diff --git a/05-Cryptology/05-Cryptology.md b/05-Cryptology/05-Cryptology.md new file mode 100644 index 0000000..c41d4c5 --- /dev/null +++ b/05-Cryptology/05-Cryptology.md @@ -0,0 +1,1593 @@ +5. Cryptology + + 5.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + + 5.2. SUMMARY: Cryptology + 5.2.1. Main Points + - gaps still exist here...I treated this as fairly low + priority, given the wealth of material on cryptography + 5.2.2. Connections to Other Sections + - detailed crypto knowledge is not needed to understand many + of the implications, but it helps to know the basics (it + heads off many of the most wrong-headed interpretations) + - in particular, everyone should learn enough to at least + vaguely understand how "blinding" works + 5.2.3. Where to Find Additional Information + + a dozen or so major books + - Schneier, "Applied Cryptography"--is practically + "required reading" + - Denning + - Brassard + - Simmons + - Welsh, Dominic + - Salomaa + - "CRYPTO" Proceedings + - Other books I can take or leave + - many ftp sites, detailed in various places in this doc + - sci.crypt, alt.privacy.pgp, etc. + - sci.crypt.research is a new group, and is moderated, so it + should have some high-quality, technical posts + - FAQs on sci.crypt, from RSA, etc. + - Dave Banisar of EPIC (Electronic Privacy Information + Center) reports: "...we have several hundred files on + encryption available via ftp/wais/gopher/WWW from cpsr.org + /cpsr/privacy/crypto." [D.B., sci.crypt, 1994-06-30] + 5.2.4. Miscellaneous Comments + - details of algorithms would fill several books...and do + - hence, will not cover crypto in depth here (the main focus + of this doc is the implications of crypto, the + Cypherpunkian aspects, the things not covered in crypto + textbooks) + - beware of getting lost in the minutiae, in the details of + specific algorithms...try to keep in the mind the + _important_ aspects of any system + + 5.3. What this FAQ Section Will Not Cover + 5.3.1. Why a section on crypto when so many other sources exist? + - A good question. I'll be keeping this section brief, as + many textbooks can afford to do a much better job here than + I can. + - not just for those who read number theory books with one + hand + 5.3.2. NOTE: This section may remain disorganized, at least as + compared to some of the later sections. Many excellent + sources on crypto exist, including readily available FAQs + (sci.crypt, RSADSI FAQ) and books. Schneier's books is + especially recommended, and should be on _every_ Cypherpunk's + bookshelf. + + 5.4. Crypto Basics + 5.4.1. "What is cryptology?" + - we see crypto all around us...the keys in our pockets, the + signatures on our driver's licenses and other cards, the + photo IDs, the credit cards + + cryptography or cryptology, the science of secret + writing...but it's a lot more...consider I.D. cards, locks + on doors, combinations to safes, private + information...secrecy is all around us + - some say this is bad--the tension between "what have you + got to hide?" and "none of your business" + - some exotic stuff: digital money, voting systems, advanced + software protocols + - of importance to protecting privacy in a world of + localizers (a la Bob and Cherie), credit cards, tags on + cars, etc....the dossier society + + general comments on cryptography + - chain is only as strong as its weakest link + - assume opponnent knows everything except the secret key + - + - Crypto is about economics + + Codes and Ciphers + + Simple Codes + - Code Books + + Simple Ciphers + + Substitution Ciphers (A=C, B=D, etc.) + - Caesar Shift (blocks) + + Keyword Ciphers + + Vigenre (with Caesar) + + Rotor Machines + - Hagelin + - Enigma + - Early Computers (Turing, Colossus) + + Modern Ciphers + + 20th Century + + Private Key + + One-Time Pads (long strings of random numbers, + shared by both parties) + + not breakable even in principle, e.g., a one-time + pad with random characters selected by a truly + random process (die tosses, radioactive decay, + certain types of noise, etc.) + - and ignoring the "breakable by break-ins" + approach of stealing the one-time pad, etc. + ("Black bag cryptography") + - Computer Media (Floppies) + + CD-ROMs and DATs + - "CD ROM is a terrible medium for the OTP key + stream. First, you want exactly two copies of + the random stream. CD ROM has an economic + advantage only for large runs. Second, you want + to destroy the part of the stream already used. + CD ROM has no erase facilities, outside of + physical destruction of the entire disk." + [Bryan G. Olson, sci.crypt, 1994-08-31] + + DES--Data Encryption Standard + - Developed from IBM's Lucifer, supported by NSA + - a standard since 1970s + + But is it "Weak"? + + DES-busting hardware and software studied + + By 1990, still cracked + - But NSA/NIST has ordered a change + + Key Distribution Problem + + Communicating with 100 other people means + distributing and securing 100 keys + - and each of those 100 must keep their 100 keys + secure + - no possibility of widespread use + + Public Key + + 1970s: Diffie, Hellman, Merkle + + Two Keys: Private Key and Public Key + + Anybody can encrypt a message to Receiver with + Receiver's PUBLIC key, but only the Receiver's + PRIVATE key can decrypt the message + + Directories of public keys can be published + (solves the key distribution problem) + + Approaches + + One-Way Functions + - Knapsack (Merkle, Hellman) + + RSA (Rivest, Shamir, Adleman) + - relies on difficulty of factoring + large numbers (200 decimal digits) + - believed to be "NP-hard" + + patented and licensed to "carefully + selected" customers + - RSA, Fiat-Shamir, and other + algorithms are not freely usable + - search for alternatives continues + 5.4.2. "Why does anybody need crypto?" + + Why the Need + - electronic communications...cellular phones, fax + machines, ordinary phone calls are all easily + intercepted...by foreign governments, by the NSA, by + rival drug dealers, by casual amateurs + + transactions being traced....credit card receipts, + personal checks, I.D. cards presented at time of + purchase...allows cross-referencing, direct mail data + bases, even government raids on people who buy greenhouse + supplies! + - in a sense, encryption and digital money allows a + return to cash + - Why do honest people need encryption? Because not + everyone is honest, and this applies to governments as + well. Besides, some things are no one else's business. + - Why does anybody need locks on doors? Why aren't all + diaries available for public reading? + + Whit Diffie, one of the inventors of public key + cryptography (and a Cypherpunk) points out that human + interaction has largely been predicated on two important + aspects: + - that you are who you say you are + - expectation of privacy in private communications + - Privacy exists in various forms in various cultures. But + even in police states, certain concepts of privacy are + important. + - Trust is not enough...one may have opponents who will + violate trust if it seems justified + + The current importance of crypto is even more striking + + needed to protect privacy in cyberspace, networks, etc. + - many more paths, links, interconnects + - read Vinge's "True Names" for a vision + + digital money...in a world of agents, knowbots, high + connectivity + - (can't be giving out your VISA number for all these + things) + + developing battle between: + - privacy advocates...those who want privacy + - government agencies...FBI, DOJ, DEA, FINCEN, NSA + + being fought with: + - attempts to restrict encryption (S.266, never passed) + - Digital Telephony Bill, $10K a day fine + - trial balloons to require key registration + - future actions + + honest people need crypto because there are dishonest + people + - and there may be other needs for privacy + - Phil Zimmerman's point about sending all mail, all letters, + on postcards--"What have you got to hide?" indeed! + - the expectation of privacy in out homes and in phone + conversations + + Whit Diffie's main points: + + proving who you say you are...signatures, authentications + - like "seals" of the past + - protecting privacy + - locks and keys on property and whatnot + + the three elements that are central to our modern view of + liberty and privacy (a la Diffie) + - protecting things against theft + - proving who we say we are + - expecting privacy in our conversations and writings + 5.4.3. What's the history of cryptology? + 5.4.4. Major Classes of Crypto + - (these sections will introduce the terms in context, though + complete definitions will not be given) + + Encryption + - privacy of messages + - using ciphers and codes to protect the secrecy of + messages + - DES is the most common symmetric cipher (same key for + encryption and decryption) + - RSA is the most common asymmetric cipher (different keys + for encryption and decryption) + + Signatures and Authentication + - proving who you are + - proving you signed a document (and not someone else) + + Authentication + + Seals + + Signatures (written) + + Digital Signatures (computer) + - Example: Numerical codes on lottery tickets + + Using Public Key Methods (see below) + - Digital Credentials (Super Smartcards) + - Tamper-responding Systems + + Credentials + - ID Cards, Passports, etc. + + Biometric Security + - Fingerprints, Retinal Scans, DNA, etc. + + Untraceable Mail + - untraceable sending and receiving of mail and messages + - focus: defeating eavesdroppers and traffic analysis + - DC protocol (dining cryptographers) + + Cryptographic Voting + - focus: ballot box anonymity + - credentials for voting + - issues of double voting, security, robustness, efficiency + + Digital Cash + - focus: privacy in transactions, purchases + - unlinkable credentials + - blinded notes + - "digital coins" may not be possible + + Crypto Anarchy + - using the above to evade gov't., to bypass tax + collection, etc. + - a technological solution to the problem of too much + government + + Security + + Locks + - Key Locks + + Combination Locks + - Cardkey Locks + + Tamper-responding Systems (Seals) + + Also known as "tamper-proof" (misleading) + - Food and Medicine Containers + - Vaults, Safes (Alarms) + + Weapons, Permissive Action Links + - Nuclear Weapons + - Arms Control + - Smartcards + - Currency, Checks + + Cryptographic Checksums on Software + - But where is it stored? (Can spoof the system by + replacing the whole package) + + Copy Protection + - Passwords + - Hardware Keys ("dongles") + - Call-in at run-time + + Access Control + - Passwords, Passphrases + - Biometric Security, Handwritten Signatures + - For: Computer Accounts, ATMs, Smartcards + 5.4.5. Hardware vs. Software + - NSA says only hardware implementations can really be + considered secure, and yet most Cypherpunks and ordinary + crypto users favor the sofware approach + - Hardware is less easily spoofable (replacement of modules) + - Software can be changed more rapidly, to make use of newer + features, faster modules, etc. + - Different cultures, with ordinary users (many millions) + knowing they are less likely to have their systems black- + bag spoofed (midnight engineering) than are the relatively + fewer and much more sensitive military sites. + 5.4.6. "What are 'tamper-resistant modules' and why are they + important?" + - These are the "tamper-proof boxes" of yore: display cases, + vaults, museum cases + - that give evidence of having been opened, tampered with, + etc. + + modern versions: + - display cases + - smart cards + + chips + - layers of epoxy, abrasive materials, fusible links, + etc. + - (goal is to make reverse engineering much more + expensive) + - nuclear weapon "permissive action links" (PALs) + 5.4.7. "What are "one way functions"?" + - functions with no inverses + - crypto needs functions that are seemingly one-way, but + which actually have an inverse (though very hard to find, + for example) + - one-way function, like "bobbles" (Vinge's "Marooned in + Realtime") + 5.4.8. When did modern cryptology start? + + "What are some of the modern applications of cryptology?" + + "Zero Knowledge Interactive Proof Systems" (ZKIPS) + - since around 1985 + - "minimum disclosure proofs" + + proving that you know something without actually + revealing that something + + practical example: password + + can prove you have the password without actually + typing it in to computer + - hence, eavesdroppers can't learn your password + - like "20 questions" but more sophisticated + - abstract example: Hamiltonian circuit of a graph + + Digital Money + + David Chaum: "RSA numbers ARE money" + - checks, cashiers checks, etc. + - can even know if attempt is made to cash same check + twice + + so far, no direct equivalent of paper currency or + coins + - but when combined with "reputation-based systems," + there may be + + Credentials + + Proofs of some property that do not reveal more than + just that property + - age, license to drive, voting rights, etc. + - "digital envelopes" + + Fiat-Shamir + - passports + + Anonymous Voting + - protection of privacy with electronic voting + - politics, corporations, clubs, etc. + - peer review of electronic journals + - consumer opinions, polls + + Digital Pseudonyms and Untraceable E-Mail + + ability to adopt a digital pseudonym that is: + - unforgeable + - authenticatable + - untraceable + - Vinge's "True Names" and Card's "Ender's Game" + + Bulletin Boards, Samizdats, and Free Speech + + banned speech, technologies + - e.g., formula for RU-486 pill + - bootleg software, legally protected material + + floating opinions without fears for professional + position + - can even later "prove" the opinions were yours + + "The Labyrinth" + - store-and-forward switching nodes + + each with tamper-responding modules that decrypt + incoming messages + + accumulate some number (latency) + + retransmit to next address + - and so on.... + + relies on hardware and/or reputations + + Chaum claims it can be done solely in software + - "Dining Cryptographers" + 5.4.9. What is public key cryptography? + 5.4.10. Why is public key cryptography so important? + + The chief advantage of public keys cryptosystems over + conventional symmetric key (one key does both encryption + and decryption) is one _connectivity_ to recipients: one + can communicate securely with people without exchanging key + material. + - by looking up their public key in a directory + - by setting up a channel using Diffie-Hellman key exchange + (for example) + 5.4.11. "Does possession of a key mean possession of *identity*?" + - If I get your key, am I you? + - Certainly not outside the context of the cryptographic + transaction. But within the context of a transaction, yes. + Additional safeguards/speedbumps can be inserted (such as + biometric credentials, additional passphrases, etc.), but + these are essentially part of the "key," so the basic + answer remains "yes." (There are periodically concerns + raised about this, citing the dangers of having all + identity tied to a single credential, or number, or key. + Well, there are ways to handle this, such as by adopting + protocols that limit one's exposure, that limits the amount + of money that can be withdrawn, etc. Or people can adopt + protocols that require additional security, time delays, + countersigning, etc.) + + This may be tested in court soon enough, but the answer for + many contracts and crypto transactions will be that + possession of key = possession of identity. Even a court + test may mean little, for the types of transactions I + expect to see. + - That is, in anonymous systems, "who ya gonna sue?" + - So, guard your key. + 5.4.12. What are digital signatures? + + Uses of Digital Signatures + - Electronic Contracts + - Voting + - Checks and other financial instruments (similar to + contracts) + - Date-stamped Transactions (augmenting Notary Publics) + 5.4.13. Identity, Passports, Fiat-Shamir + - Murdoch, is-a-person, national ID cards, surveillance + society + + "Chess Grandmaster Problem" and other Frauds and Spoofs + - of central importance to proofs of identity (a la Fiat- + Shamir) + - "terrorist" and "Mafia spoof" problems + 5.4.14. Where else should I look? + 5.4.15. Crypto, Technical + + Ciphers + - traditional + - one-time pads, Vernams ciphers, information-theoretically + secure + + "I Have a New Idea for a Cipher---Should I Discuss it + Here?" + - Please don't. Ciphers require careful analysis, and + should be in paper form (that is, presented in a + detailed paper, with the necessary references to show + that due diligence was done, the equations, tables, + etc. The Net is a poor substitute. + - Also, breaking a randomly presented cipher is by no + means trivial, even if the cipher is eventually shown + to be weak. Most people don't have the inclination to + try to break a cipher unless there's some incentive, + such as fame or money involved. + - And new ciphers are notoriously hard to design. Experts + are the best folks to do this. With all the stuff + waiting to be done (described here), working on a new + cipher is probably the least effective thing an amateur + can do. (If you are not an amateur, and have broken + other people's ciphers before, then you know who you + are, and these comments don't apply. But I'll guess + that fewer than a handful of folks on this list have + the necessary background to do cipher design.) + - There are a vast number of ciphers and systems, nearly + all of no lasting significance. Untested, undocumented, + unused--and probably unworthy of any real attention. + Don't add to the noise. + - What is DES and can it be broken? + + ciphers + - RC4, stream cipher + + DolphinEncrypt + - + + "Last time Dolphin Encrypt reared its insecure head + in this forum, + - these same issues came up. The cipher that DE uses + is not public and + - was not designed by a person of known + cryptographicc competence. It + - should therefore be considered extremely weak. + + + RSA + - What is RSA? + - Who owns or controls the RSA patents? + - Can RSA be broken? + - What alternatives to RSA exist? + + One-Way Functions + - like diodes, one-way streets + - multiplying two large numbers together is + easy....factoring the product is often very hard + - (this is not enough for a usable cipher, as the recipient + must be able to perform the reverse operation..it turns + out that "trapdoors" can be found) + - Digital Signatures + + Digital Cash + - What is digital cash? + - How does digital cash differ from VISA and similar + electronic systems? + - Clearing vs. Doublespending Detection + - Zero Knowledge + - Mixes and Remailers + - Dining Cryptographers + + Steganography + - invisible ink + - microdots + - images + - sound files + + Random Number Generators + + von Neumann quote about living in a state of sin + - also paraphrased (I've heard) to include _analog_ + methods, presumably because the nonrepeating (form an + initial seed/start) nature makes repeating experiments + impossible + + Blum-Blum-Shub + + How it Works + - "The Blum-Blum-Shub PRNG is really very simple. + There is source floating around on the crypto ftp + sites, but it is a set of scripts for the Unix bignum + calculator "bc", plus some shell scripts, so it is + not very portable. + + "To create a BBS RNG, choose two random primes p and + q which are congruent to 3 mod 4. Then the RNG is + based on the iteration x = x*x mod n. x is + initialized as a random seed. (x should be a + quadratic residue, meaning that it is the square of + some number mod n, but that can be arranged by + iterating the RNG once before using its output.)" + [Hal Finney, 1994-05-14] + - Look for blum-blum-shub-strong-randgen.shar and related + files in pub/crypt/other at ripem.msu.edu. (This site + is chock-full of good stuff. Of course, only Americans + are allowed to use these random number generators, and + even they face fines of $500,000 and imprisonment for + up to 5 years for inappopriate use of random numbers.) + - source code at ripem ftp site + - "If you don't need high-bandwidth randomness, there are + several good PRNG, but none of them run fast. See the + chapter on PRNG's in "Cryptology and Computational + Number Theory"." [Eric Hughes, 1994-04-14] + + "What about hardware random number generators?" + + Chips are available + - + + "Hughes Aircraft also offers a true non-deterministic + chip (16 pin DIP). + - For more info contact me at kephart@sirena.hac.com" + <7 April 94, sci.crypt> + + "Should RNG hardware be a Cypherpunks project?" + - Probably not, but go right ahead. Half a dozen folks + have gotten all fired up about this, proposed a project- + -then let it drop. + - can use repeated applications of a cryptographic has + function to generate pretty damn good PRNs (the RSAREF + library has hooks for this) + + "I need a pretty good random number generator--what + should I use?" + - "While Blum-Blum-Shub is probably the cool way to go, + RSAREF uses repeated iterations of MD5 to generate its + pseudo-randoms, which can be reasonably secure and use + code you've probably already got hooks from perl + for.[BillStewart,1994-04-15] + + Libraries + - Scheme code: ftp://ftp.cs.indiana.edu/pub/scheme- + repository/scm/rand.scm + + P and NP and all that jazz + - complexity, factoring, + + can quantum mechanics help? + - probably not + + Certification Authorities + - heierarchy vs. distributed web of trust + - in heierarchy, individual businesses may set themselves + up as CAs, as CommerceNet is talking about doing + + Or, scarily, the governments of the world may insist that + they be "in the loop" + - several ways to do this: legal system invocation, tax + laws, national security....I expect the legal system to + impinge on CAs and hence be the main way that CAs are + partnered with the government + - I mention this to give people some chance to plan + alternatives, end-runs + - This is one of the strongest reasons to support the + decoupling of software from use (that is, to reject the + particular model RSADSI is now using) + 5.4.16. Randomness + - A confusing subject to many, but also a glorious subject + (ripe with algorithms, with deep theory, and readily + understandable results). + + Bill Stewart had a funny comment in sci.crypt which also + shows how hard it is to know if something's really random + or not: "I can take a simple generator X[i] = DES( X[i-1], + K ), which will produce nice random white noise, but you + won't be able to see that it's non-random unless you rent + time on NSA's DES-cracker." [B.S. 1994-09-06] + - In fact, many seemingly random strings are actually + "cryptoregular": they are regular, or nonrandom, as soon + as one uses the right key. Obviously, most strings used + in crypto are cryptoregular in that they _appear_ to be + random, and pass various randomness measures, but are + not. + + "How can the randomness of a bit string be measured?" + - It can roughly be estimated by entropy measures, how + compressible it is (by various compression programs), + etc. + - It's important to realize that measures of randomness + are, in a sense, "in the eye of the beholder"--there just + is no proof that a string is random...there's always room + for cleverness, if you will + + Chaitin-Kolmogoroff complexity theory makes this clearer. + To use someone else's words: + - "Actually, it can't be done. The consistent measure of + entropy for finite objects like a string or a (finite) + series of random numbers is the so-called ``program + length complexity''. This is defined as the length of + the shortest program for some given universal Turing + machine + which computes the string. It's consistent in the + sense that it has the familiar properties of + ``ordinary'' (Shannon) entropy. Unfortunately, it's + uncomputable: there's no algorithm which, given an + arbitrary finite string S, computes the program-length + complexity of S. + + Program-length complexity is well-studied in the + literature. A good introductory paper is ``A Theory of + Program Size Formally Identical to Information Theory'' + by G. J. Chaitin, _Journal of the ACM_, 22 (1975) + reprinted in Chaitin's book _Information Randomness & + Incompleteness_, World Scientific Publishing Co., + 1990." [John E. Kreznar, 1993-12-02] + + "How can I generate reasonably random numbers?" + - I say "reasonably" becuae of the point above: no number + or sequence is provably "random." About the best that can + be said is that a number of string is the reuslt of a + process we call "random." If done algorithimically, and + deterministically, we call this process "pseudo-random." + (And pseudorandom is usually more valuable than "really + random" because we want to be able to generate the same + sequence repeatedly, to repeat experiments, etc.) + 5.4.17. Other crypto and hash programs + + MDC, a stream cipher + - Peter Gutman, based on NIST Secure Hash Algorithm + - uses longer keys than IDEA, DES + - MD5 + - Blowfish + - DolphinEncrypt + 5.4.18. RSA strength + - casual grade, 384 bits, 100 MIPS-years (Paul Leyland, 3-31- + 94) + - RSA-129, 425 bits, 4000 MIPS-years + - 512 bits...20,000 MIPS-years + - 1024 bits... + 5.4.19. Triple DES + - "It involves three DES cycles, in encrypt-decrypt-encrypt + order. THe keys used may be either K1/K2/K3 or K1/K2/K1. + The latter is sometimes caled "double-DES". Combining + two DES operations like this requires twice as much work to + break as one DES, and a lot more storage. If you have the + storage, it just adds one bit to the effective key size. " + [Colin Plumb, colin@nyx10.cs.du.edu, sci.crypt, 4-13-94] + 5.4.20. Tamper-resistant modules (TRMs) (or tamper-responding) + + usually "tamper-indicating", a la seals + - very tough to stop tampering, but relatively easy to see + if seal has been breached (and then not restored + faithfully) + - possession of the "seal" is controlled...this is the + historical equivalent to the "private key" in a digital + signature system, with the technological difficulty of + forging the seal being the protection + + usually for crypto. keys and crypto. processing + - nuclear test monitoring + - smart cards + - ATMs + + one or more sensors to detect intrusion + - vibration (carborundum particles) + - pressure changes (a la museum display cases) + - electrical + - stressed-glass (Corning, Sandia) + + test ban treaty verification requires this + - fiber optic lines sealing a missile... + - scratch patterns... + - decals.... + + Epoxy resins + - a la Intel in 1970s (8086) + + Lawrence Livermore: "Connoisseur Project" + - gov't agencies using this to protect against reverse + engineering, acquisition of keys, etc. + + can't stop a determined effort, though + - etches, solvents, plasma ashing, etc. + - but can cause cost to be very high (esp. if resin + formula is varied frequently, so that "recipe" can't be + logged) + + can use clear epoxy with "sparkles" in the epoxy and + careful 2-position photography used to record pattern + - perhaps with a transparent lid? + + fiber optic seal (bundle of fibers, cut) + - bundle of fibers is looped around device, then sealed and + cut so that about half the fibers are cut; the pattern of + lit and + unlit fibers is a signature, and is extremely difficult + to reproduce + - nanotechnology may be used (someday) + 5.4.21. "What are smart cards?" + - Useful for computer security, bank transfers (like ATM + cards), etc. + - may have local intelligence (this is the usual sense) + - microprocessors, observor protocol (Chaum) + + Smart cards and electronic funds transfer + - Tamper-resistant modules + + Security of manufacturing + - some variant of "cut-and-choose" inspection of + premises + + Uses of smart cards + - conventional credit card uses + - bill payment + - postage + - bridge and road tolls + - payments for items received electronically (not + necessarily anonymously) + + 5.5. Cryptology-Technical, Mathematical + 5.5.1. Historical Cryptography + + Enigma machines + - cracked by English at Bletchley Park + - a secret until mid-1970s + + U.K. sold hundreds of seized E. machines to embassies, + governments, even corporations, in late 1940s, early + 1950s + - could then crack what was being said by allies + + Hagelin, Boris (?) + - U.S. paid him to install trapdoors, says Kahn + + his company, Crypto A.G., was probably an NSA front + company + - Sweden, then U.S., then Sweden, then Zug + - rotor systems cracked + 5.5.2. Public-key Systems--HISTORY + + Inman has admitted that NSA had a P-K concept in 1966 + - fits with Dominik's point about sealed cryptosystem boxes + with no way to load new keys + - and consistent with NSA having essentially sole access to + nation's top mathematicians (until Diffies and Hellmans + foreswore government funding, as a result of the anti- + Pentagon feelings of the 70s) + - Merkle's "puzzle" ideas, circa mid-70s + - Diffie and Hellman + - Rivest, Shamir, and Adleman + 5.5.3. RSA and Alternatives to RSA + + RSA and other P-K patents are strangling development and + dissemination of crypto systems + - perhaps out of marketing stupidity, perhaps with the help + of the government (which has an interest in keeping a + monopoly on secure encryption) + + One-way functions and "deposit-only envelopes" + - one-way functions + - deposit-only envelopes: allow additions to envelopes and + only addressee can open + - hash functions are easy to implement one-way functions + (with no need for an inverse) + 5.5.4. Digital Signatures + + Uses of Digital Signatures + - Electronic Contracts + - Voting + - Checks and other financial instruments (similar to + contracts) + - Date-stamped Transactions (augmenting Notary Publics) + - Undeniable digital signatures + + Unforgeable signatures, even with unlimited computational + power, can be achieved if the population is limited (a + finite set of agents) + - using an untraceable sending protocol, such as "the + Dining Cryptographers Problem" of Chaum + 5.5.5. Randomness and incompressibility + + best definition we have is due to Chaitin and Kolmogoroff: + a string or any structure is "random" if it has no shorter + description of itself than itself. + - (Now even specific instances of "randomly generated + strings" sometimes will be compressible--but not very + often. Cf. the works of Chaitin and others for more on + these sorts of points.) + 5.5.6. Steganography: Methods for Hiding the Mere Existence of + Encrypted Data + + in contrast to the oft-cited point (made by crypto purists) + that one must assume the opponent has full access to the + cryptotext, some fragments of decrypted plaintext, and to + the algorithm itself, i.e., assume the worst + - a condition I think is practically absurd and unrealistic + - assumes infinite intercept power (same assumption of + infinite computer power would make all systems besides + one-time pads breakable) + - in reality, hiding the existence and form of an encrypted + message is important + + this will be all the more so as legal challenges to + crypto are mounted...the proposed ban on encrypted + telecom (with $10K per day fine), various governmental + regulations, etc. + - RICO and other broad brush ploys may make people very + careful about revealing that they are even using + encryption (regardless of how secure the keys are) + + steganography, the science of hiding the existence of + encrypted information + - secret inks + - microdots + - thwarting traffic analysis + - LSB method + + Packing data into audio tapes (LSB of DAT) + + LSB of DAT: a 2GB audio DAT will allow more than 100 + megabytes in the LSBs + - less if algorithms are used to shape the spectrum to + make it look even more like noise + - but can also use the higher bits, too (since a real- + world recording will have noise reaching up to perhaps + the 3rd or 4th bit) + + will manufacturers investigate "dithering" circuits? + (a la fat zero?) + - but the race will still be on + + Digital video will offer even more storage space (larger + tapes) + - DVI, etc. + - HDTV by late 1990s + + Messages can be put into GIFF, TIFF image files (or even + noisy faxes) + - using the LSB method, with a 1024 x 1024 grey scale image + holding 64KB in the LSB plane alone + - with error correction, noise shaping, etc., still at + least 50KB + - scenario: already being used to transmit message through + international fax and image transmissions + + The Old "Two Plaintexts" Ploy + - one decoding produces "Having a nice time. Wish you were + here." + - other decoding, of the same raw bits, produces "The last + submarine left this morning." + - any legal order to produce the key generates the first + message + + authorities can never prove-save for torture or an + informant-that another message exists + - unless there are somehow signs that the encrypted + message is somehow "inefficiently encrypted, suggesting + the use of a dual plaintext pair method" (or somesuch + spookspeak) + - again, certain purist argue that such issues (which are + related to the old "How do you know when to stop?" + question) are misleading, that one must assume the + opponent has nearly complete access to everything except + the actual key, that any scheme to combine multiple + systems is no better than what is gotten as a result of + the combination itself + - and just the overall bandwidth of data... + + Several programs exist: + - Stego + - etc. (described elsewhere) + 5.5.7. The Essential Impossibility of Breaking Modern Ciphers and + Codes + - this is an important change from the past (and from various + thriller novels that have big computers cracking codes) + - granted, "unbreakable" is a misleading term + + recall the comment that NSA has not really broken any + Soviet systems in many years + - except for the cases, a la the Walker case, where + plaintext versions are gotten, i.e., where human screwups + occurred + - the image in so many novels of massive computers breaking + codes is absurd: modern ciphers will not be broken (but the + primitive ciphers used by so many Third World nations and + their embassies will continue to be child's play, even for + high school science fair projects...could be a good idea + for a small scene, about a BCC student who has his project + pulled) + + But could novel computational methods crack these public + key ciphers? + + some speculative candidates + + holographic computers, where large numbers are + factored-or at least the possibilities are somehown + narrowed-by using arrays that (somehow) represent the + numbers to be factored + - perhaps with diffraction, channeling, etc. + - neural networks and evolutionary systems (genetic + algorithms) + - the idea is that somehow the massive computations can be + converted into something that is inherently parallel + (like a crystal) + + hyperspeculatively: finding the oracle for these problems + using nonconventional methods such as ESP and lucid + dreaming + - some groups feel this is worthwhile + 5.5.8. Anonymous Transfers + - Chaum's digital mixes + - "Dining Cryptographers" + + can do it with exchanged diskettes, at a simple level + - wherein each person can add new material + + Alice to Bob to Carol....Alice and Carol can conspire to + determine what Bob had added, but a sufficient "mixing" + of bits and pieces is possible such that only if + everybody conspires can one of the participants be caught + - perhaps the card-shuffling results? + + may become common inside compute systems... + - by this vague idea I mean that various new OS protocols + may call for various new mechanisms for exchanging + information + 5.5.9. Miscellaneous Abstract Ideas + - can first order logic predicates be proven in zero + knowledge? + - Riemannn hypothesis + + P = NP? + - would the universe change? + - Smale has shown that if the squares have real numbers in + them, as opposed to natural numbers (integers), then P = + NP; perhaps this isn't surprising, as a real implies sort + of a recursive descent, with each square having unlimited + computer power + + oracles + - speculatively, a character asks if Tarot cards, etc., + could be used (in addition to the normal idea that such + devices help psychologically) + - "a cascade of changes coming in from hundreds of + decimal places out" + + Quantum cryptography + - bits can be exchanged-albeit at fairly low + efficiencies-over a channel + - with detection of taps, via the change of polarizations + + Stephen Wiesner wrote a 1970 paper, half a decade before + the P-K work, which outlined this-not published until + much later + - speculate that the NSA knew about this and quashed the + publication + + But could novel computational methods crack these public + key ciphers? + + some speculative candidates + + holographic computers, where large numbers are + factored-or at least the possibilities are somehown + narrowed-by using arrays that (somehow) represent the + numbers to be factored + - perhaps with diffraction, channeling, etc. + - neural networks and evolutionary systems (genetic + algorithms) + - the idea is that somehow the massive computations can be + converted into something that is inherently parallel + (like a crystal) + + hyperspeculatively: finding the oracle for these problems + using nonconventional methods such as ESP and lucid + dreaming + - some groups feel this is worthwhile + - links to knot theory + - "cut and choose" protocols (= zero knowledge) + + can a "digital coin" be made? + - this is formally similar to the idea of an active agent + that is unforgeable, in the sense that the agent or coin + is "standalone" + + bits can always be duplicated (unless tied to hardware, + as with TRMs), so must look elsewhere + + could tie the bits to a specific location, so that + duplication would be obvious or useless + - the idea is vaguely that an agent could be placed in + some location...duplications would be both detectable + and irrelevant (same bits, same behavior, + unmodifiable because of digital signature) + + coding theory and cryptography at the "Discrete + Mathematics" + - http://www.win.tue.nl/win/math/dw/index.html + 5.5.10. Tamper-resistant modules (TRMs) (or tamper-responding) + + usually "tamper-indicating", a la seals + - very tough to stop tampering, but relatively easy to see + if seal has been breached (and then not restored + faithfully) + - possession of the "seal" is controlled...this is the + historical equivalent to the "private key" in a digital + signature system, with the technological difficulty of + forging the seal being the protection + + usually for crypto. keys and crypto. processing + - nuclear test monitoring + - smart cards + - ATMs + + one or more sensors to detect intrusion + - vibration (carborundum particles) + - pressure changes (a la museum display cases) + - electrical + - stressed-glass (Corning, Sandia) + + test ban treaty verification requires this + - fiber optic lines sealing a missile... + - scratch patterns... + - decals.... + + Epoxy resins + - a la Intel in 1970s (8086) + + Lawrence Livermore: "Connoisseur Project" + - gov't agencies using this to protect against reverse + engineering, acquisition of keys, etc. + + can't stop a determined effort, though + - etches, solvents, plasma ashing, etc. + - but can cause cost to be very high (esp. if resin + formula is varied frequently, so that "recipe" can't be + logged) + + can use clear epoxy with "sparkles" in the epoxy and + careful 2-position photography used to record pattern + - perhaps with a transparent lid? + + fiber optic seal (bundle of fibers, cut) + - bundle of fibers is looped around device, then sealed and + cut so that about half the fibers are cut; the pattern of + lit and + unlit fibers is a signature, and is extremely difficult + to reproduce + - nanotechnology may be used (someday) + + 5.6. Crypto Programs and Products + 5.6.1. PGP, of course + - it's own section, needless to say + 5.6.2. "What about hardware chips for encryption?" + - Speed can be gotten, for sure, but at the expense of + limiting the market dramatically. Good for military uses, + not so good for civilian uses (especially as most civilians + don't have a need for high speeds, all other things being + equal). + 5.6.3. Carl Ellison's "tran" and mixing various ciphers in chains + - "tran.shar is available at ftp.std.com:/pub/cme + - des | tran | des | tran | des + - to make the job of the attacker much harder, and to make + differential cryptanalyis harder + - "it's in response to Eli's paper that I advocated prngxor, + as in: + des | prngxor | tran | des | tran | des + with the DES instances in ECB mode (in acknowledgement of + Eli's attack). The prngxor destroys any patterns from the + input, which was the purpose of CBC, without using the + feedback path which Eli exploited."[ Carl Ellison, 1994-07- + 15] + 5.6.4. The Blum-Blum-Shub RNG + - about the strongest algorithmic RNG we know of, albeit slow + (if they can predict the next bit of BBS, they can break + RSA, so.... + - ripem.msu.edu:/pub/crypt/other/blum-blum-shub-strong- + randgen.shar + 5.6.5. the Blowfish cipher + + BLOWFISH.ZIP, written by Bruce Schneier,1994. subject of an + article in Dr. Dobb's Journal: + - ftp.dsi.unimi.it:/pub/security/crypt/code/schneier- + blowfish.c.gz + + 5.7. Related Ideas + 5.7.1. "What is "blinding"?" + + This is a basic primitive operation of most digital cash + systems. Any good textbook on crypto should explain it, and + cover the math needed to unerstand it in detail. Several + people have explained it (many times) on the list; here's a + short explanation by Karl Barrus: + - "Conceptually, when you blind a message, nobody else can + read it. A property about blinding is that under the + right circumstances if another party digitally signs a + blinded message, the unblinded message will contain a + valid digital signature. + + "So if Alice blinds the message "I owe Alice $1000" so + that it reads (say) "a;dfafq)(*&" or whatever, and Bob + agrees to sign this message, later Alice can unblind the + message Bob signed to retrieve the original. And Bob's + digital signature will appear on the original, although + he didn't sign the original directly. + + "Mathematically, blinding a message means multiplying it + by a number (think of the message as being a number). + Unblinding is simply dividing the original blinding + factor out." [Karl Barrus, 1993-08-24] + + And another explanation by Hal Finney, which came up in the + context of how to delink pharmacy prescriptions from + personal identity (fears of medial dossiers(: + - "Chaum's "blinded credential" system is intended to solve + exactly this kind of problem, but it requires an + extensive infrastructure. There has to be an agency + where you physically identify yourself. It doesn't have + to know anything about you other than some physical ID + like fingerprints. You and it cooperate to create + pseudonyms of various classes, for example, a "go to the + doctor" pseudonym, and a "go to the pharmacy" pseudonym. + These pseudonyms have a certain mathematical relationship + which allows you to re-blind credentials written to one + pseudonym to apply to any other. But the agency uses + your physical ID to make sure you only get one pseudonym + of each kind....So, when the doctor gives you a + prescription, that is a credential applied to your "go to + the doctor" pseudonym. (You can of course also reveal + your real name to the doctor if you want.) Then you show + it at the pharmacy using your "go to the pharmacy" + pseudonym. The credential can only be shown on this one + pseudonym at the pharamacy, but it is unlinkable to the + one you got at the doctor's. " [Hal Finney, 1994-09-07] + 5.7.2. "Crypto protocols are often confusing. Is there a coherent + theory of these things?" + - Yes, crypto protocols are often expressed as scenarios, as + word problems, as "Alice and Bob and Eve" sorts of + complicated interaction protocols. Not exactly game theory, + not exactly logic, and not exactly anything else in + particular...its own area. + - Expert systems, proof-of-correctness calculi, etc. + - spoofing, eavesdropping, motivations, reputations, trust + models + + In my opinion, much more work is needed here. + - Graphs, agents, objects, capabilities, goals, intentions, + logic + - evolutionary game theory, cooperation, defection, tit-for- + tat, ecologies, economies + - mostly ignored, to date, by crypto community + 5.7.3. The holder of a key *is* the person, basically + - that's the bottom line + - those that worry about this are free to adopt stronger, + more elaborate systems (multi-part, passphrases, biometric + security, limits on account access, etc.) + - whoever has a house key is essentially able to gain access + (not saying this is the legal situation, but the practical + one) + 5.7.4. Strong crypto is helped by huge increases in processor power, + networks + + Encryption *always wins out* over cryptanalysis...gap grows + greater with time + - "the bits win" + + Networks can hide more bits...gigabits flowing across + borders, stego, etc. + - faster networks mean more "degrees of freedom," more + avenues to hide bits in, exponentially increasing efforts + to eavesdrop and track + - (However, these additional degrees of freedome can mean + greater chances for slipping up and leaving clues that + allow correlation. Complexity can be a problem.) + + "pulling the plug" hurts too much...shuts down world + economy to stop illegal bits ("naughty bits"?) + - one of the main goals is to reach the "point of no + return," beyond which pulling the plug hurts too much + - this is not to say they won't still pull the plug, damage + be damned + 5.7.5. "What is the "Diffie-Hellman" protocol and why is it + important?" + + What it is + - Diffie-Hellman, first described in 1976, allows key + exchange over insecure channels. + + Steve Bellovin was one of several people to explaine D-H + to the list (every few months someone does!). I'm + including his explanation, despite its length, to help + readers who are not cryptologists get some flavor of the + type of math involved. The thing to notice is the use of + *exponentiations* and *modular arithmetic* (the "clock + arithmetic" of our "new math" childhoods, except with + really, really big numbers!). The difficulty of inverting + the exponention (the discrete log problem) is what makes + this a cryptographically interesting approach. + - "The basic idea is simple. Pick a large number p + (probably a prime), and a base b that is a generator of + the group of integers modulo p. Now, it turns out that + given a known p, b, and (b^x) mod p, it's extremely + hard to find out x. That's known as the discrete log + problem. + + "Here's how to use it. Let two parties, X and Y, pick + random numbers x and y, 1 < x,y < p. They each + calculate + + (b^x) mod p + + and + + (b^y) mod p + + and transmit them to each other. Now, X knows x and + (b^y) mod p, so s/he can calculate (b^y)^x mod p = + (b^(xy)) mod p. Y can do the same calculation. Now + they both know (b^(xy)) mod p. But eavesdroppers know + only (b^x) mod p and (b^y) mod p, and can't use those + quantities to recover the shared secret. Typically, of + course, X and Y will use that shared secret as a key to + a conventional cryptosystem. + + "The biggest problem with the algorithm, as outlined + above, is that there is no authentication. An attacker + can sit in the middle and speak that protocol to each + legitimate party. + + "One last point -- you can treat x as a secret key, and + publish + (b^X) mod p as a public key. Proof is left as an + exercise for + the reader." [Steve Bellovin, 1993-07-17] + - Why it's important + + Using it + + Matt Ghio has made available Phil Karn's program for + generating numbers useful for D-H: + - ftp cs.cmu.edu: + /afs/andrew.cmu.edu/usr12/mg5n/public/Karn.DH.generator + + Variants and Comments + + Station to Station protocol + - "The STS protocol is a regular D-H followed by a + (delicately designed) exchange of signatures on the key + exchange parameters. The signatures in the second + exchange that they can't be separated from the original + parameters.....STS is a well-thought out protocol, with + many subtleties already arranged for. For the issue at + hand, though, which is Ethernet sniffing, it's + authentication aspects are not required now, even + though they certainly will be in the near future." + [Eric Hughes, 1994-02-06] + 5.7.6. groups, multiple encryption, IDEA, DES, difficulties in + analyzing + 5.7.7. "Why and how is "randomness" tested?" + - Randomness is a core concept in cryptography. Ciphers often + fail when things are not as random as designers thought + they would be. + - Entropy, randomness, predictablility. Can never actually + _prove_ a data set is random, though one can be fairly + confident (cf. Kolmogorov-Chaitin complexity theory). + - Still, tricks can make a random-looking text block look + regular....this is what decryption does; such files are + said to be cryptoregular. + + As to how much testing is needed, this depends on the use, + and on the degree of confidence needed. It may take + millions of test samples, or even more, to establish + randomness in set of data. For example: + - "The standard tests for 'randomness' utilized in govt + systems requires 1X10^6 samples. Most of the tests are + standard probability stuff and some are classified. " + [Wray Kephart, sci.crypt, 1994-08-07] + - never assume something is really random just becuase it + _looks_ random! (Dynamic Markov compressors can find + nonrandomness quickly.) + 5.7.8. "Is it possible to tell if a file is encrypted?" + - Not in general. Undecideability and all that. (Can't tell + in general if a virus exists in code, Adleman showed, and + can't tell in general if a file is encrypted, compressed, + etc. Goes to issues of what we mean by encrypted or + compressed.) + + Sometimes we can have some pretty clear signals: + - headers are attached + - other characteristic signs + - entropy per character + + But files encrypted with strong methods typically look + random; in fact, randomness is closely related to + encyption. + + regularity: all symbols represented equally, in all bases + (that is, in doubles, triples, and all n-tuples) + - "cryptoregular" is the term: file looks random + (regular) until proper key is applied, then the + randomness vaDCharles Bennett, "Physics of Computation + Workshop," 1993] + - "entropy" near the maximum (e.g., near 6 or 7 bits per + character, whereas ordinary English has roughly 1.5-2 + bits per character of entropy) + 5.7.9. "Why not use CD-ROMs for one-time pads?" + - The key distribution problem, and general headaches. Theft + or compromise of the keying material is of course the + greatest threat. + - And one-time pads, being symmetric ciphers, give up the + incredible advantages of public key methods. + - "CD ROM is a terrible medium for the OTP key stream. + First, you want exactly two copies of the random stream. + CD ROM has an economic advantage only for large runs. + Second, you want to destroy the part of the stream already + used. CD ROM has no erase facilities, outside of physical + destruction of the entire disk." [Bryan G. Olson, + sci.crypt, 1994-08-31] + - If you have to have a one-time pad, a DAT makes more sense; + cheap, can erase the bits already used, doesn't require + pressing of a CD, etc. (One company claims to be selling CD- + ROMs as one-time pads to customers...the security problems + here should be obvious to all.) + + 5.8. The Nature of Cryptology + 5.8.1. "What are the truly basic, core, primitive ideas of + cryptology, crypto protocols, crypto anarchy, digital cash, + and the things we deal with here?" + - I don't just mean things like the mechanics of encryption, + but more basic conceptual ideas. + 5.8.2. Crypto is about the creation and linking of private spaces... + 5.8.3. The "Core" Ideas of Cryptology and What we Deal With + - Physics has mass, energy, force, momentum, angular + momentum, gravitation, friction, the Uncertainty Principle, + Complementarity, Least Action, and a hundred other such + concepts and prinicples, some more basic than others. Ditto + for any other field. + + It seems to many of us that crypto is part of a larger + study of core ideas involving: identity, proof, complexity, + randomness, reputations, cut-and-choose protocols, zero + knowledge, etc. In other words, the buzzwords. + - But which of these are "core" concepts, from which others + are derived? + - Why, for example, do the "cut-and-choose" protocols work + so well, so fairly? (That they do has been evident for a + long time, and they literally are instances of Solomonic + wisdom. Game theory has explanations in terms of payoff + matrices, Nash equilibria, etc. It seems likely to me + that the concepts of crypto will be recast in terms of a + smaller set of basic ideas taken from these disparate + fields of economics, game theory, formal systems, and + ecology. Just my hunch.) + + statements, assertions, belief, proof + - "I am Tim" + + possession of a key to a lock is usually treated as proof + of... + - not always, but that's the default assumption, that + someone who unlocks a door is one of the proper + people..access privileges, etc. + 5.8.4. We don't seem to know the "deep theory" about why certain + protocols "work." For example, why is "cut-and-choose," where + Alice cuts and Bob chooses (as in fairly dividing a pie), + such a fair system? Game theory has a lot to do with it. + Payoff matrices, etc. + - But many protocols have not been fully studied. We know + they work, but I think we don't know fully why they work. + (Maybe I'm wrong here, but I've seen few papers looking at + these issues in detail.) + - Economics is certainly crucial, and tends to get overlooked + in analysis of crypto protocols....the various "Crypto + Conference Proceedings" papers typically ignore economic + factors (except in the area of measuring the strength of a + system in terms of computational cost to break). + - "All crypto is economics." + - We learn what works, and what doesn't. My hunch is that + complex crypto systems will have emergent behaviors that + are discovered only after deployment, or good simulation + (hence my interest in "protocol ecologies"). + 5.8.5. "Is it possible to create ciphers that are unbreakable in any + amount of time with any amount of computer power?" + + Information-theoretically secure vs. computationally-secure + + not breakable even in principle, e.g., a one-time pad + with random characters selected by a truly random process + (die tosses, radioactive decay, certain types of noise, + etc.) + - and ignoring the "breakable by break-ins" approach of + stealing the one-time pad, etc. ("Black bag + cryptography") + - not breakable in "reasonable" amounts of time with + computers + - Of course, a one-time pad (Vernam cipher) is theoretically + unbreakable without the key. It is "information- + theoretically secure." + - RSA and similar public key algorithms are said to be only + "computationally-secure," to some level of security + dependent on modulus lenght, computer resources and time + available, etc. Thus, given enough time and enough computer + power, these ciphers are breakable. + - However, they may be practically impossible to break, given + the amount of energy in the universe.Not to split universes + here, but it is interesting to consider that some ciphers + may not be breakable in _our_ universe, in any amount of + time. Our universe presumably has some finite number of + particles (currently estimated to be 10^73 particles). This + leads to the "even if every particle were a Cray Y-MP it + would take..." sorts of thought experiments. + + But I am considering _energy_ here. Ignoring reversible + computation for the moment, computations dissipate energy + (some disagree with this point). There is some uppper limit + on how many basic computations could ever be done with the + amount of free energy in the universe. (A rough calculation + could be done by calculating the energy output of stars, + stuff falling into black holes, etc., and then assuming + about kT per logical operation. This should be accurate to + within a few orders of magnitude.) I haven't done this + calculation, and won't today, but the result would likely + be something along the lines of X joules of energy that + could be harnessed for computation, resulting in Y basic + primitive computational steps. + + I can then find a modulus of 3000 digits or 5000 digits, or + whatever,that takes more than this number of steps to + factor. + + Caveats: + + 1. Maybe there are really shortcuts to factoring. Certainly + improvements in factoring methods will continue. (But of + course these improvements are not things that convert + factoring into a less than exponential-in-length + problem...that is, factoring appears to remain "hard.") + + 2. Maybe reversible computations (a la Landauer, Bennett, + et. al.) actually work. Maybe this means a "factoring + machine" can be built which takes a fixed, or very slowly + growing, amount of energy. + + 3. Maybe the quantum-mechanical idea of Shore is possible. + (I doubt it, for various reasons.) + + I continue to find it useful to think of very large numbers + as creating "force fields" or "bobbles" (a la Vinge) around + data. A 5000-decimal-digit modulus is as close to being + unbreakable as anything we'll see in this universe. + + 5.9. Practical Crypto + 5.9.1. again, this stuff is covered in many of the FAQs on PGP and + on security that are floating around... + 5.9.2. "How long should crypto be valid for?" + + That is, how long should a file remain uncrackable, or a + digital signature remain unforgeable? + - probabalistic, of course, with varying confidence levels + - depends on breakthroughs, in math and in computer power + + Some messages may only need to be valid for a few days or + weeks. Others, for decades. Certain contracts may need to + be unforgeable for many decades. And given advances in + computer power, what appears to be a strong key today may + fail utterly by 2020 or 2040. (I'm of course not + suggesting that a 300- or 500-digit RSA modulus will be + practical by then.) + + many people only need security for a matter of months or + so, while others may need it (or think they need it) for + decades or even for generations + - they may fear retaliation against their heirs, for + example, if certain communications were ever made + public + - "If you are signing the contract digitally, for instance, + you would want to be sure that no one could forge your + signature to change the terms after the fact -- a few + months isn't enough for such purposes, only something that + will last for fifteen or twenty years is okay." [Perry + Metzger, 1994-07-06] + 5.9.3. "What about commercial encryption programs for protecting + files?" + - ViaCrypt, PGP 2.7 + - Various commercial programs have existed for years (I got + "Sentinel" back in 1987-8...long since discontinued). Check + reviews in the leading magazines. + + Kent Marsh, FolderBolt for Macs and Windows + - "The best Mac security program....is CryptoMactic by Kent + Marsh Ltd. It uses triple-DES in CBC mode, hashes an + arbitrary-length password into a key, and has a whole lot + of Mac-interface features. (The Windows equivalent is + FolderBolt for Windows, by the way.)" [Bruce Schneier, + sci.crypt, 1994-07-19] + 5.9.4. "What are some practical steps to take to improve security?" + - Do you, like most of us, leave backup diskettes laying + around? + - Do you use multiple-pass erasures of disks? If not, the + bits may be recovered. + - (Either of these can compromise all encrypted material you + have, all with nothing more than a search warrant of your + premises.) + 5.9.5. Picking (and remembering) passwords + - Many of the issues here also apply to choosing remailers, + etc. Things are often trickier than they seem. The + "structure" of these spaces is tricky. For example, it may + seem really sneaky (and "high entropy" to permute some + words in a popular song and use that as a pass + phrase....but this is obviously worth only a few bits of + extra entropy. Specifically, the attacker will like take + the thousand or so most popular songs, thousand or so most + popular names, slogans, speeches, etc., and then run many + permutations on each of them. + - bits of entropy + - lots of flaws, weaknesses, hidden factors + - avoid simple words, etc. + - hard to get 100 or more bits of real entropy + - As Eli Brandt puts it, "Obscurity is no substitute for + strong random numbers." [E.B., 1994-07-03] + - Cryptanalysis is a matter of deduction, of forming and + refining hypotheses. For example, the site + "bitbucket@ee.und.ac.za" is advertised on the Net as a + place to send "NSA food" to...mail sent to it gets + discarded. So , a great place to send cover traffic to, no? + No, as the NSA will mark this site for what it is and its + usefulness is blown. (Unless its usefulness is actually + something else, in which case the recursive descent has + begun.) + - Bohdan Tashchuk suggests [1994-07-04] using telephone-like + numbers, mixed in with words, to better fit with human + memorization habits; he notes that 30 or more bits of + entropy are routinely memorized this way. + 5.9.6. "How can I remember long passwords or passphrases?" + - Lots of security articles have tips on picking hard-to- + guess (high entropy) passwords and passphrases. + + Just do it. + - People can learn to memorize long sequences. I'm not good + at this, but others apparently are. Still, it seems + dangerous, in terms of forgetting. (And writing down a + passphrase may be vastly more risky than a shorter but + more easily memorized passphrase is. I think theft + of keys and keystroke capturing on compromised machines + are much + more important practical weaknesses.) + + The first letters of long phrases that have meaning only to + the owner. + - e.g., "When I was ten I ate the whole thing."---> + "wiwtiatwt" (Purists will quibble that prepositional + phrases like "when i was" have lower entropy. True, but + better than "Joshua.") + + Visual systems + - Another approach to getting enough entropy in + passwords/phrases is a "visual key" where one mouses from + position to position in a visual environment. That is, + one is presented with a scene containg some number of + nodes, perhaps representing familiar objects from one's + own home, and a path is chosen. The advantage is that + most people can remember fairly complicated + (read: high entropy) "stories." Each object triggers a + memory of the next object to visit. (Example: door to + kitchen to blender to refrigerator to ..... ) This is the + visual memory system said to be favored by Greek epic + poets. This also gets around the keyboard-monitoring + trick (but not necessarily the CRT-reading trick, of + course). + + + It might be an interesting hack to offer this as a front + end for PGP. Even a simple grid of characters which could + be moused on could be an assist in using long + passphrases. + + 5.10. DES + 5.10.1. on the design of DES + - Biham and Shamir showed how "differential cryptanalyis" + could make the attack easier than brute-force search of the + 2^56 keyspace. Wiener did a thought experiment design of a + "DES buster" machine (who ya gonna call?) that could break + a DES key in a matter of days. (Similar to the Diffie and + Hellman analysis of the mid-70s, updated to current + technology.) + + The IBM designers knew about differential cryptanalyis, it + is now clear, and took steps to optimize DES. After Shamir + and Biham published, Don Coppersmith acknowledged this. + He's written a review paper: + - Coppersmith, D., "The Data Encryption Standard (DES) and + its strength against attacks." IBM Journal of Research + and Development. 38(3): 243-250. (May 1994) + + 5.11. Breaking Ciphers + 5.11.1. This is not a main Cypherpunks concern, for a variety of + reasons (lots of work, special expertise, big machines, not a + core area, ciphers always win in the long run). Breaking + ciphers is something to consider, hence this brief section. + 5.11.2. "What are the possible consequences of weaknesses in crypto + systems?" + - maybe reading messages + - maybe forging messages + - maybe faking timestamped documents + - maybe draining a bank account in seconds + - maybe winning in a crypto gambling system + - maybe matters of life and death + 5.11.3. "What are the weakest places in ciphers, practically + speaking?" + - Key management, without a doubt. People leave their keys + lying around , write down their passphrases. etc. + 5.11.4. Birthday attacks + 5.11.5. For example, at Crypto '94 it was reported in a rump session + (by Michael Wiener with Paul van Oorschot) that a machine to + break the MD5 ciphers could be built for about $10 M (in 1994 + dollars, of course) and could break MD5 in about 20 days. + (This follows the 1993 paper on a similar machine to break + DES.) + - Hal Finney did some calculations and reported to us: + - "I mentioned a few days ago that one of the "rump session" + papers at the crypto conference claimed that a machine + could be built which would find MD5 collisions for $10M in + about 20 days.....The net result is that we have taken + virtually no more time (the 2^64 creations of MD5 will + dominate) and virtually no space (compared to 2^64 stored + values) and we get the effect of a birthday attack. This + is another cautionary data point about the risks of relying + on space costs for security rather than time costs." [Hal + Finney, 1994-09-09] + 5.11.6. pkzip reported broken + - "I finally found time to take a closer look at the + encryption algorithm by Roger Schlafly that is used in + PKZIP and have developed a practical known plaintext attack + that can find the entire 96-bit internal state." [Paul Carl + Kocher, comp.risks, 1994-09-04] + 5.11.7. Gaming attacks, where loopholes in a system are exploited + - contests that are defeated by automated attacks + - the entire legal system can be viewed this way, with + competing teams of lawyers looking for legal attacks (and + the more complex the legal code, the more attacks can be + mounted) + - ecologies, where weaknesses are exploited ruthlessly, + forcing most species into extinction + - economies, ditto, except must faster + - the hazards for crypto schemes are clear + + And there are important links to the issue of overly formal + systems, or systems in which ordinary "discretion" and + "choice" is overridden by rules from outside + - as with rules telling employers in great detail when and + how they can discharge employees (cf. the discussion of + "reasonable rules made mandatory," elsewhere) + - such rules get exploited by employees, who follow the + "letter of the law" but are performing in a way + unacceptable to the employer + - related to "locality of reference" points, in that + problem should be resolved locally, not with intervention + from afar. + - things will never be perfect, from the perspetive of all + parties, but meddling from outside makes things into a + game, the whole point of this section + + Implications for digital money: overly complex legal + systems, without the local advantages of true cash (settled + locally) + + may need to inject some supra-legal enforcement + mechanisms into the system, to make it converge + - offshore credit databases, beyond reach of U.S. and + other laws + + physical violence (one reason people don't "play games" + with Mafia, Triads, etc., is that they know the + implications) + - it's not unethical, as I see it, for contracts in + which the parties understand that a possible or even + likely consequence of their failure to perform is + death + 5.11.8. Diffie-Hellman key exchange vulnerabilities + - "man-in-the-midle" attack + + phone systems use voice readback of LCD indicated number + - as computer power increases, even _this_ may be + insufficient + 5.11.9. Reverse engineering of ciphers + - A5 code used in GSM phones was reverse engineered from a + hardware description + - Graham Toal reports (1994-07-12) that GCHQ blocked a public + lectures on this + + 5.12. Loose Ends + 5.12.1. "Chess Grandmaster Problem" and other Frauds and Spoofs + - of central importance to proofs of identity (a la Fiat- + Shamir) + - "terrorist" and "Mafia spoof" problems