Published in ACM SIGSAC Review, Vol. 10, No. 1, Winter 1992.
Encryption
Bill Neugent*
As we place more trust in our computer systems, we must continue to find more ways to make our systems deserving of that trust. Encryption is one of those ways.
Background
The Players
Encryption is interesting not only because of the technology involved, but also because of the people and agencies involved.
Thomas Jefferson, based on his success as an amateur cryptographer, has been referred to as the Father of American cryptography. Beatrix Potter, as a teenager, wrote a lengthy diary entirely in code (Potter, 1881-1897). The point is that it is possible to have a life and still be a cryptographer.
Cryptographers are like a secret cult. In fact, I think they should form a secret society, even though the good names have already been taken by the Odd Fellows, the Skull and Bones society, and Crypto, the French recording company. Another name could be "the exclusive or society" (theos). This name has merit, because it sounds a bit mischievous and exclusive and because "theos" is the Greek word for god. Of course, being cryptographers, they would make known only the acronym -- not its meaning. Outsiders would be left to speculate.
Cryptographers say that you can't really build encryption devices until you know how to break them. This brings us to the field of cryptanalysis. Cryptanalysis normally has nothing to do with grave robbing. It is the subject of breaking through encryption systems. Cryptanalysis is simplified when the clear text form of the data is available, as is shown by the following (Kaufman, et al., 1929):
The premier home for cryptographers in the United States is the National Security Agency (NSA). At NSA, mathematicians often work "a good five years ahead of the state of the art" (Bamford, 1982). NSA's role, according to the trade press, is to break through the encryption systems of evil countries, so that we know what the evil countries are plotting against us. NSA's role also is to make our encryption strong, so that evil countries cannot read what we are plotting against them. To ensure that these important roles are adequately fulfilled, Congress allocates to NSA roughly $10 godzillion per year.
NSA must work to prevent evil countries from obtaining and using our encryption equipment. It uses several approaches. First, to convince our politicians not to export our equipment, NSA claims that our systems are strong, and that if other countries use them we will not be able to read their mail. This is a good argument for politicians, who enjoy reading other people's mail. Second, to convince other countries not to use our equipment, NSA claims that our systems are not strong enough and thus should not be trusted to protect really sensitive data. This discourages foreign countries from using our equipment, because they then think that NSA can penetrate the encryption. These mixed messages have the desired effect of confusing everyone and also reveal something of the complexity of the encryption process.
NSA has been accused of being inflexible in its official encryption policies. Part of this might derive from a mind-set sometimes associated with cryptographers. After all, the very term "cryptographer" can readily be interpreted as meaning "one who inscribes tombstones." So it is easy to see how cryptographers might view their proclamations as being “carved in stone,” so to speak.
Another criticism is that NSA encryption policies do not reflect real-world concerns. This also is not surprising. As one of the early American military cryptographers said, "We were just a few then in Room 2646, young people who gave ourselves to cryptography with the same ascetic devotion with which young men enter a monastery" (Kahn, 1967). Perhaps something of the culture of isolated asceticism remains.
The National Institute for Standards and Technology (NIST) is responsible for issuing government standards for encryption applied to sensitive unclassified data. To ensure that this weighty responsibility is adequately fulfilled, Congress allocates to NIST roughly $3.47 per year. Congress concedes that more money would be useful, but notes also that you can't solve problems just by throwing money at them. The NIST role in encryption policy is important, because otherwise the policy would be unduly influenced by NSA's work on policy for cryptographic protection of classified data.
Congress is responsible for providing the humor. Normally they do this with their budget appropriations. On occasions they do it with proposed Acts. Consider the following from section 2201 of Senate Bill 266 (June 1991):
Well. The introductory phrase clearly is intended to refute critics who say that Congress has no sense at all. However, the rest of the statement tends to support the critics' case. Fortunately, events indicate that nothing is likely to come of this potentially nettlesome proclamation, which truly would be an indecent Act.
NIST established the Data Encryption Standard (DES) in 1977 as the standard encryption algorithm. In collaboration with NSA, a standard key length of 56 bits was established for DES. Especially since earlier DES designs had a 128-bit key length, this reduction was viewed by some as seriously weakening DES (Hellman, July 1979). That was the pessimistic view. The optimistic view was that this shorter key length provided quantitative insight into NSA cryptanalytic capabilities at the time. Of course, NSA insisted at the time that the 56-bit key length was good enough and that it had not installed a Trojan horse in the algorithm. Some did not believe NSA. Perhaps relevant here is H. L. Mencken's remark that "It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place."
In 1987 NSA announced that it would not recertify DES in 1988. Presumably this was done on the presumption that anybody could break it by then. Nevertheless, there was a firestorm of criticism from agencies who had finally been convinced to use encryption for the first time, on the argument that here at last was a standard on which they could rely. These agencies did not want to hear that it was no longer reliable. So NSA changed its mind and recertified DES until 1993. It's worth noting that one of the DES designers (Walter Tuchman of IBM) said in 1978 that DES could become inadequate in ten years (Kinnucan, October 1978). This prediction was seconded by NIST in 1979.
Recent information, however, has added an intriguing twist to the DES story. The New York Times recently reported that DES is much stronger than people had thought (Kolata, 13 October 1991). Adi Shamir had found an attack on DES that was initially reported as breaking DES, but that actually is only a “slight improvement over laboriously trying every key.” Shamir said that DES is “the strongest possible code of its kind.” He said that his attack method “devastates similar codes,” while only denting DES.
Naturally NSA and NIST are reluctant to talk in detail about these matters. That reticence is appropriate and based on long-standing historical precedent. For example, according to Kahn (1979):
Types of Encryption
Encryption comes in many forms and serves many purposes. Some of the main types are discussed below.
End-to-end encryption (E3) is to encryption what a total weight reduction plan is to a diet. That is, it's somewhat of an exaggeration, and unless you're careful, it will get you in the end. The problem with the term E3 is that most connections do not actually end at the end, but keep going beyond. In many military systems, the true end normally resides at what is probably best termed the Far Side.
E3 is different from link encryption in that you no longer have to trust people who work at packet switches. They no longer can read the text of transactions. All they can read is the traffic header showing where the data came from and where it is going. Of course, they can still blow up the switch and prevent your data from moving. But, then, they could blow you up, too, or you could blow them up. While these possibilities have great cinematic appeal, they basically are real-world considerations, and thus are mathematically irrelevant and of no concern to true mathematicians.
Normally encryption is thought of as being something you do when you transmit data. But encryption has value even if the data is just sitting in a file. It gives you protection in case someone breaks through system defenses and accesses the file. It also enables you to put the file on a floppy disk and mail it without any special protection. These are neat features. The main problem with file encryption is losing the key. Losing the key in file encryption is like losing all your data when your hard disk crashes, except that, with file encryption, your back-up copies probably are lost as well.
This is the most brazen and (to evil forces) the most galling form of encryption, because it gives you part of the solution and dares you to come up with the rest. It's like a defiant challenge or taunt and because of this is an especially satisfying form of encryption.
Public-key encryption is like a door with one keyhole and two different keys. Either key can be used to lock or unlock the door. If one is used to lock, the other must be used to unlock. This technique has many applications. First, of course, used on a front door, it is an excellent sobriety test. But its main value comes in computer transactions, where it can be used to sign transactions and thus authenticate the originator, even when the two parties involved have never before interacted. This is possible because one of the two keys used is openly published and known to all. Of course, there still must be some central organization that everyone trusts to ensure that people really are whom they claim to be. This is somewhat similar to the trust we all place in central credit bureaus.
Public-key encryption is interesting for two reasons. First, it is a radically different, innovative, and extremely useful form of encryption. Second, it did not originate with NSA. The first truly robust public-key algorithm is RSA (Rivest-Shamir-Adleman), named after its inventors. Notice that the first letter is R, not N. Well, how would you feel if you were the nation's encryption expert and you were totally scooped by a couple of university professors, who then proceeded to market their idea? You might just quietly wait for the resulting products to fail in the marketplace. But what do you do when the products catch on and when the small upstart company positions itself to play the leading international role in managing use of this technology? This calls for some type of response, as discussed in the following paragraph.
One thing you learn in visiting many countries is that you can tell nationalities by the varying digital gestures they use to express displeasure. In effect, each country has its own digital signature. Perhaps this is the sort of gesture NIST had in mind when it announced that it was planning to standardize on El-Gamal rather than RSA as the public-key algorithm for its Digital Signature Standard (DSS). This struck many people as odd, since RSA had become the de facto industry standard algorithm. The decision makes much more sense when you consider NSA's feelings, as noted above, and when you realize what a strong influence NSA has on NIST.
You see, NIST had been promising for years that it would establish a DSS, which includes a public-key algorithm and other functions. Such a standard was much needed. I say was, because it has taken so long for a standard to be established that many organizations grew tired of waiting and signed up for what seemed the most logical choice -- RSA and its accompanying functions. NIST's decision, now that it arrives, helps to ensure a diversity of incompatible approaches and represents an interesting interpretation of the word standard.
Actually, the NIST decision has had some beneficial effects. Mainly, it has added an element of excitement and even intrigue in what can be a boring topic. After the NIST announcement, the president of RSA Data Security, Inc. wrote a letter to Congress blasting the DSS as being insecure, incomplete, and inflexible. He wrote that NIST’s unwillingness to discuss the technical basis for the DSS “intensifies concern that there is a hidden agenda, such as laying the groundwork for a national public-key cryptosystem that is in fact vulnerable to being broken by NIST and/or NSA” (Bidzos, 20 September 1991). Ron Rivest wrote that security of the DSS is 12,500 times too weak (Rivest, 26 and 29 October 1991). Martin Hellman wrote that he is “deeply concerned by faults in the technical specifications of the proposed DSS and by its development process” (Hellman, 13 November 1991). The attack developed a new dimension when MacWEEK reported that two Bellcore mathematicians found a serious trapdoor in DSS (Ratcliffe, 10 December 1991). MacWEEK went on to report:
It is not necessary to know anything about encryption to appreciate this situation. People who do know something about encryption find it especially interesting.
Integration of Encryption and Computer Security
In the past, computer security was used inside computers and encryption was used outside on the transmission lines. Today this boundary is disappearing as file encryption, digital signatures, message integrity, E3, password encryption, and other such things find their way into computers. This change is an improvement, because encryption can strengthen functions such as authentication and access control. But the integration of the two disciplines also carries with it confusion, as two cultures and sets of rules are combined.
This intercultural marriage also raises interesting questions. For example, must this be a marriage based on trust (technology)? Under which culture will the children be raised? Since computer security guidance has traditionally been public knowledge, whereas encryption guidance has been shrouded in secrecy, will some computer security guidance now be less available? Will integrated products be less exportable? Even as we bring the two disciplines together, might we still need well-defined boundaries for reasons of modularity, certification, exportability, and assignment of blame? Proposed answers to these questions should be sent to NIST or NSA. Winning answers will be chosen using the same method that was used to choose the DSS.
Future
Encryption is becoming more pervasive and is being used in more ways as encryption products quietly scuttle into our day-to-day lives. For example, already encryption has started to infiltrate not only our computers, but also our credit cards and telephones. Soon it might appear in our house keys (or cards), garage door openers, driver's licenses, and trash bins (with so many products, some are sure to be losers). Increasingly, encryption is simply there, making our lives easier, much like electricity, gravity, and government.
And lest you worry about inadequate government oversight, remember that the agency most responsible is uniquely qualified. What better agency to provide our locks than one whose very existence depends on their ability to break any lock?
Footnote
* Although I have a degree in mathematics, I consider myself to be a repentant mathematician. One purpose of this paper is to atone for past equ(ivoc)ations.
References
Bamford, James, 1982, The Puzzle Palace, Houghton Mifflin Company, p. 179.
Bidzos, D. James, 20 September 1991, letter to Congress on NIST's DSS, published also in RISKS-FORUM Digest, 23 September 1991.
Hellman, Martin E., July 1979, "DES will be totally insecure within ten years," IEEE Spectrum.
Hellman, Martin E., 13 November 1991, letter to NIST on proposed DSS, published also in RISKS-FORUM Digest, 13 November 1991.
Kahn, David, 1967, The Codebreakers, New York: Macmillan, pp. 387-388.
Kahn, David, Fall 1979, "Cryptology Goes Public," Foreign Affairs.
Kaufman, George S., Morrie Ryskind, and The Marx Bros., 1929, Animal Crackers.
Kinnucan, Paul, October 1979, "Data encryption gurus: Tuchman and Meyer," MINI-MICRO Systems.
Kolata, Gina, 13 October 1991, "Week in Review," New York Times.
Potter, Beatrix, 1881-1897, Beatrix Potter's Journal, Penguin Books Ltd., Harmondsworth, Middlesex, England.
Ratcliffe, Mitch, 10 December 1991, "Trapdoor unhinges DSS security," MacWEEK.
Rivest, Ronald L., 26 and 29 October 1991, "DSA/DSS -- Digital Signatures," letter to NIST, published also in RISKS-FORUM Digest, 28 and 29 October 1991.
Stimson, Henry L. and McGeorge Bundy, 1947, On Active Service in Peace and War, New York: Harper & Brothers, p. 188.
United States Senate, June 1991, "Cooperation of Telecommunications Providers with Law Enforcement," Senate Bill 266, The Comprehensive Anti-Terrorist Act of 1991, Washington, DC.
ACM COPYRIGHT NOTICE.
Copyright © 1992 by the Association for Computing
Machinery, Inc. Permission to make digital or hard copies of part or all
of this work for personal or classroom use is granted without fee provided
that copies are not made or distributed for profit or commercial advantage
and that copies bear this notice and the full citation on the first page.
Copyrights for components of this work owned by others than ACM must be
honored. Abstracting with credit is permitted. To copy otherwise, to republish,
to post on servers, or to redistribute to lists, requires prior specific
permission and/or a fee. Request permissions from Publications Dept, ACM
Inc., fax +1 (212) 869-0481, or permissions@acm.org.
This copy is posted by permission of ACM and may not be redistributed.
Updated: 20-Oct-2005