|
|
|
|
|
|
|
||||||||||||||||||||||||||
|
|
|
|
|||
|
|
WHY COMMUNICATION AND DATA SECURITY?
PRIVACY SOFTWARE MADE EASY
Protection of data - be it private or business - is one of the most important topics of modern communication. Information is carried throughout the world on laptops, PDAs and USB sticks. The amount of data sent via the Internet increases daily. All this information is in danger of being eavesdropped on. For businesses a financial risk, for private users an emotional one as well - both have a lot to lose. The solution: Since 1996, Frankfurt based privacy specialist Steganos offers highly secure, easy to use solutions to protect and secure both static data and online connections.
Using encryption solutions by Steganos, hiding your data from others is a piece of cake - extremely important in case of hardware loss or theft. Hardware is replaceable. Your data is not.
Using Steganos tools, you can surf absolutely securely and anonymously, and up- and download data or exchange e-mails without being eavesdropped on. Thanks to the so-called Virtual Private Network (VPN) product family, nobody - neither the owner of the HotSpot, your provider, nor hackers - is able to spy on you anymore.
In today’s world there is every day a tremendous amount of confidential information, meant for specific persons or groups of persons, stored in computer systems and transferred over worldwide telecommunication networks. This information is directly accessible to practically anybody willing to spend some time and efforts in tapping and spoofing.
The necessary equipment to allow eavesdroppers to listen to telephone conversations, tap fax messages, pick-up computer data or radio transmissions, read E-Mails, etc., is today at the reach of almost everybody. For example, equipment can be purchase in almost any radio shop for less than $30.- that will allow to listen to conversation from car telephone, between walkies-talkies, between civilian and military air to air or between air to ground communications. Radio amateurs are even better equipped. They, very often, have highly sensitive HF-Receivers with TTYs, computers and associated electronics which can pick-up the ARQ-signals transmitted mainly from embassies to headquarters.
There are also organisations specialised in eavesdropping such as the ones operated by the governments of practically every country in the world. To mention only one (because it is the best known), the National Security Agency in the US, is spending 5 to 10 billion dollars per year to maintain a world wide network of highly sensitive radio receivers, 35’000 persons at Fort Mead and 100’000 persons abroad whose functions are to listen, evaluate, classify and report. Here more then anywhere else, the quote KNOWLEDGE IS POWER finds its application.
No doubts that information transmitted to headquarters from diplomats during their foreign assignments is of great value to the guest government. This is the reason embassies and diplomatic missions are the first target of interceptors and eavesdroppers.
Of course not only government agencies are interested in information but also the industry. Industrial spying is a daily activity that brings in billions of dollars to the detriment of the careless companies that let there business executives exchange top information per fax or mobile telephones or worse still per e-mails.
The dangers and temptations are not less important where big amounts of money are involved such as in banking or stock-market transactions.
The worldwide mobile telephone system offers a limited confidentiality service with big problems if security is your concern:
- it applies only to the radio access link and does not provide for end-to-end security - once the messages have left the radio path they travel unencrypted
- there is no privacy from the network operator - why should you trust him?
- when calling from a foreign country the calls are routed via several operators thus aggravating point 1) and 2) and leaving your confidential information in the hands of a wider audience
- the ciphering algorithm used in the Phone-system is supposed to be confidential - for how long and how secure is it?
The danger is so real that in the US lawyers and doctors are prohibited by law to discuss clients and cases over a car phone
Security can only be achieved through end-to-end digital high security encryption, as SSL piping can provide, leaving no doubts on the actual ciphering and the key handling procedures.
General Considerations on Cryptology (for those who are interested)
Introduction
The problem
Symmetrical system
Asymmetrical system
One Time Key Pad
Perfect Secrecy
Some security consideration
Some definitions
Pseudo Random Bit Generation
Pseudo-random generator unpredictable to the left
Public Key System (Asymmetrical System)
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Introduction
For thousands of years, cryptography, has been the art of providing secure communications over insecure channels, and cryptanalysis has been the art of breaking into such communications. Historically, cryptology (the combined art of cryptography and cryptanalysis) has been almost exclusively in the hands of the military and diplomats. With the advent of the computer revolution, and more importantly of society in which vast amounts of personal, financial, commercial and technological information are stored in computer data bank and transferred over computer networks, the necessity for "civilian" cryptography has become overwhelming. To put it in the words of Kahn: "Cryptography, in 1945 a nation's most closely held secret, has gone public".
Who is going to win the age-old battle between cryptography and cryptanalysis?
Great (non-specialist) minds of past centuries disagree. In his "Dictionnaire philosophique" (1769), Voltaire wrote: "Ceux qui se vantent de lire les lettres chiffrées sont de plus grands charlatants que ceux qui se vanteraient d'entendre une langue qu'il n'ont point apprise". Loosely translated, this says: "Cryptanalysts are a bunch of charlatans, even more so than Champollion!" (Champollion, Jean François, 1790-1882. At the age of 16 he read before the academy of Grenoble a paper in which he maintained that Coptic, the native spoken language of Egypt from the early Christian era to the 7th century, was the ancient language of Egypt). The opposite opinion is voiced by Edgar Allan Poe in his famous tale The Gold-Bug (1843): "It may well be doubted whether human ingenuity can construct an enigma of the kind [cryptogram] which human ingenuity may not, by proper application, resolve".
It is now clear that Voltaire was wrong: most historical cryptosystems have been badly broken, sometimes with spectacular consequences. On the other hand, there are crypto systems that have been proven to be unbreakable, regardless of the cryptanalyst's "ingenuity". The current opinion is that the increase in computing power, witnessed since 1945 until today, places cryptographers in an unprecedentedly favourable position, to the detriment of cryptanalysts. This is a very ironic turn because the Colossus, which was the first electronic computer in history, was specifically built for the purpose of crypanalysing German ciphers (ENIGMA).
Mathematicians have worked at finding objective criteria for the security of cryptosystems, thereby transforming this ancient art into an exact science.
In the past decade, computer scientists have worked at basing the security of cryptography on the recent theory of computational complexity instead of Shannon's information theory. The basic difference is that Shannon's theory lives on the hope that the cryptanalyst will not have enough information to decipher a cryptogram, while computational complexity only expects the cryptanalyst not to have enough time to do so.
It would help if you were already familiar with the concept of cryptography in general and public key cryptography in particular. Nonetheless, here are a few introductory remarks about public and secret key cryptography.
BACK
The problem
Suppose I want to send you a message, but I don't want anyone but you to be able to read it. I can "encrypt", or "encipher" the message, which means I scramble it up in a hopelessly complicated way, rendering it unreadable to anyone except you, the intended recipient of the message. I use a randomly generated secret cryptographic "key" to encrypt the message, and you have to use the same secret key to decipher or "decrypt" it. Obviously, before you can decipher you must receive the secret key in a "safe way", what is not so simple if you are not living just next door, because anyone capable of tapping my message could tap the secret key as well if I am not sending it over a perfectly secure channel. At least that's how it works in conventional "single-key" cryptosystems.
BACK
Symmetrical system (or conventional)
In conventional cryptosystems, a single key is used for both encryption and decryption. This means that a key must be initially transmitted via secure channels so that both parties can know it before encrypted messages can be sent over insecure channels. This may be inconvenient and very expensive if you have to use special couriers, as frequent key change is the security corner stone of such a system.
BACK
Asymmetrical system (or public key)
In public key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key. The secret key unlocks the code that the public key makes and vice versa. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the same kind of secure channels that a conventional crypto system requires.
Anyone can use a recipient's public key to encrypt a message to that person, and that recipient uses his own corresponding secret key to decrypt that message. No one but the recipient can decrypt it, because no one else has access to that secret key. Not even the person who encrypted the message can decrypt it!
In the above described process, the recipient cannot determine the true origin of the message, because anyone can use his public key to encipher a message and pretend to be somebody else. Consequently, authentication is required and is also possible.
Sender and recipient have to both produce a key pair (one public and one secret), exchange their public keys and keep their individual secret keys well guarded.
Then, the sender's own secret key can be used to encrypt a message, thereby "signing" it. This creates a digital signature of a message, which the recipient (or anyone else) can check by using the sender's public key todecrypt it. This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else, because the sender alone possesses the secret key that made that signature. Forgery of a signed message is unfeasible, and the sender cannot later disavow his signature.
These two ciphering processes can be combined to provide both privacy and authentication by first signing a message with your own secret key, then encrypting the signed message with the recipient's public key. The recipient reverses these steps by firstdecrypting the message with his own secret key, then checking the enclosed signature with your public key. These steps are done automatically by the recipient's software.
Because the public key encryption algorithm is very slow compare to conventional single-key encryption and that only short message can be efficiently encrypted, for high security ciphering systems (the higher the security the slower the ciphering process becomes), a "message digests" is used to form the signatures and is encrypted by the secret key.
A message digest is a 128-bit cryptographically strong one-way hash function of the message. It is somewhat analogous to a "checksum" or CRC error checking code, in that it compactly "represents" (like a finger print) the message and is used to detect changes in the message. Unlike checksums and CRCs, however, it is computationally unfeasible for an attacker to devise a substitute message that would produce an identical message digest.
There is the possibility to use a faster conventional single-key encryption to encrypt the "plaintext" with a randomly produced secret key, encrypt the secret key with a public encryption algorithm, and send the public ciphered secret key along with the normally ciphered text.
This method should be as much as possible avoided in high security ciphering systems. Transmitting the key, even ciphered, along with the message is questionable.
Despite of this, for convenience, software packages provide oft this possibility. The KEY to be put in the cipher is ciphered and signed with the PUBLIC Key algorithm. As additional precaution, it is ciphered in Cipher Block Chaining mode! When you decide to use this method, always use the highest avaiable security level of your public key system.
Besides the use of high quality algorithms, the work of the cryptographer consist of putting as many barriers as possible between himself and the cryptanalyst. Putting the key (ciphered) in the cipher reduces all possible barriers to only one.
Shannon defines it this way: a crypto system achieves perfect secrecy if knowledge of the ciphertext yield no information whatsoever on the corresponding plaintext. This is of course a very ideal statement that can only be satisfied with the so called ONE TIME KEY PAD, all other systems will give "some" information about the plaintext, but all efforts in the design of a good crypto system should tend in the direction of Shannon's statement and give as little information as possible.
In public key systems, public keys are kept in individual "key certificates" that include the key owner's user ID (which is the name of the station or of the person that distributed the key), a date stamp of when the key pair was distributed, and the actual key material. Public key certificates contain the public key material, while secret key certificates contain the secret key material. Each secret key is encrypted with a private password, in case it gets stolen. A key file (a database), contains one or more of these key certificates. Public key files contain public key certificates, and secret key files contain secret key certificates. The keys are also referenced by a "key ID" or "check", which is an 128 bit message digest (finger print) of the public key.
BACK
One Time Key Pad
The origins of the system go back to 1917, when MIT graduate Gilbert Vernam proposed a new idea for enciphering teletype communications to his employers at American Telephone & Telegraph. At the time the teletype utilised 32-character and control code alphabet consisting of 5 ON or OFF electrical pulses each and known as the Baudot Code after its Belgian inventor, J.Baudot.
On the teletype tape, current-ON is represented by a punched hole, while current-OFF is simply a space through which no electricity would flow when the tape was run through the machine. Vernam's idea was to run a second synchronised key-tape during transmission, which would cause the Baudot value of the character on the message tape to be electronically XORed with the corresponding value of the key-tape (just think of a space as 0 and a punched hole as a 1 and you have a full-fledged binary system). This would produce an encrypted output of the plaintext. At the receiving end, an identical tape would be synchronised to run along with the incoming message, and the teletype would automatically turn out the decrypted message.
The encrypting tape consisted of random or pseudo random Baudot characters, but as they were necessarily limited by practical size, repeated use carried the danger that careful cryptanalysis would spot recurring pattern and reveal the key string. A particular solution utilised two eight-foot key-tape in such a way that there output mimicked that of a single 8000-foot key tape before the particular key sequence began to repeat itself. But with large scale use over a major system, even this measure becomes vulnerable to careful and patient cryptanalysis. Ironically, research into the Vernam's system by Major Joseph Mauborgne of the US Army's Signal Corps produced what is the world's only unbreakable cipher.
BACK
Perfect Secrecy
The idea has earned many title but "random map", "one time system", "random key" or "one time key pad" are the most common.
Take a sequence of totally randomly generated numbers and use them as the enciphering key to be XORed with the plaintext message. This random key must be at least as long as the message and the same key must not be use more than once. The result is a unique encipherment of a single message which will, all things being equal, defy any and all attempts at cryptanalysis working from the cipher text alone. But the flaw lies in general security and not in any weakness of the cipher or any theoretical concern of cryptology, because there is a the large amount of key material to transmit over a secure channel, at sometimes.
Nonetheless, perfect secrecy crypto system are used in practice for very sensitive applications such as the red Telephone between Washington and Moscow.
BACK
Some security consideration
The main cryptanalytic threat on conventional secret-key cryptosystems comes from the high redundancy of the source language, allowing various kinds of statistical attacks. Shannon suggests two basic cryptographic methods "for frustrating a statistical analysis": diffusion and confusion.
The purpose of diffusion is to dissipate the source language redundancy found in the cleartext by spreading it out over the whole ciphertext. This can be achieved in two distinct ways. A transposition cipher rearranges the order in which letters (or bits) are written in the message. A simple instance is the permutation (1->3, 2->5, 3->4, 4->1, 5->2) applied to clear text "hello" yields "lolhe". Here the secret key is the permutation and longer cleartexts are enciphered using one of the "modes of operation" explained below. Although this does not affect single letter frequencies, and still being easy to break, it does obscure the frequencies of bigrams (two letter groups), trigrams, and so on.
An other approach is to regard each letter as an integer modulo 26 and perform for each cipher letter an averaging operation over a certain range of message letters and reduce modulo 26. The effect of all this is that the cryptanalyst needs to intercept a much longer cryptogram before he can attempt statistical decipherment.
The purpose of confusion is to make the relation between the key and the cipher text as complex as possible and ensure that every ciphered character will depend on virtually the entire key. So the cryptanalyst will not gain much useful information on the key from statistical studies of the cipher text. This is usually brought about by the complex substitution techniques on letter blocks. An alternative is to use a different substitution on each position of the cleartext, but this brings us back to the perfect secrecy and the one time key pad!
Taken separately, neither diffusion nor confusion is a very good technique, but combined together they become much stronger and yield what is called a "product cipher", mainly used in "block ciphering" such as the Data Encryption Standard.
Some of the main quality design criterions of block ciphers are the following:
- Each output bit must be dependant on each input bit. This means that the functions describing each output bit must have at least all input bits as input variables. Such a function is called complete.
- The change of one input bit should change at least half of all output bits. This is called the "avalanche effect".
- No output linear dependence between input and output bits should exist.
- As long as no information on the input bits is known, no information whatsoever should be available on the output bits. This will be accomplished when each of the possible output message has the same occurrence within the set of all possible messages. This is the case in a bijective substitution, because each output message occurs only once in the set of all possible output messages.
It is here stressed that the above mentioned criterions are necessary but not sufficient too guarantee quality and security.
BACK
Some definitions
Transposition:
Shuffling of the plaintext characters.
Substitution :
Replacement of the plaintext characters by characters of the cipher character set.
Product cipher:
Combination of transposition and substitution.
Monographic Substitution:
Each character of the plaintext is replaced by one character of the cipher character set.
Polygraphic Substitution:
Character groups of the plaintext are replaced by character groups of the cipher character set.
Homophon Substitution:
Each character of the plaintext is replaced by several characters of the cipher character set.
Polyalphabetic Substitution:
Ciphering through the use of several independent simple substitution, whereas the choice of the substitution is position dependent.
Entropy:
The Entropy is a measure of the information content of a message. The lower the entropy, the higher the information content, the higher the entropy, the lower the information content. For example, a truly random character stream has a maximum entropy; it is like chaos and has no information content, whereas information content is related to order and redundancy.
BACK
Pseudo Random Bit Generation
A sequence is pseudo-random if it appears to be patternless and random, although it was produced by a purely deterministic process known as a pseudo-random generator. Such generators are given a truly random starting sequence known as the seed, and they are to deterministically produce from it a much longer pseudo-random sequence. In this sense, one may view pseudo-random generators as "amplifiers" of randomness.
Randomness and cryptography are very strongly related. The prime purpose of cryptosystems is to transform non-random meaningful plaintexts into an apparently random jumble. A pseudo-random generator is cryptographically strong if the sequence it produces from a short secret seed is essentially as good as a truly random sequence for the purpose being used as a one-time key pad as is discussed above. By "essentially as good" we mean that no feasible computation can allow the cryptanalyst to learn any information on the plaintext from eavesdropping on the ciphertext (except with a vanishingly small probability). In other words, it behaves as if it offered Shannon's perfect secrecy as long as the cryptanalyst does not spend an inordinate amount of time.
BACK
Pseudo-random generator unpredictable to the left.
A pseudo-random generator is unpredictable to the left if a cryptanalyst who knows how the generator works but does not know which seed is actually used cannot do better than tossing a fair coin in order to guess the first bit produced by the generator upon seeing the sequence generated subsequently. We do not know if such a generator do exist, but a first candidate was proposed by Blum and Micali, who proved that their generator is unpredictable to the left under the assumption that it is unfeasible to extract discrete logarithms. The full relevance of pseudo-random generators unpredictable to the left was established by Yao, who proved that any such generator is cryptographically strong. Such a generator is the Blum Blum and Shub Generator (called BBS-Generator). It is based on Blum integers (n) that are the product of two distinct prime numbers p and q, both of which are congruent to 3 modulo 4.
The discrete logarithm problem stated above is the same as finding the factorisation of n in a product of primes. It follows that the BBS generator is unpredictable to the left under the assumption that it is hard to factor n. A 200 digit n (about 670 bits) is considered as being "hard" to factor in the full cryptographic sense of it and as being secure. Much more so if n is bigger than 300 digits long and not known
BACK.
Public Key System (Asymmetrical System)
Ciphering with a PUBLIC KEY system, allows ciphered text communications WITHOUT having to exchange secret keys! This is very convenient and enhance security since there is no risk of compromising the secret keys during key transfer or distribution.
To use a Public Key System, a MODULE must be produced. This module, call it n, must be large enough and be the product of two large prime numbers, call them p and q. These two prime numbers must be kept secret. We have then n = p q.
The public enciphering key, call it e, is a randomly produced number which is relatively prime to p-1 and q-1. The deciphering key, call it d, must be calculated and is the only integer satisfying the congruence ed = 1 mod m, with m = phi(n) = (p-1)(p+1). Such that:
Cipher = Message ^ e MOD n and
Message = Cipher ^ d MOD n
where ^ indicates the exponent operation.
It is seen from above that for both the ciphering and the deciphering process the same module n is needed, but different keys are used.
SECRET KEY is => d
PUBLIC KEYs are => e and n
It is only important to know that to each module n correspond one or several pairs of ciphering/deciphering keys. The Enciphering Key "e" and the Module "n" used to produce it can be made public without any danger, but the deciphering key must be kept secret.
In the following, we will talk about user GROUPS or simply GROUPS. A GROUP is nothing else than a group of users using the same MODULE n. Within the same GROUP (same module n) there may be one unique Public Enciphering Key and one unique (group secret) Secret Deciphering Key. This however would deter the purpose of the public key system, since an exchange of secret information (p and q or the secret Deciphering Key itself) must take place.
In practice a basic system will be such that each user will produce its own public and secret key pair, based on a common module (can be made public), and make his public key available to everybody in the group. Each one keeps a table of the public key of each Group member and cipher with the public key of that particular member he wants to communicate with.
If the Group wishes to have a common Deciphering Key for broadcasting purposes, the SAME public key “e” and SAME module “n” must be used, the secret Deciphering Key (to decipher broadcasted messages) must then be exchanged using a courier.
=> NEVER use different key pairs to broadcast the same message!. The system could then be broken.
=> NEVER send the same message to different persons if these persons do not have the same keys.
This a general rule in communication security.
=> NEVER cipher the same message with different keys. To one given message must correspond only one given cipher!
A public key system does not inherently provides for authentication (the positive identification of the person or station transmitting the message) because everybody could use public keys from somebody. It is however possible to overcome this problem by first ciphering with the secret key of the Sending Station (origin) and ciphering once more with the public key of the receiving Station. At the other end, the Remote Station, will first decipher with its own secret key and second with the public key of the transmitting station. If the message can so be recovered then the transmitter is positively identified.
In practice, because ciphering with public key system is slow, only a small part of the message will be doubly ciphered. This small message part must uniquely identify the message itself and is called the Message Digest calculated with a One-Way Hash Function and is appended to the actual message. The Message Digest is ciphered with the secret key of the sending station and is so "signed". It identifies the transmitter and authenticates the message itself. Then the complete message (actual message + ciphered Message Digest) is ciphered with the public key.
To produce a set of Public Keys a MODULE, a PUBLIC key and a SECRET key have to be generated.
The length of the MODULE (n) determines the block size of the cipher, the length of the keys, the achieved security and the ciphering speed.
n bigger than 25 digits => Low Security ( 90 bits )
n bigger than 50 digits => Reduced Security ( 180 bits )
n bigger than 100 digits => Secure ( 360 bits )
n bigger than 200 digits => High Security ( 720 bits )
n bigger that 300 digits => Very High Security (1024 bits )
To break a PUBLIC Key System, n has to be available and factored in a product of primes. This is known as the factoring problem and there is no known algorithm capable of accomplishing this job in a reasonable amount of time.
A 200 digit n (about 670 bits) is considered as being "hard" to factor in the full cryptographic sense of it and as being very secure for all practical purpose against a single attacker (as opposed to attackers using computer networks). Commonly used 512-bits modules can be considered as vulnerable to an organisation willing to spend a few million dollars and wait for a few months of computational time. With more than 1024 bits you can sleep tight for the next few years.
BACK
Electronic Code Book (ECB)
Block ciphering is the successive ciphering of plaintext blocks. Each block is a "slice" of the plain text whose length is normally equal to the length that the ciphering algorithm can handle in one ciphering run. The ciphering algorithm takes a plain text block as input and puts a ciphered block out. The ciphered block is KEY-dependent. This simple method of successive block ciphering is known as "Electronic Code Book" (ECB) and is to be avoided as much as possible because two identical slices of ciphered text indicate to the cryptanalyst that the two corresponding slices of plaintext are also identical. Such information can be a valuable starting point at figuring out the plain text.
BACK
Cipher Block Chaining (CBC)
Cipher Block Chaining makes good use of the concept of diffusion: each block of ciphertext depends on all the plain text seen before. It prevents the tamperer from cutting and pasting previously transmitted ciphertexts and is so good for authentication (making sure that the received ciphertext was not modified on the way). This mode has also a "self-synchronising" feature, in the sense that only a few blocks of the plaintext will decipher incorrectly if there is a transmission error, if the encipherment or decipherment process makes an occasional error or even if a block of text is lost altogether without detection.
The plaintext is split in blocks where each block is XORed with the previously ciphered block, before being itself ciphered. The first block of the plaintext (there is no previous ciphertext block here) is XORed with a randomly produced initialisation vector (IV) that could be transmitted with the ciphertext or be a part of the enciphering/deciphering keys. The IV does not need to be secret nor unique.
Cipher Feedback (CFB)
In the cipher feedback mode the plaintext isdecomposed in blocks that can be smaller than the algorithm block size. With an algorithm that can handle say 8 characters at a time, the actual ciphering could be made, for example, one character at a time. In this last case, it would work as follows:
- Produce a random character block (lets call it the initialisation vector: IV) equal to the algorithm block size (8 characters in this example)
- Cipher the IV with the algorithm and its key
- XOR the left-most character of the ciphered result with the character of the plaintext, resulting in a ciphered character
- The so obtained ciphered character is also appended at the end of the IV and the first character of the IV is dropped, keeping the length of the IV at a constant value of 8
- Repeat steps 2) to 4) until the whole plaintext is ciphered
Remark: The initialisation vector produced in step 1) must be unique i.e. different for each ciphered text produced with the same key but it does not need to be kept secret.
The CFB mode is like CBC mode self-synchronising, there is no security improvement over CBC and it is slower. It is good if single characters or bits have to be individually ciphered as is the case in stream cipher or in the ciphering of data bases.
BACK
Output Feedback (OFB)
This mode is similar to CFB except that the leftmost character of the previous output block (instead of the ciphered output character) is moved to the right most position of the IV
