
Cryptography basics

In the document Guide to Elliptic Curve Cryptography (pages 23-27)

Introduction and Overview

1.1 Cryptography basics

Cryptography is about the design and analysis of mathematical techniques that enable secure communications in the presence of malicious adversaries.

Basic communications model

In Figure 1.1, entities A (Alice) and B (Bob) are communicating over an unsecured channel. We assume that all communications take place in the presence of an adversary E (Eve) whose objective is to defeat any security services being provided to A and B.

[Figure 1.1 (image not reproduced): A and B connected by an unsecured channel, with the adversary E positioned on that channel.]

Figure 1.1. Basic communications model.

For example, A and B could be two people communicating over a cellular telephone network, and E is attempting to eavesdrop on their conversation. Or, A could be the web browser of an individual Ã who is in the process of purchasing a product from an online store B̃ represented by its web site B. In this scenario, the communications channel is the Internet. An adversary E could attempt to read the traffic from A to B, thus learning Ã's credit card information, or could attempt to impersonate either Ã or B̃ in the transaction. As a third example, consider the situation where A is sending an email message to B over the Internet. An adversary E could attempt to read the message, modify selected portions, or impersonate A by sending her own messages to B. Finally, consider the scenario where A is a smart card that is in the process of authenticating its holder Ã to the mainframe computer B at the headquarters of a bank. Here, E could attempt to monitor the communications in order to obtain Ã's account information, or could try to impersonate Ã in order to withdraw funds from Ã's account. It should be evident from these examples that a communicating entity is not necessarily a human, but could be a computer, smart card, or software module acting on behalf of an individual or an organization such as a store or a bank.

Security goals

Careful examination of the scenarios outlined above reveals the following fundamental objectives of secure communications:

1. Confidentiality: keeping data secret from all but those authorized to see it—messages sent by A to B should not be readable by E.

2. Data integrity: ensuring that data has not been altered by unauthorized means—B should be able to detect when data sent by A has been modified by E.

3. Data origin authentication: corroborating the source of data—B should be able to verify that data purportedly sent by A indeed originated with A.

4. Entity authentication: corroborating the identity of an entity—B should be convinced of the identity of the other communicating entity.

5. Non-repudiation: preventing an entity from denying previous commitments or actions—when B receives a message purportedly from A, not only is B convinced that the message originated with A, but B can convince a neutral third party of this; thus A cannot deny having sent the message to B.

Some applications may have other security objectives such as anonymity of the communicating entities or access control (the restriction of access to resources).

Adversarial model

In order to model realistic threats faced by A and B, we generally assume that the adversary E has considerable capabilities. In addition to being able to read all data transmitted over the channel, E can modify transmitted data and inject her own data. Moreover, E has significant computational resources at her disposal. Finally, complete descriptions of the communications protocols and any cryptographic mechanisms deployed (except for secret keying information) are known to E. The challenge to cryptographers is to design mechanisms to secure the communications in the face of such powerful adversaries.

Symmetric-key cryptography

Cryptographic systems can be broadly divided into two kinds. In symmetric-key schemes, depicted in Figure 1.2(a), the communicating entities first agree upon keying material that is both secret and authentic. Subsequently, they may use a symmetric-key encryption scheme such as the Data Encryption Standard (DES), RC4, or the Advanced Encryption Standard (AES) to achieve confidentiality. They may also use a message authentication code (MAC) algorithm such as HMAC to achieve data integrity and data origin authentication.

For example, if confidentiality were desired and the secret key shared by A and B were k, then A would encrypt a plaintext message m using an encryption function ENC and the key k and transmit the resulting ciphertext c = ENCk(m) to B. On receiving c, B would use the decryption function DEC and the same key k to recover m = DECk(c). If data integrity and data origin authentication were desired, then A and B would first agree upon a secret key k, after which A would compute the authentication tag t = MACk(m) of a plaintext message m using a MAC algorithm and the key k. A would then send m and t to B. On receiving m and t, B would use the MAC algorithm and the same key k to recompute the tag t′ = MACk(m) of m and accept the message as having originated from A if t = t′.
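The MAC exchange just described, carried out with HMAC-SHA256 (HMAC being the MAC the text names), as an added example that is not from the book: the shared key k and the messages are constructed inline, and B's check of t against t′ uses hmac.compare_digest so that the comparison itself does not leak timing information.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed shared key k. In the text A and B agree on k over a secret and
# authenticated channel; here it is simply generated in-process.
K = secrets.token_bytes(32)


def mac_tag(k: bytes, m: bytes) -> bytes:
    """t = MAC_k(m), using HMAC-SHA256."""
    return hmac.new(k, m, hashlib.sha256).digest()


def send(k: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """A's side: tag the plaintext and transmit (m, t). Note that m travels in
    the clear; a MAC gives integrity and origin authentication, not secrecy."""
    return m, mac_tag(k, m)


def receive(k: bytes, m: bytes, t: bytes) -> bool:
    """B's side: recompute t' = MAC_k(m) and accept only if t == t'.
    compare_digest takes time independent of where the tags first differ, so
    a byte-by-byte early exit cannot reveal how much of a guessed tag is right."""
    t_prime = mac_tag(k, m)
    return hmac.compare_digest(t, t_prime)


def demo() -> Dict[str, bool]:
    """Genuine traffic is accepted; E's alteration and forgery are rejected."""
    m, t = send(K, b"transfer 100 to account 42")  # constructed message
    results = {"genuine": receive(K, m, t)}
    # E modifies m in transit but has no k with which to recompute t.
    results["tampered"] = receive(K, b"transfer 900 to account 42", t)
    # E forges a message and tags it under a key of her own; without k the
    # tag will not match B's recomputation.
    forged = b"transfer 900 to account 42"
    results["forged"] = receive(K, forged, mac_tag(secrets.token_bytes(32), forged))
    return results
```

Calling demo() returns the three outcomes keyed by scenario; only "genuine" is accepted.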

[Figure 1.2 (image not reproduced): (a) Symmetric-key cryptography: A and B connected by an unsecured channel watched by E, together with a secret and authenticated channel. (b) Public-key cryptography: the same arrangement, but with only an authenticated channel.]

Figure 1.2. Symmetric-key versus public-key cryptography.

Key distribution and management

The major advantage of symmetric-key cryptography is high efficiency; however, there are significant drawbacks to these systems. One primary drawback is the so-called key distribution problem—the requirement for a channel that is both secret and authenticated for the distribution of keying material. In some applications, this distribution may be conveniently done by using a physically secure channel such as a trusted courier. Another way is to use the services of an on-line trusted third-party who initially establishes secret keys with all the entities in a network and subsequently uses these keys to securely distribute keying material to communicating entities when required.¹ Solutions such as these may be well-suited to environments where there is an accepted and trusted central authority, but are clearly impractical in applications such as email over the Internet.

A second drawback is the key management problem—in a network of N entities, each entity may have to maintain different keying material with each of the other N−1 entities. This problem can be alleviated by using the services of an on-line trusted third-party that distributes keying material as required, thereby reducing the need for entities to securely store multiple keys. Again, however, such solutions are not practical in some scenarios. Finally, since keying material is shared between two (or more) entities, symmetric-key techniques cannot be used to devise elegant digital signature schemes that provide non-repudiation services. This is because it is impossible to distinguish between the actions taken by the different holders of a secret key.²

Public-key cryptography

The notion of public-key cryptography, depicted in Figure 1.2(b), was introduced in 1975 by Diffie, Hellman and Merkle to address the aforementioned shortcomings of symmetric-key cryptography. In contrast to symmetric-key schemes, public-key schemes require only that the communicating entities exchange keying material that is authentic (but not secret). Each entity selects a single key pair (e, d) consisting of a public key e, and a related private key d (that the entity keeps secret). The keys have the property that it is computationally infeasible to determine the private key solely from knowledge of the public key.

¹ This approach of using a centralized third-party to distribute keys for symmetric-key algorithms to parties as they are needed is used by the Kerberos network authentication protocol for client/server applications.

² Digital signature schemes can be designed using symmetric-key techniques; however, these schemes are generally impractical as they require the use of an on-line trusted third party or new keying material for each signature.

Confidentiality

If entity A wishes to send entity B a confidential message m, she obtains an authentic copy of B's public key eB, and uses the encryption function ENC of a public-key encryption scheme to compute the ciphertext c = ENCeB(m). A then transmits c to B, who uses the decryption function DEC and his private key dB to recover the plaintext: m = DECdB(c). The presumption is that an adversary with knowledge only of eB (but not of dB) cannot decrypt c. Observe that there are no secrecy requirements on eB. It is essential only that A obtain an authentic copy of eB—otherwise A would encrypt m using the public key eE of some entity E purporting to be B, and m would be recoverable by E.

Non-repudiation

Digital signature schemes can be devised for data origin authentication and data integrity, and to facilitate the provision of non-repudiation services. An entity A would use the signature generation algorithm SIGN of a digital signature scheme and her private key dA to compute the signature of a message: s = SIGNdA(m). Upon receiving m and s, an entity B who has an authentic copy of A's public key eA uses a signature verification algorithm to confirm that s was indeed generated from m and dA. Since dA is presumably known only by A, B is assured that the message did indeed originate from A. Moreover, since verification requires only the non-secret quantities m and eA, the signature s can also be verified by a third party who could settle disputes if A denies having signed message m. Unlike handwritten signatures, A's signature s depends on the message m being signed, preventing a forger from simply appending s to a different message m′ and claiming that A signed m′. Even though there are no secrecy requirements on the public key eA, it is essential that verifiers should use an authentic copy of eA when verifying signatures purportedly generated by A.
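A concrete SIGN/verify pair showing the two properties above: verification needs only public data, and a signature is bound to the message it was computed over, so reusing s on m′ fails. This is an added example, not the book's; the text does not name a scheme, so textbook RSA over two fixed Mersenne primes stands in for the abstract one, and A's key pair and the messages are constructed for the demonstration.

```python
import hashlib
from typing import Dict, Tuple

# Toy key pair (e_A, d_A) for A from textbook RSA over two fixed Mersenne
# primes. Constructed for illustration only: real deployments use much larger,
# randomly generated primes and a padding scheme. RSA is not named on the page;
# it stands in here for the abstract SIGN/verify operations.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E_PUB = 65537                  # public exponent; coprime to PHI for these primes
D_PRIV = pow(E_PUB, -1, PHI)   # private exponent (modular inverse, Python 3.8+)

E_A: Tuple[int, int] = (N, E_PUB)   # A's public key e_A, may be published freely
D_A: Tuple[int, int] = (N, D_PRIV)  # A's private key d_A, known only to A


def _digest(m: bytes) -> int:
    """Hash the message and reduce it into Z_N so it can be exponentiated."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(d_a: Tuple[int, int], m: bytes) -> int:
    """s = SIGN_dA(m): needs the private exponent, so only A can produce s."""
    n, d = d_a
    return pow(_digest(m), d, n)


def verify(e_a: Tuple[int, int], m: bytes, s: int) -> bool:
    """Uses only the non-secret quantities m, s and e_A, so B or any third
    party settling a dispute can run it."""
    n, e = e_a
    return pow(s, e, n) == _digest(m)


def demo() -> Dict[str, bool]:
    m = b"A agrees to pay B 100 units"       # constructed message
    s = sign(D_A, m)
    results = {"genuine": verify(E_A, m, s)}
    # A forger takes the valid s and attaches it to a different message m'.
    # Because s depends on m, verification against m' fails.
    m_prime = b"A agrees to pay B 9000 units"
    results["s_reused_on_m_prime"] = verify(E_A, m_prime, s)
    # A forger without d_A can only guess at a value for s.
    results["guessed_s"] = verify(E_A, m_prime, 12345678)
    return results
```

demo() returns True only for the genuine (m, s) pair; both forgery attempts verify as False under e_A.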

In this way, public-key cryptography provides elegant solutions to the three problems with symmetric-key cryptography, namely key distribution, key management, and the provision of non-repudiation. It must be pointed out that, although the requirement for a secret channel for distributing keying material has been eliminated, implementing a public-key infrastructure (PKI) for distributing and managing public keys can be a formidable challenge in practice. Also, public-key operations are usually significantly slower than their symmetric-key counterparts. Hence, hybrid systems that benefit from the efficiency of symmetric-key algorithms and the functionality of public-key algorithms are often used.

The next section introduces three families of public-key cryptographic systems.
