Introduction to Cryptography
Sep 8, 2006
Until recently, cryptography was a subject of interest mainly to government agencies, the military, banks and multinational corporations. Research and development in this area was aimed chiefly at delivering vital messages without their being understood by interceptors. As we move into an information society, cryptography now touches everyone's life. It has become one of the main tools of privacy, trust, access control, electronic payments, corporate security and countless other fields.
The history of cryptography is 4000 years old and can be traced to the hieroglyphs of early Egyptian civilization. It played a crucial role in both World Wars. Cryptanalysis, the art of breaking cryptographic messages (called ciphers), was also developed, and played an equal role in World War II.
In earlier days the secrecy of cryptographic messages depended upon the secrecy of the algorithms. The strength of these systems therefore depended on their implementation, and an algorithm can be reverse-engineered, particularly if it is implemented in software. In modern cryptosystems everyone knows the algorithm, and the secrecy depends on keys: random numbers used to encrypt the message, or plaintext. The most commonly used type of cryptosystem in use today is the Data Encryption Standard (DES), developed by the National Institute of Standards and Technology (NIST), USA, based on a cryptosystem by Horst Feistel, a scientist at IBM Corporation. DES is known as a symmetric (or secret-key) algorithm, as it uses the same key for encryption and decryption. The encryption is performed by a series of permutations, expansions, and bit-slice operations, which makes it tough for an attacker to decipher the message. Nevertheless, DES was broken in 1998 with modern computers that can perform an exhaustive key search easily. A variant of DES, Triple DES (3DES), applies DES three times in an encrypt-decrypt-encrypt sequence with three different, unrelated keys. Triple DES is arguably stronger than DES; however, it is rather slow compared to some newer cryptosystems.
In response to the growing feasibility of attacks against DES, NIST began coordinating the development of a successor, to be called the Advanced Encryption Standard (AES). AES will use a more complex algorithm and a 128-bit key instead of the 64-bit key of DES (actually 56 bits, excluding parity bits). Another algorithm, IDEA (International Data Encryption Algorithm), also uses a 128-bit key and is considered secure. It has been around for several years and no practical attacks on it have been published, despite numerous attempts to analyze it.
A different type of cryptosystem was developed in the meantime, generally known as public-key cryptography, using asymmetric (public-key) algorithms. Public-key cryptography uses a pair of mathematically related keys. If one key is used to encrypt information, then only the related key can decrypt that information. The security of a public-key cryptosystem rests on the fact that the private key can be computed from the public key only by solving a difficult computational problem. The keys are therefore based on the intractability of problems such as discrete logarithms or the factoring of large integers. RSA, developed by Rivest, Shamir and Adleman, is the most commonly used public-key cryptosystem. The RSA system uses two large prime numbers, multiplied to form a composite, and capitalizes on the very difficult problem of factoring that composite into its primes. Other common public-key systems are Diffie-Hellman, used in key exchange protocols, and the Digital Signature Standard (DSS), a signature-only mechanism endorsed by the United States Government. These two systems are based on discrete logarithms.
A public-key system can be explained with an example. In this system every endpoint holds a pair of keys, called the public key and the private key. The public key is published to all, while the private key is kept secret. The information to be sent is encrypted using the public key, which is provided by the receiver or retrieved from a directory in which it is published (see the Lotus Notes Address Book). The receiver uses the private key to decrypt information that has been encrypted using the corresponding public key. Thus the receiver can be certain that any information it is able to decrypt must have been intended for it. Alternatively, a private key can be used to digitally sign a message, to identify the sender. The digital signature is a unique value depending on the content of the message, created using a hashing or message authentication algorithm. This value is encrypted using the private key. The person who receives the message is provided with the algorithm and the public key (either in the message itself or from a directory). The receiver hashes the message using the algorithm, decrypts the signature using the public key, and compares the two values as verification. When combined with a digital timestamp, the message can also be proved to have been sent at a certain time.
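The key roles described in the two paragraphs above, as an added worked example that is not part of the original article: textbook RSA built from two small constructed primes (61 and 53), showing public-key encryption and the hash, sign-with-private-key, verify-with-public-key flow. The function names and toy values are assumptions for illustration; real deployments use very large primes and a padding scheme such as PKCS#1, which this example omits.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes p and q (constructed inputs)."""
    n = p * q                          # public modulus: the hard-to-factor composite
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)                # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)              # (public key, private key)


def encrypt(public_key, m):
    """Encrypt an integer m < n with the receiver's public key."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recover m from ciphertext c with the receiver's private key."""
    n, d = private_key
    return pow(c, d, n)


def message_digest(message, n):
    """Hash the message and reduce it into the modulus range (toy only; real
    schemes pad the digest instead of reducing it)."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(private_key, message):
    """Signature = digest 'encrypted' with the signer's private key."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Receiver hashes the message, 'decrypts' the signature with the public
    key, and compares the two values."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, e=17)       # toy primes, n = 3233
    print(decrypt(priv, encrypt(pub, 65)))       # round trip -> 65
    sig = sign(priv, b"transfer 100")
    print(verify(pub, b"transfer 100", sig))     # True for the genuine message
    print(verify(pub, b"transfer 100", (sig + 1) % pub[0]))  # False: altered signature
```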
Another development in this area is the digital certificate. It is a digitally signed statement by a Certification Authority (CA) that provides independent confirmation of an attribute claimed by a person offering a digital signature. The Certification Authority is a mutually trusted third party that verifies the subject of the certificate, much like an agency that issues passports or driving licences. In practice, CAs offer a range of certificates, graded according to the level of inquiry used to confirm the identity of the subject. Digital certificates have a wide range of applications in the growing Internet community. Some examples are identifying certificates, which technically bind a name to a public key; authorization certificates, which bind geographic location, age and other attributes; and transactional certificates, which attest to a particular transaction.
The public-key system as a whole, including the digital certificates, Certification Authorities, directories, and certificate management systems, is known as a Public Key Infrastructure (PKI). Applications are made PKI-aware so that they are able to use digital signatures and digital certificates. Security is like a chain: it is only as strong as its weakest link.
Cryptography has advanced by leaps and bounds in the past few decades, identifying and removing the weakest links. The exponential growth in computational technology keeps demanding stronger cryptographic systems than ever before. But if the weakest links that are not cryptographic, such as the storage of private keys, are not made stronger, the system will remain vulnerable however strong its cryptography is.