information map to all the bits in the checksum. Thus, if a single bit in the information is changed, a large number of bits in the checksum will also change. Secure hash functions should create a checksum of at least 128 bits. The two most common secure hash functions are MD5, which produces a 128-bit checksum, and SHA, which produces a 160-bit checksum. There are many other hash functions but most of them have been proven insecure. MD5 has been identified as having weaknesses that may allow a computational attack. This attack may allow a second piece of information to be created that will result in the same checksum. SHA was developed by the United States government and is currently believed to be secure. Most security software offers both MD5 and SHA as available options. KEY MANAGEMENT The management of keys is the bane of all encryption systems. The keys are the most valuable information. If I can get a key, I can get (decrypt) everything that is encrypted by that key. In some cases, I may also be able to get succeeding keys. The management of keys is not just about protecting them while in use. It is also about creating strong keys, securely distributing keys to remote users, certifying that they are correct, and revoking them when they have been compromised or expired. Keys and the infrastructure necessary to manage them appropriately can significantly impact an organization’s ability to field an encryption system. While we discuss each of the key management issues in detail, keep in mind that the problems identified must be multi - plied many thousand-fold to meet the needs of a true encryption infrastructure. Key Creation Obviously, keys must be created with care. Certain keys have poor security performance with certain algorithms. For example, a key of all 0’s when used with DES does not pro - 226 Network Security: A Beginner’s Guide