PGP*, Version 6.0.2
11-98. Printed in the United States of America.
PGP, Pretty Good, and Pretty Good Privacy are registered trademarks of Network Associates,
Inc. and/or its Affiliated Companies in the US and other countries. All other registered and
unregistered trademarks in this document are the sole property of their respective owners.
The software provided with this documentation is licensed to you for your individual use
under the terms of the End User License Agreement and Limited Warranty provided with the
software. The information in this document is subject to change without notice. Network
Associates Inc. does not warrant that the information meets your requirements or that the
information is free of errors. The information may include technical inaccuracies or
typographical errors. Changes may be made to the information and incorporated in new
editions of this document, if and when made available by Network Associates Inc.
Export of this software and documentation may be subject to compliance with the rules and
regulations promulgated from time to time by the Bureau of Export Administration, United
States Department of Commerce, which restrict the export and re-export of certain products
and technical data.
Network Associates, Inc. (408) 988-3832 main
3965 Freedom Circle
Santa Clara, CA 95054
http://www.nai.com
info@nai.com
* is sometimes used instead of the ® for registered trademarks to protect marks registered
LIMITED WARRANTY
Limited Warranty. Network Associates warrants that for sixty (60) days from the date of
original purchase the media (for example diskettes) on which the Software is contained will be
free from defects in materials and workmanship.
Customer Remedies. Network Associates' and its suppliers' entire liability and your exclusive
remedy shall be, at Network Associates' option, either (i) return of the purchase price paid for
the license, if any, or (ii) replacement of the defective media in which the Software is contained
with a copy on nondefective media. You must return the defective media to Network
Associates at your expense with a copy of your receipt. This limited warranty is void if the
defect has resulted from accident, abuse, or misapplication. Any replacement media will be
warranted for the remainder of the original warranty period. Outside the United States, this
remedy is not available to the extent Network Associates is subject to restrictions under United
States export control laws and regulations.
Warranty Disclaimer. To the maximum extent permitted by applicable law, and except for the
limited warranty set forth herein, THE SOFTWARE IS PROVIDED ON AN "AS IS" BASIS
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. WITHOUT LIMITING THE
FOREGOING PROVISIONS, YOU ASSUME RESPONSIBILITY FOR SELECTING THE
SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION
OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING
THE FOREGOING PROVISIONS, NETWORK ASSOCIATES MAKES NO WARRANTY
THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR
OTHER FAILURES OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS. TO
THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NETWORK ASSOCIATES
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, AND NONINFRINGEMENT WITH RESPECT TO THE
SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. SOME STATES AND
JURISDICTIONS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES, SO THE
ABOVE LIMITATION MAY NOT APPLY TO YOU. The foregoing provisions shall be
enforceable to the maximum extent permitted by applicable law.
Preface
Cryptography is the stuff of spy novels and action comics. Kids once saved up
Ovaltine™ labels and sent away for Captain Midnight’s Secret Decoder Ring.
Almost everyone has seen a television show or movie involving a nondescript
suit-clad gentleman with a briefcase handcuffed to his wrist. The word
“espionage” conjures images of James Bond, car chases, and flying bullets.
And here you are, sitting in your office, faced with the rather mundane task of
sending a sales report to a coworker in such a way that no one else can read it.
You just want to be sure that your colleague was the actual and only recipient
of the email and you want him or her to know that you were unmistakably the
sender. It’s not national security at stake, but if your company’s competitor got
a hold of it, it could cost you. How can you accomplish this?
You can use cryptography. You may find it lacks some of the drama of code
phrases whispered in dark alleys, but the result is the same: information
revealed only to those for whom it was intended.
Who should read this guide
This guide is useful to anyone who is interested in knowing the basics of
cryptography, and explains the terminology and technology you will
encounter as you use PGP products. You will find it useful to read before you
begin working with cryptography.
How to use this guide
This guide describes how to use PGP to securely manage your organization’s
messages and data storage.
Chapter 1, “The Basics of Cryptography,” provides an overview of the
terminology and concepts you will encounter as you use PGP products.
Chapter 2, “Phil Zimmermann on PGP,” written by PGP’s creator, contains
discussions of security, privacy, and the vulnerabilities inherent in any
security system, even PGP.
An Introduction to Cryptography
For more information
There are several ways to find out more about Network Associates and its
products.
Customer service
To order products or obtain product information, contact the Network
Associates Customer Care department.
You can contact Customer Care at one of the following numbers Monday
through Friday between 6:00 A.M. and 6:00 P.M. Pacific time.
Phone: (408) 988-3832
Or write to:
Network Associates, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
U.S.A.
Technical support
Network Associates is famous for its dedication to customer satisfaction. We
have continued this tradition by making our site on the World Wide Web a
valuable resource for answers to technical support issues. We encourage you
to make this your first stop for answers to frequently asked questions, for
updates to Network Associates software, and for access to Network Associates
news and encryption information.
World Wide Web: http://www.nai.com
Technical Support for your PGP product is also available through these
channels:
Phone: (408) 988-3832
Email: PGPSupport@pgp.com
To provide the answers you need quickly and efficiently, the Network
Associates technical support staff needs some information about your
computer and your software. Please have this information ready before you
call:
• PGP product name
• PGP product version
• Computer platform and CPU type
• Amount of available memory (RAM)
• Operating system and version and type of network
• Content of any status or error message displayed on screen, or appearing
in a log file (not all products produce log files)
• Email application and version (if the problem involves using PGP with an
email product, for example, the Eudora plug-in)
Related reading
Here are some documents that you may find helpful in understanding
cryptography:
Non-Technical and beginning technical books
• “Cryptography for the Internet,” by Philip R. Zimmermann. Scientific
American, October 1998. This article, written by PGP’s creator, is a tutorial
on various cryptographic protocols and algorithms, many of which happen
to be used by PGP.
• “Privacy on the Line,” by Whitfield Diffie and Susan Eva Landau. MIT Press;
ISBN: 0262041677. This book is a discussion of the history and policy
surrounding cryptography and communications security. It is an excellent
read, even for beginners and non-technical people, and contains
information that even a lot of experts don't know.
• “The Codebreakers,” by David Kahn. Scribner; ISBN: 0684831309. This book
is a history of codes and code breakers from the time of the Egyptians to the
end of WWII. Kahn first wrote it in the sixties, and published a revised
edition in 1996. This book won't teach you anything about how
cryptography is accomplished, but it has been the inspiration of the whole
modern generation of cryptographers.
• “Network Security: Private Communication in a Public World,” by Charlie
Kaufman, Radia Perlman, and Mike Spencer. Prentice Hall; ISBN:
0-13-061466-1. This is a good description of network security systems and
protocols, including descriptions of what works, what doesn't work, and
why. Published in 1995, it doesn't have many of the latest technological
advances, but is still a good book. It also contains one of the most clear
descriptions of how DES works of any book written.
Intermediate books
• “Applied Cryptography: Protocols, Algorithms, and Source Code in C,” by Bruce
Schneier, John Wiley & Sons; ISBN: 0-471-12845-7. This is a good beginning
technical book on how a lot of cryptography works. If you want to become
an expert, this is the place to start.
• “Handbook of Applied Cryptography,” by Alfred J. Menezes, Paul C. van
Oorschot, and Scott Vanstone. CRC Press; ISBN: 0-8493-8523-7. This is the
technical book you should read after Schneier’s book. There is a lot of
heavy-duty math in this book, but it is nonetheless usable for those who do
not understand the math.
• “Internet Cryptography,” by Richard E. Smith. Addison-Wesley Pub Co;
ISBN: 0201924803. This book describes how many Internet security
protocols work. Most importantly, it describes how systems that are
designed well nonetheless end up with flaws through careless operation.
This book is light on math, and heavy on practical information.
• “Firewalls and Internet Security: Repelling the Wily Hacker,” by William R.
Cheswick and Steven M. Bellovin. Addison-Wesley Pub Co; ISBN:
0201633574. This book is written by two senior researchers at AT&T Bell
Labs and is about their experiences maintaining and redesigning AT&T's
Internet connection. Very readable.
Advanced books
• “A Course in Number Theory and Cryptography,” by Neal Koblitz.
Springer-Verlag; ISBN: 0-387-94293-9. An excellent graduate-level
mathematics textbook on number theory and cryptography.
• “Differential Cryptanalysis of the Data Encryption Standard,” by Eli Biham and
Adi Shamir. Springer-Verlag; ISBN: 0-387-97930-1. This book describes the
technique of differential cryptanalysis as applied to DES. It is an excellent
book for learning about this technique.
The Basics of Cryptography
When Julius Caesar sent messages to his generals, he didn't trust his
messengers. So he replaced every A in his messages with a D, every B with an
E, and so on through the alphabet. Only someone who knew the “shift by 3”
rule could decipher his messages.
And so we begin.
Encryption and decryption
Data that can be read and understood without any special measures is called
plaintext or cleartext. The method of disguising plaintext in such a way as to
hide its substance is called encryption. Encrypting plaintext results in
unreadable gibberish called ciphertext. You use encryption to ensure that
information is hidden from anyone for whom it is not intended, even those
who can see the encrypted data. The process of reverting ciphertext to its
original plaintext is called decryption.
Figure 1-1 illustrates this process.
Figure 1-1. Encryption and decryption: plaintext -> encryption -> ciphertext -> decryption -> plaintext
What is cryptography?
Cryptography is the science of using mathematics to encrypt and decrypt data.
Cryptography enables you to store sensitive information or transmit it across
insecure networks (like the Internet) so that it cannot be read by anyone except
the intended recipient.
While cryptography is the science of securing data, cryptanalysis is the science
of analyzing and breaking secure communication. Classical cryptanalysis
involves an interesting combination of analytical reasoning, application of
mathematical tools, pattern finding, patience, determination, and luck.
Cryptanalysts are also called attackers.
Cryptology embraces both cryptography and cryptanalysis.
Strong cryptography
“There are two kinds of cryptography in this world: cryptography that will stop your
kid sister from reading your files, and cryptography that will stop major governments
from reading your files. This book is about the latter.”
--Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source
Code in C.
PGP is also about the latter sort of cryptography.
Cryptography can be strong or weak, as explained above. Cryptographic
strength is measured in the time and resources it would require to recover the
plaintext. The result of strong cryptography is ciphertext that is very difficult to
decipher without possession of the appropriate decoding tool. How difficult?
Given all of today’s computing power and available time—even a billion
computers doing a billion checks a second—it is not possible to decipher the
result of strong cryptography before the end of the universe.
One would think, then, that strong cryptography would hold up rather well
against even an extremely determined cryptanalyst. Who’s really to say? No
one has proven that the strongest encryption obtainable today will hold up
under tomorrow’s computing power. However, the strong cryptography
employed by PGP is the best available today. Vigilance and conservatism will
protect you better, however, than claims of impenetrability.
How does cryptography work?
A cryptographic algorithm, or cipher, is a mathematical function used in the
encryption and decryption process. A cryptographic algorithm works in
combination with a key—a word, number, or phrase—to encrypt the plaintext.
The same plaintext encrypts to different ciphertext with different keys. The
security of encrypted data is entirely dependent on two things: the strength of
the cryptographic algorithm and the secrecy of the key.
A cryptographic algorithm, plus all possible keys and all the protocols that
make it work comprise a cryptosystem. PGP is a cryptosystem.
Conventional cryptography
In conventional cryptography, also called secret-key or symmetric-key
encryption, one key is used both for encryption and decryption. The Data
Encryption Standard (DES) is an example of a conventional cryptosystem that
is widely employed by the Federal Government. Figure 1-2 is an illustration of
the conventional encryption process.
Figure 1-2. Conventional encryption: plaintext -> encryption -> ciphertext -> decryption -> plaintext (one key for both)
Caesar’s Cipher
An extremely simple example of conventional cryptography is a substitution
cipher. A substitution cipher substitutes one piece of information for another.
This is most frequently done by offsetting letters of the alphabet. Two examples
are Captain Midnight’s Secret Decoder Ring, which you may have owned when
you were a kid, and Julius Caesar’s cipher. In both cases, the algorithm is to
offset the alphabet and the key is the number of characters to offset it.
For example, if we encode the word “SECRET” using Caesar’s key value of 3,
we offset the alphabet so that the 3rd letter down (D) begins the alphabet.
So starting with
ABCDEFGHIJKLMNOPQRSTUVWXYZ
and sliding everything up by 3, you get
DEFGHIJKLMNOPQRSTUVWXYZABC
where D=A, E=B, F=C, and so on.
Using this scheme, the plaintext, “SECRET” encrypts as “VHFUHW.” To
allow someone else to read the ciphertext, you tell them that the key is 3.
Obviously, this is exceedingly weak cryptography by today’s standards, but
hey, it worked for Caesar, and it also illustrates how conventional
cryptography works.
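Caesar’s shift written out as a small runnable substitution cipher, an added example that is not part of the original guide. It keeps the algorithm (offset the alphabet) separate from the key (the offset), and the last function makes the “exceedingly weak” verdict concrete in the terms defined under “Strong cryptography”: there are only 26 possible keys, so recovering the plaintext costs at most 26 trials.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet Caesar shifted


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` positions further along.

    The algorithm (offset the alphabet) is fixed; only the key varies.
    Non-letters pass through unchanged; lowercase letters keep their case.
    """
    key %= len(ALPHABET)  # shifting by 26 is the same as not shifting
    out = []
    for ch in plaintext:
        if ch.upper() in ALPHABET:
            idx = (ALPHABET.index(ch.upper()) + key) % len(ALPHABET)
            shifted = ALPHABET[idx]
            out.append(shifted if ch.isupper() else shifted.lower())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is just encryption with the opposite offset."""
    return caesar_encrypt(ciphertext, -key)


def key_space() -> int:
    """Number of distinct keys: one per possible offset, including 0."""
    return len(ALPHABET)


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """Every possible decryption, keyed by the offset that produced it.

    With only 26 candidates an analyst who knows the algorithm can read
    all of them; the "time and resources" needed to recover the plaintext
    are negligible, which is what makes this cipher weak.
    """
    return {k: caesar_decrypt(ciphertext, k) for k in range(key_space())}


if __name__ == "__main__":
    ct = caesar_encrypt("SECRET", 3)
    print(ct)                        # VHFUHW, the guide's example
    print(caesar_decrypt(ct, 3))     # SECRET
    print(key_space(), "possible keys")
```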
Key management and conventional encryption
Conventional encryption has benefits. It is very fast. It is especially useful for
encrypting data that is not going anywhere. However, conventional
encryption alone as a means for transmitting secure data can be quite
expensive simply due to the difficulty of secure key distribution.
Recall a character from your favorite spy movie: the person with a locked
briefcase handcuffed to his or her wrist. What is in the briefcase, anyway? It’s
probably not the missile launch code/biotoxin formula/invasion plan itself.
It’s the key that will decrypt the secret data.
For a sender and recipient to communicate securely using conventional
encryption, they must agree upon a key and keep it secret between
themselves. If they are in different physical locations, they must trust a courier,
the Bat Phone, or some other secure communication medium to prevent the
disclosure of the secret key during transmission. Anyone who overhears or
intercepts the key in transit can later read, modify, and forge all information
encrypted or authenticated with that key. From DES to Captain Midnight’s
Secret Decoder Ring, the persistent problem with conventional encryption is
key distribution: how do you get the key to the recipient without someone
intercepting it?
Public key cryptography
The problems of key distribution are solved by public key cryptography, the
concept of which was introduced by Whitfield Diffie and Martin Hellman in
1975. (There is now evidence that the British Secret Service invented it a few
years before Diffie and Hellman, but kept it a military secret—and did nothing
with it.)[1]
Public key cryptography is an asymmetric scheme that uses a pair of keys for
encryption: a public key, which encrypts data, and a corresponding private, or
secret key for decryption. You publish your public key to the world while
keeping your private key secret. Anyone with a copy of your public key can then
encrypt information that only you can read. Even people you have never met.
[1] J H Ellis, The Possibility of Secure Non-Secret Digital Encryption, CESG Report, January 1970.
[CESG is the UK’s National Authority for the official use of cryptography.]
It is computationally infeasible to deduce the private key from the public key.
Anyone who has a public key can encrypt information but cannot decrypt it.
Only the person who has the corresponding private key can decrypt the
information.
Figure 1-3. Public key encryption: plaintext -> encryption (public key) -> ciphertext -> decryption (private key) -> plaintext
The primary benefit of public key cryptography is that it allows people who
have no preexisting security arrangement to exchange messages securely. The
need for sender and receiver to share secret keys via some secure channel is
eliminated; all communications involve only public keys, and no private key
is ever transmitted or shared. Some examples of public-key cryptosystems are
Elgamal (named for its inventor, Taher Elgamal), RSA (named for its
inventors, Ron Rivest, Adi Shamir, and Leonard Adleman), Diffie-Hellman
(named, you guessed it, for its inventors), and DSA, the Digital Signature
Algorithm (invented by David Kravitz).
Because conventional cryptography was once the only available means for
relaying secret information, the expense of secure channels and key
distribution relegated its use only to those who could afford it, such as
governments and large banks (or small children with secret decoder rings).
Public key encryption is the technological revolution that provides strong
cryptography to the adult masses. Remember the courier with the locked
briefcase handcuffed to his wrist? Public-key encryption puts him out of
business (probably to his relief).
How PGP works
PGP combines some of the best features of both conventional and public key
cryptography. PGP is a hybrid cryptosystem.
When a user encrypts plaintext with PGP, PGP first compresses the plaintext.
Data compression saves modem transmission time and disk space and, more
importantly, strengthens cryptographic security. Most cryptanalysis
techniques exploit patterns found in the plaintext to crack the cipher.
Compression reduces these patterns in the plaintext, thereby greatly
enhancing resistance to cryptanalysis. (Files that are too short to compress or
which don’t compress well aren’t compressed.)
PGP then creates a session key, which is a one-time-only secret key. This key is
a random number generated from the random movements of your mouse and
the keystrokes you type. This session key works with a very secure, fast
conventional encryption algorithm to encrypt the plaintext; the result is
ciphertext. Once the data is encrypted, the session key is then encrypted to the
recipient’s public key. This public key-encrypted session key is transmitted
along with the ciphertext to the recipient.
Figure 1-4. How PGP encryption works: plaintext is encrypted with the session key; the session key is encrypted with the recipient's public key; the result is ciphertext + encrypted session key
Decryption works in the reverse. The recipient’s copy of PGP uses his or her
private key to recover the temporary session key, which PGP then uses to
decrypt the conventionally-encrypted ciphertext.
Figure 1-5. How PGP decryption works: encrypted message (encrypted session key + ciphertext) -> recipient’s private key used to decrypt session key -> session key used to decrypt ciphertext -> original plaintext
The combination of the two encryption methods combines the convenience of
public key encryption with the speed of conventional encryption.
Conventional encryption is about 1,000 times faster than public key
encryption. Public key encryption in turn provides a solution to key
distribution and data transmission issues. Used together, performance and
key distribution are improved without any sacrifice in security.
Keys
A key is a value that works with a cryptographic algorithm to produce a
specific ciphertext. Keys are basically really, really, really big numbers. Key
size is measured in bits; the number representing a 1024-bit key is darn huge.
In public key cryptography, the bigger the key, the more secure the ciphertext.
However, public key size and conventional cryptography’s secret key size are
totally unrelated. A conventional 80-bit key has the equivalent strength of a
1024-bit public key. A conventional 128-bit key is equivalent to a 3000-bit
public key. Again, the bigger the key, the more secure, but the algorithms used
for each type of cryptography are very different and thus comparison is like
that of apples to oranges.
While the public and private keys are related, it’s very difficult to derive the
private key given only the public key; however, deriving the private key is
always possible given enough time and computing power. This makes it very
important to pick keys of the right size; large enough to be secure, but small
enough to be applied fairly quickly. Additionally, you need to consider who
might be trying to read your files, how determined they are, how much time
they have, and what their resources might be.
Larger keys will be cryptographically secure for a longer period of time. If
what you want to encrypt needs to be hidden for many years, you might want
to use a very large key. Of course, who knows how long it will take to
determine your key using tomorrow’s faster, more efficient computers? There
was a time when a 56-bit symmetric key was considered extremely safe.
Keys are stored in encrypted form. PGP stores the keys in two files on your
hard disk; one for public keys and one for private keys. These files are called
keyrings. As you use PGP, you will typically add the public keys of your
recipients to your public keyring. Your private keys are stored on your private
keyring. If you lose your private keyring, you will be unable to decrypt any
information encrypted to keys on that ring.
Digital signatures
A major benefit of public key cryptography is that it provides a method for
employing digital signatures. Digital signatures enable the recipient of
information to verify the authenticity of the information’s origin, and also
verify that the information is intact. Thus, public key digital signatures
provide authentication and data integrity. A digital signature also provides
non-repudiation, which means that it prevents the sender from claiming that he
or she did not actually send the information. These features are every bit as
fundamental to cryptography as privacy, if not more.
A digital signature serves the same purpose as a handwritten signature.
However, a handwritten signature is easy to counterfeit. A digital signature is
superior to a handwritten signature in that it is nearly impossible to
counterfeit, plus it attests to the contents of the information as well as to the
identity of the signer.
Some people tend to use signatures more than they use encryption. For
example, you may not care if anyone knows that you just deposited $1000 in
your account, but you do want to be darn sure it was the bank teller you were
dealing with.
The basic manner in which digital signatures are created is illustrated in Figure
1-6. Instead of encrypting information using someone else’s public key, you
encrypt it with your private key. If the information can be decrypted with your
public key, then it must have originated with you.
Figure 1-6. Simple digital signatures: original text -> signing (private key) -> signed text -> verifying (public key) -> verified text
Hash functions
The system described above has some problems. It is slow, and it produces an
enormous volume of data—at least double the size of the original information.
An improvement on the above scheme is the addition of a one-way hash
function in the process. A one-way hash function takes variable-length
input—in this case, a message of any length, even thousands or millions of
bits—and produces a fixed-length output; say, 160-bits. The hash function
ensures that, if the information is changed in any way—even by just one
bit—an entirely different output value is produced.
PGP uses a cryptographically strong hash function on the plaintext the user is
signing. This generates a fixed-length data item known as a message digest.
(Again, any change to the information results in a totally different digest.)
Then PGP uses the digest and the private key to create the “signature.” PGP
transmits the signature and the plaintext together. Upon receipt of the
message, the recipient uses PGP to recompute the digest, thus verifying the
signature. PGP can encrypt the plaintext or not; signing plaintext is useful if
some of the recipients are not interested in or capable of verifying the
signature.
As long as a secure hash function is used, there is no way to take someone's
signature from one document and attach it to another, or to alter a signed
message in any way. The slightest change in a signed document will cause the
digital signature verification process to fail.
Figure 1-7. Secure digital signatures: plaintext -> hash function -> message digest -> digest signed with private key -> plaintext + signature
Digital signatures play a major role in authenticating and validating other PGP
users’ keys.
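The hybrid flow of Figures 1-4 and 1-5 (“How PGP works”) and the hash-then-sign flow of Figure 1-7, as one added example that is not PGP’s own code. For the public-key part it assumes a toy textbook RSA pair (no padding, small 160-bit primes), and in place of PGP’s fast conventional cipher it assumes a SHA-256 keystream XOR; both are stand-ins chosen so the message flow runs on the Python standard library alone, and neither is how PGP itself implements these steps.

```python
import hashlib
import math
import os
import secrets
import zlib


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; 24 random bases make a false positive negligible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:  # force the top bit (full size) and the low bit (odd)
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 160):
    """Toy RSA: return ((n, e), (n, d)). Two 160-bit primes give n > 2^256,
    so a 128-bit session key or a SHA-256 digest fits in one RSA block."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy conventional cipher: XOR with a SHA-256 keystream. Stands in for
    PGP's fast symmetric algorithm; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(session_key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def pgp_style_encrypt(plaintext: bytes, recipient_public) -> tuple:
    """Figure 1-4: compress, encrypt under a one-time session key, then
    encrypt that session key to the recipient's public key."""
    n, e = recipient_public
    compressed = zlib.compress(plaintext)
    session_key = os.urandom(16)  # one-time-only secret key
    ciphertext = _keystream_xor(session_key, compressed)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, ciphertext  # both travel to the recipient


def pgp_style_decrypt(message: tuple, recipient_private) -> bytes:
    """Figure 1-5: the private key recovers the session key, which then
    decrypts the conventionally-encrypted ciphertext."""
    n, d = recipient_private
    wrapped_key, ciphertext = message
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return zlib.decompress(_keystream_xor(session_key, ciphertext))


def sign(plaintext: bytes, signer_private) -> int:
    """Figure 1-7: hash the plaintext and sign only the fixed-size digest."""
    n, d = signer_private
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    return pow(digest, d, n)


def verify(plaintext: bytes, signature: int, signer_public) -> bool:
    """Recompute the digest; any change to the plaintext makes this fail."""
    n, e = signer_public
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    return pow(signature, e, n) == digest


def round_trip_demo() -> dict:
    """Alice encrypts a constructed sample report to Bob and signs it."""
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    report = b"Q3 sales report: constructed sample text, not real data. " * 8
    msg = pgp_style_encrypt(report, bob_pub)
    sig = sign(report, alice_priv)
    return {
        "decrypts_to_original": pgp_style_decrypt(msg, bob_priv) == report,
        "signature_valid": verify(report, sig, alice_pub),
        "tampered_signature_valid": verify(report + b"!", sig, alice_pub),
        "compressed_before_encrypting": len(msg[1]) < len(report),
    }
```

Calling `round_trip_demo()` runs the whole exchange once; the tampered check is the “slightest change … will cause verification to fail” property from the text.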
Digital certificates
One issue with public key cryptosystems is that users must be constantly
vigilant to ensure that they are encrypting to the correct person’s key. In an
environment where it is safe to freely exchange keys via public servers,
man-in-the-middle attacks are a potential threat. In this type of attack, someone
posts a phony key with the name and user ID of the user’s intended recipient.
Data encrypted to—and intercepted by—the true owner of this bogus key is
now in the wrong hands.
In a public key environment, it is vital that you are assured that the public key
to which you are encrypting data is in fact the public key of the intended
recipient and not a forgery. You could simply encrypt only to those keys which
have been physically handed to you. But suppose you need to exchange
information with people you have never met; how can you tell that you have
the correct key?
Digital certificates, or certs, simplify the task of establishing whether a key truly
belongs to the purported owner.
Webster’s dictionary defines certificate as “a document containing a certified
statement, especially as to the truth of something.” A certificate is a form of
credential. Examples might be your passport, your social security card, or
your birth certificate. Each of these has some information on it identifying you
and some authorization stating that someone else has confirmed your identity.
Some certificates, such as your driver’s license, are important enough
confirmation of your identity that you would not want to lose them, lest
someone use them to impersonate you.
A digital certificate is data that functions much like a physical certificate. A
digital certificate is information included with a person’s public key that helps
others verify that a key is genuine or valid. Digital certificates are used to
thwart attempts to substitute one person’s key for another.
A digital certificate consists of three things:
• A public key.
• Certificate information. (“Identity” information about the user, such as
name, user ID, and so on.)
• One or more digital signatures.
The purpose of the digital signature on a certificate is to state that the
certificate information has been attested to by some other person or entity. The
digital signature does not attest to the authenticity of the certificate as a whole;
it vouches only that the signed identity information goes along with, or is
bound to, the public key.
While some security experts believe it is not a good practice to mix
professional and personal identity information on one key, but rather have
separate keys for each, you will come across certificates containing a public
key with several associated identities (for example, the user’s name and
corporate email account, the user’s nickname and home email account, the
user’s maiden name and college email account—all in one certificate). The list
of signatures of each of those identities may differ; signatures usually attest to
the authenticity of one of the identities, not that all three are authentic.
For example, suppose your coworker, Alice, asks you to sign her certificate.
You look it up on the server and see that Alice has two pieces of identity
information associated with the certificate. The first one reads “Alice Petucci,
alice@securecompany.com.” The second reads “Cleopatra, cleo@cheops.org.”
Depending on how well you know Alice, you might want to choose to sign
only the one that relates to the Alice you know at work.
Figure 1-8. Anatomy of a certificate: one key; one or more user IDs; signatures (certifications) attached to each user ID
Validity and trust
Every user in a public key system is vulnerable to mistaking a phony key
(certificate) for a real one. Validity is confidence that a public key certificate
belongs to its purported owner. Validity is essential in a public key
environment where you must constantlyestablish whether or not a particular
certificate is authentic.
When you’ve assured yourself that a certificate belonging to someone else is
valid, you can sign the copy on your keyring to attest to the fact that you’ve
checkedthecertificateandthatit’s a good one.Ifyouwantothers to knowthat
you gave the certificate your stamp of approval, you can export t he signature
to a certificate server so that others can see it.
Some companies designate one or more Certification Authorities (CA),whose
jobitistogoaroundandcheckthevalidityofallthecertificatesinthe
organization and then sign the good ones. The CA is the Grand Pooh-bah of
validation in an organization, whom everyone trusts, and in some public key
environments, no certificate is considered valid unless it has been attested to
by a CA.
Checking validity
The Basics of Cryptography
One way to establish validity is to go through some manual process. There are
several ways to accomplish this. You could require your intended recipient to
physically hand you a copy of his or her public key. But this is often
inconvenient and inefficient.
Another way is to manually check the certificate’s fingerprint. Just as every
human’s fingerprints are unique, every PGP certificate’s fingerprint is unique.
The fingerprint is a hash of the user’s certificate and appears as one of the
certificate’s properties. You can check that a certificate is valid by calling the
key’s owner (so that you originate the transaction) and asking the owner to
read his or her key’s fingerprint to you and verifying that fingerprint against
the one you believe to be the real one. This works if you know the owner’s
voice, but how do you manually verify the identity of someone you don’t
know? Some people put the fingerprint of their key on their business cards for
this very reason.
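As an added example (not code from the manual or from PGP): computing a fingerprint as a hash of the certificate bytes and checking it against the value the owner reads to you over the phone or prints on a business card. The choice of SHA-1, the four-character grouping, and the constructed certificate bytes are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a certificate's bytes (assumption: a real PGP
# certificate is a sequence of binary packets; its exact layout is not shown).
SAMPLE_CERT = b"PGP-CERT|Alice Petucci <alice@securecompany.com>|pubkey:0123456789abcdef"


def fingerprint(cert_bytes: bytes) -> str:
    """Hash of the certificate, grouped in blocks of four hex digits so it can be
    read aloud without losing one's place (SHA-1 and the grouping are assumptions)."""
    digest_hex = hashlib.sha1(cert_bytes).hexdigest().upper()
    return " ".join(digest_hex[i:i + 4] for i in range(0, len(digest_hex), 4))


def normalize(fp_as_spoken: str) -> str:
    """Drop spacing and letter case so a value typed in from a phone call or a
    business card compares equal to the locally computed one."""
    return "".join(fp_as_spoken.split()).upper()


def fingerprint_matches(cert_bytes: bytes, fp_as_spoken: str) -> bool:
    """True only if every hex digit agrees. compare_digest is used so that the
    comparison does not stop at the first differing character."""
    return hmac.compare_digest(normalize(fingerprint(cert_bytes)),
                               normalize(fp_as_spoken))


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_CERT)
    print("local fingerprint:", fp)
    print("matches the value read to us:", fingerprint_matches(SAMPLE_CERT, fp.lower()))
```

The check only has value when the reference fingerprint arrives over a channel the certificate did not travel on (the owner's voice, a printed card); comparing a fingerprint to one downloaded from the same server as the key proves nothing.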
Another way to establish validity of someone’s certificate is to trust that a third
individual has gone through the process of validating it.
A CA, for example, is responsible for ensuring that prior to assigning validity
to a certificate, he or she carefully checks it to be sure it belongs to the
purported owner. Anyone who trusts the CA will automatically consider any
certificates validated by the CA to be valid.
Establishing trust
You validate keys. You trust people. More specifically, you trust people to
validate other people’s keys. Typically, unless the owner hands you the
certificate, you have to go by someone else’s word that it is valid.
Meta and trusted introducers
In most situations, people completely trust the CA to establish certificates’
validity. This means that everyone else relies upon the CA to go through the
whole manual validation process for them. This is fine up to a certain number
of users or number of work sites, and then it may not be possible for the CA to
maintain the same level of quality validation. In that case, adding other
validators to the system is necessary.
A CA can also be a meta-introducer. A meta-introducer bestows not only
validity on keys, but bestows the ability to trust keys upon others. Similar to the
king who hands his seal to his trusted advisors so they can act on his authority,
the meta-introducer enables others to act as trusted introducers. These trusted
introducers can validate keys to the same effect as that of the meta-introducer.
They cannot, however, create new trusted introducers.
Trust models
In relatively closed systems, such as within a company, it is easy to trace a path
of trust back to the root CA. However, in the real world, users must often
communicate with people outside of their corporate environment, including
some whom they have never met, such as vendors, customers, clients,
associates, and so on. Establishing a line of trust to those who have not been
explicitly trusted by a CA is difficult.
Companies follow one or another trust model, which dictates how users will go
about establishing key validity. There are three different models:
• Direct Trust
• Hierarchical Trust
• A Web of Trust
Direct Trust
Direct trust is the simplest trust model. In this model, a user trusts that a key
is valid because he or she knows where it came from. All cryptosystems use
this form of trust in some way. For example, in web browsers, the root
Certification Authority keys are directly trusted because they were shipped by
the manufacturer. If there is any form of hierarchy, it extends from these
directly trusted certificates.
In PGP, a user who validates keys herself and never sets another certificate to
be a trusted introducer is using direct trust.
Hierarchical Trust
In a hierarchical system, there are a number of “root” certificates from which
trust extends. These certificates may certify certificates themselves, or they
may certify certificates that certify still other certificates down some chain.
Consider it as a big trust “tree.” The “leaf” certificate's validity is verified by
tracing backward from its certifier, to other certifiers, until a directly trusted
root certificate is found.
Figure 1-9. Hierarchical trust (figure not reproduced; it shows a meta-introducer (or CA) at the root, trusted introducers below it, and users at the leaves)
Web of Trust
A web of trust encompasses both of the other models, but also adds the notion
that trust is in the eye of the beholder (which is the real-world view) and the
idea that more information is better. It is thus a cumulative trust model. A
certificate might be trusted directly, or trusted in some chain going back to a
directly trusted root certificate (the meta-introducer), or by some group of
introducers.
Perhaps you’ve heard of the term six degrees of separation, which suggests that
any person in the world can determine some link to any other person in the
world using six or fewer other people as intermediaries. This is a web of
introducers.
It is also the PGP view of trust. PGP uses digital signatures as its form of
introduction. When any user signs another’s key, he or she becomes an
introducer of that key. As this process goes on, it establishes a web of trust.
In a PGP environment, any user can act as a certifying authority. Any PGP user
can validate another PGP user’s public key certificate. However, such a
certificate is only valid to another user if the relying party recognizes the
validator as a trusted introducer. (That is, you trust my opinion that others’
keys are valid only if you consider me to be a trusted introducer. Otherwise,
my opinion on other keys’ validity is moot.)
Stored on each user’s public keyring are indicators of
• whether or not the user considers a particular key to be valid
• the level of trust the user places on the key that the key’s owner can serve
as certifier of others’ keys
You indicate, on your copy of my key, whether you think my judgement
counts. It’s really a reputation system: certain people are reputed to give good
signatures, and people trust them to attest to other keys’ validity.
Levels of trust in PGP
The highest level of trust in a key, implicit trust, is trust in your own key pair.
PGP assumes that if you own the private key, you must trust the actions of its
related public key. Any keys signed by your implicitly trusted key are valid.
There are three levels of trust you can assign to someone else’s public key:
• Complete trust
• Marginal trust
• No trust (or Untrusted)
To make things confusing, there are also three levels of validity:
• Valid
• Marginally valid
• Invalid
To define another’s key as a trusted introducer, you
1. Start with a valid key, one that is either
• signed by you or
• signed by another trusted introducer
and then
2. Set the level of trust you feel the key’s owner is entitled to.
For example, suppose your key ring contains Alice’s key. You have validated
Alice’s key and you indicate this by signing it. You know that Alice is a real
stickler for validating others’ keys. You therefore assign her key with
Complete trust. This makes Alice a Certification Authority. If Alice signs
another’s key, it appears as Valid on your keyring.
PGP requires one Completely trusted signature or two Marginally trusted
signatures to establish a key as valid. PGP’s method of considering two
Marginals equal to one Complete is similar to a merchant asking for two forms
of ID. You might consider Alice fairly trustworthy and also consider Bob fairly
trustworthy. Either one alone runs the risk of accidentally signing a counterfeit
key, so you might not place complete trust in either one. However, the odds
that both individuals signed the same phony key are probably small.
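As an added illustration (this is a model written for this page, not PGP's keyring code): the validity calculation the text describes, run over a small constructed keyring. It applies the rule of one Completely trusted signature or two Marginally trusted signatures, counts a signer only once that signer's own key is Valid, and treats a single Marginal signature as Marginally valid. That last reading, the key names and the keyring contents are assumptions.

```python
from enum import Enum


class Trust(Enum):
    """Trust you assign to a key's owner as an introducer of other keys."""
    IMPLICIT = "implicit"   # your own key pair
    COMPLETE = "complete"
    MARGINAL = "marginal"
    NONE = "none"


class Validity(Enum):
    VALID = "valid"
    MARGINAL = "marginally valid"
    INVALID = "invalid"


# Keyring model: key id -> (trust assigned to the owner, ids of keys that signed it).
# Signatures from keys not on the ring are ignored.
def compute_validity(keyring, own_key):
    """A key is Valid if signed by your own key, by one Completely trusted key,
    or by two Marginally trusted keys. A signer counts only once it is itself
    Valid, so the loop runs to a fixed point (chains resolve in any order).
    Exactly one Marginal signature gives Marginally valid (assumed reading)."""
    validity = {kid: Validity.INVALID for kid in keyring}
    validity[own_key] = Validity.VALID          # implicit trust in your own key
    changed = True
    while changed:
        changed = False
        for kid, (_, signers) in keyring.items():
            if validity[kid] is Validity.VALID:
                continue
            complete = marginal = 0
            for signer in signers:
                if signer not in keyring or validity[signer] is not Validity.VALID:
                    continue
                trust = keyring[signer][0]
                if trust in (Trust.IMPLICIT, Trust.COMPLETE):
                    complete += 1
                elif trust is Trust.MARGINAL:
                    marginal += 1
            if complete >= 1 or marginal >= 2:
                new = Validity.VALID
            elif marginal == 1:
                new = Validity.MARGINAL
            else:
                new = Validity.INVALID
            if new is not validity[kid]:
                validity[kid] = new
                changed = True
    return validity


def example_keyring():
    """Constructed keyring following the Alice/Bob scenario in the text."""
    return {
        "me":    (Trust.IMPLICIT, set()),
        "alice": (Trust.COMPLETE, {"me"}),            # you signed Alice; Complete trust
        "bob":   (Trust.MARGINAL, {"me"}),
        "carol": (Trust.MARGINAL, {"me"}),
        "dave":  (Trust.NONE,     {"alice"}),         # one Complete signature
        "erin":  (Trust.COMPLETE, {"bob", "carol"}),  # two Marginal signatures
        "frank": (Trust.NONE,     {"bob"}),           # only one Marginal signature
        "grace": (Trust.NONE,     {"dave"}),          # Dave is Valid but not trusted
        "heidi": (Trust.NONE,     {"mallory"}),       # signer unknown to this keyring
        "ivan":  (Trust.NONE,     {"erin"}),          # Valid only via the Bob/Carol chain
    }


def validity_report(keyring=None, own_key="me"):
    ring = keyring if keyring is not None else example_keyring()
    return {kid: v.value for kid, v in compute_validity(ring, own_key).items()}


if __name__ == "__main__":
    for kid, status in validity_report().items():
        print(f"{kid:6s} {status}")
```

Note that Grace's key stays Invalid even though Dave's key is Valid: validity and trust are separate indicators, exactly as the text says, and a Valid key signs nothing for you until you also assign its owner trust.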
What is a passphrase?
Most people are familiar with restricting access to computer systems via a
password, which is a unique string of characters that a user types in as an
identification code.
A passphrase is a longer version of a password, and in theory, a more secure
one. Typically composed of multiple words, a passphrase is more secure
against standard dictionary attacks, wherein the attacker tries all the words in
the dictionary in an attempt to determine your password. The best
passphrases are relatively long and complex and contain a combination of
upper and lowercase letters, numeric and punctuation characters.
PGP uses a passphrase to encrypt your private key on your machine. Your
private key is encrypted on your disk using a hash of your passphrase as the
secret key. You use the passphrase to decrypt and use your private key. A
passphrase should be hard for you to forget and difficult for others to guess. It
should be something already firmly embedded in your long-term memory,
rather than something you make up from scratch. Why? Because if you forget
your passphrase, you are out of luck. Your private key is totally and
absolutely useless without your passphrase and nothing can be done about it.
Remember the quote earlier in this chapter? PGP is cryptography that will
keep major governments out of your files. It will certainly keep you out of your
files, too. Keep that in mind when you decide to change your passphrase to the
punchline of that joke you can never quite remember.
Key splitting
They say that a secret is not a secret if it is known to more than one person.
Sharing a private key pair poses such a problem. While it is not a
recommended practice, sharing a private key pair is necessary at times.
Corporate Signing Keys, for example, are private keys used by a company to
sign—for example—legal documents, sensitive personnel information, or
press releases to authenticate their origin. In such a case, it is worthwhile for
multiple members of the company to have access to the private key. However,
this means that any single individual can act fully on behalf of the company.
In such a case it is wise to split the key among multiple people in such a way
that more than one or two people must present a piece of the key in order to
reconstitute it to a usable condition. If too few pieces of the key are available,
then the key is unusable.
Some examples are to split a key into three pieces and require two of them to
reconstitute the key, or split it into two pieces and require both pieces. If a
secure network connection is used during the reconstitution process, the key’s
shareholders need not be physically present in order to rejoin the key.
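The manual does not say how PGP itself splits a key. As an added example, this is Shamir's threshold secret sharing, a standard scheme with exactly the property described: any two of three pieces (or, more generally, any k of n) rebuild the key, while fewer pieces leave every possible key equally likely. This is illustration code written for this page, not PGP's; the key material is a constructed sample and the field prime is an implementation choice.

```python
import secrets

# Prime field large enough to hold a 64-byte secret; 2^521 - 1 is a Mersenne prime.
P = 2 ** 521 - 1


def split_secret(secret: int, threshold: int, shares: int, rand=secrets.randbelow):
    """Hide the secret as the constant term of a random polynomial of degree
    threshold - 1 and hand out points on it. rand(P) must return a uniform
    integer in [0, P); it is injectable so tests can be deterministic."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [rand(P) for _ in range(threshold - 1)]

    def poly(x):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            y = (y * x + c) % P
        return y

    return [(x, poly(x)) for x in range(1, shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the supplied points. With fewer
    than `threshold` points this still returns a field element, but not the
    secret: the missing coefficients could be anything."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def split_key(key: bytes, threshold: int, shares: int, rand=secrets.randbelow):
    """Byte-level wrapper: returns (length, shares) so the key can be rebuilt."""
    return len(key), split_secret(int.from_bytes(key, "big"), threshold, shares, rand)


def rebuild_key(length: int, shares) -> bytes:
    value = reconstruct(shares)
    # With too few shares the value is an unrelated field element that may be
    # wider than the key; widen the buffer rather than raise so callers can compare.
    width = max(length, (value.bit_length() + 7) // 8)
    return value.to_bytes(width, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed stand-in for private key material
    length, parts = split_key(key, threshold=2, shares=3)
    print("shares 1+2 rebuild it:", rebuild_key(length, parts[:2]) == key)
    print("shares 1+3 rebuild it:", rebuild_key(length, [parts[0], parts[2]]) == key)
    print("share 1 alone does:   ", rebuild_key(length, parts[:1]) == key)
```

The pieces handed out are the (x, y) points; nobody holds the polynomial. Reconstruction should happen on a machine the shareholders trust, since whoever runs it sees the whole key, which is why the text's remark about a secure connection matters when they are not in the same room.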
Technical details
This chapter provided a high-level introduction to cryptographic concepts and
terminology. In Chapter 2, Phil Zimmermann, the creator of PGP, provides a
more in-depth discussion of privacy, the technical details of how PGP works,
including the various algorithms it uses, as well as various attacks and how to
protect yourself against them.
For more information on cryptography, please refer to some of the books listed
in the “Related reading” section of the Preface.
2 Phil Zimmermann on PGP
This chapter contains introductory and background information about
cryptography and PGP as written by Phil Zimmermann.
Why I wrote PGP
“Whatever you do will be insignificant, but it is very important that you do it.”
—Mahatma Gandhi.
It’s personal. It’s private. And it’s no one’s business but yours. You may be
planning a political campaign, discussing your taxes, or having a secret
romance. Or you may be communicating with a political dissident in a
repressive country. Whatever it is, you don’t want your private electronic mail
(email) or confidential documents read by anyone else. There’s nothing wrong
with asserting your privacy. Privacy is as apple-pie as the Constitution.
The right to privacy is spread implicitly throughout the Bill of Rights. But
when the United States Constitution was framed, the Founding Fathers saw
no need to explicitly spell out the right to a private conversation. That would
have been silly. Two hundred years ago, all conversations were private. If
someone else was within earshot, you could just go out behind the barn and
have your conversation there. No one could listen in without your knowledge.
The right to a private conversation was a natural right, not just in a
philosophical sense, but in a law-of-physics sense, given the technology of the
time.
But with the coming of the information age, starting with the invention of the
telephone, all that has changed. Now most of our conversations are conducted
electronically. This allows our most intimate conversations to be exposed
without our knowledge. Cellular phone calls may be monitored by anyone
with a radio. Electronic mail, sent across the Internet, is no more secure than
cellular phone calls. Email is rapidly replacing postal mail, becoming the norm
for everyone, not the novelty it was in the past. And email can be routinely and
automatically scanned for interesting keywords, on a large scale, without
detection. This is like driftnet fishing.
Perhaps you think your email is legitimate enough that encryption is
unwarranted. If you really are a law-abiding citizen with nothing to hide, then
why don’t you always send your paper mail on postcards? Why not submit to
drug testing on demand? Why require a warrant for police searches of your
house? Are you trying to hide something? If you hide your mail inside
envelopes, does that mean you must be a subversive or a drug dealer, or
maybe a paranoid nut? Do law-abiding citizens have any need to encrypt their
email?
What if everyone believed that law-abiding citizens should use postcards for
their mail? If a nonconformist tried to assert his privacy by using an envelope
for his mail, it would draw suspicion. Perhaps the authorities would open his
mail to see what he’s hiding. Fortunately, we don’t live in that kind of world,
because everyone protects most of their mail with envelopes. So no one draws
suspicion by asserting their privacy with an envelope. There’s safety in
numbers. Analogously, it would be nice if everyone routinely used encryption
for all their email, innocent or not, so that no one drew suspicion by asserting
their email privacy with encryption. Think of it as a form of solidarity.
Until now, if the government wanted to violate the privacy of ordinary
citizens, they had to expend a certain amount of expense and labor to intercept
and steam open and read paper mail. Or they had to listen to and possibly
transcribe spoken telephone conversation, at least before automatic voice
recognition technology became available. This kind of labor-intensive
monitoring was not practical on a large scale. It was only done in important
cases when it seemed worthwhile.
Senate Bill 266, a 1991 omnibus anticrime bill, had an unsettling measure
buried in it. If this non-binding resolution had become real law, it would have
forced manufacturers of secure communications equipment to insert special
“trap doors” in their products, so that the government could read anyone’s
encrypted messages. It reads, “It is the sense of Congress that providers of
electronic communications services and manufacturers of electronic
communications service equipment shall ensure that communications systems
permit the government to obtain the plain text contents of voice, data, and
other communications when appropriately authorized by law.” It was this bill
that led me to publish PGP electronically for free that year, shortly before the
measure was defeated after vigorous protest by civil libertarians and industry
groups.
The 1994 Digital Telephony bill mandated that phone companies install
remote wiretapping ports into their central office digital switches, creating a
new technology infrastructure for “point-and-click” wiretapping, so that
federal agents no longer have to go out and attach alligator clips to phone
lines. Now they will be able to sit in their headquarters in Washington and
listen in on your phone calls. Of course, the law still requires a court order for
a wiretap. But while technology infrastructures can persist for generations,
laws and policies can change overnight. Once a communications
infrastructure optimized for surveillance becomes entrenched, a shift in
political conditions may lead to abuse of this new-found power. Political
conditions may shift with the election of a new government, or perhaps more
abruptly from the bombing of a federal building.
A year after the 1994 Digital Telephony bill passed, the FBI disclosed plans to
require the phone companies to build into their infrastructure the capacity to
simultaneously wiretap 1 percent of all phone calls in all major U.S. cities. This
would represent more than a thousandfold increase over previous levels in the
number of phones that could be wiretapped. In previous years, there were
only about a thousand court-ordered wiretaps in the United States per year, at
the federal, state, and local levels combined. It’s hard to see how the
government could even employ enough judges to sign enough wiretap orders
to wiretap 1 percent of all our phone calls, much less hire enough federal
agents to sit and listen to all that traffic in real time. The only plausible way of
processing that amount of traffic is a massive Orwellian application of
automated voice recognition technology to sift through it all, searching for
interesting keywords or searching for a particular speaker’s voice. If the
government doesn’t find the target in the first 1 percent sample, the wiretaps
can be shifted over to a different 1 percent until the target is found, or until
everyone’s phone line has been checked for subversive traffic. The FBI says
they need this capacity to plan for the future. This plan sparked such outrage
that it was defeated in Congress, at least this time around, in 1995. But the
mere fact that the FBI even asked for these broad powers is revealing of their
agenda. And the defeat of this plan isn’t so reassuring when you consider that
the 1994 Digital Telephony bill was also defeated the first time it was
introduced, in 1993.
Advances in technology will not permit the maintenance of the status quo, as
far as privacy is concerned. The status quo is unstable. If we do nothing, new
technologies will give the government new automatic surveillance capabilities
that Stalin could never have dreamed of. The only way to hold the line on
privacy in the information age is strong cryptography.
You don’t have to distrust the government to want to use cryptography. Your
business can be wiretapped by business rivals, organized crime, or foreign
governments. Several foreign governments, for example, admit to using their
signals intelligence against companies from other countries to give their own
corporations a competitive edge. Ironically, the United States government’s
restrictions on cryptography have weakened U.S. corporate defenses against
foreign intelligence and organized crime.
The government knows what a pivotal role cryptography is destined to play
in the power relationship with its people. In April 1993, the Clinton
administration unveiled a bold new encryption policy initiative, which had
been under development at the National Security Agency (NSA) since the start
of the Bush administration. The centerpiece of this initiative was a
government-built encryption device, called the Clipper chip, containing a new
classified NSA encryption algorithm. The government tried to encourage
private industry to design it into all their secure communication products,
such as secure phones, secure faxes, and so on. AT&T put Clipper into its
secure voice products. The catch: At the time of manufacture, each Clipper
chip is loaded with its own unique key, and the government gets to keep a
copy, placed in escrow. Not to worry, though—the government promises that
they will use these keys to read your traffic only “when duly authorized by
law.” Of course, to make Clipper completely effective, the next logical step
would be to outlaw other forms of cryptography.
The government initially claimed that using Clipper would be voluntary, that
no one would be forced to use it instead of other types of cryptography. But
the public reaction against the Clipper chip has been strong, stronger than the
government anticipated. The computer industry has monolithically
proclaimed its opposition to using Clipper. FBI director Louis Freeh
responded to a question in a press conference in 1994 by saying that if Clipper
failed to gain public support, and FBI wiretaps were shut out by
non-government-controlled cryptography, his office would have no choice
but to seek legislative relief. Later, in the aftermath of the Oklahoma City
tragedy, Mr. Freeh testified before the Senate Judiciary Committee that public
availability of strong cryptography must be curtailed by the government
(although no one had suggested that cryptography was used by the bombers).
The Electronic Privacy Information Center (EPIC) obtained some revealing
documents under the Freedom of Information Act. In a briefing document
titled “Encryption: The Threat, Applications and Potential Solutions,” and
sent to the National Security Council in February 1993, the FBI, NSA, and
Department of Justice (DOJ) concluded that “Technical solutions, such as they
are, will only work if they are incorporated into all encryption products. To
ensure that this occurs, legislation mandating the use of
Government-approved encryption products or adherence to Government
encryption criteria is required.”
The government has a track record that does not inspire confidence that they
will never abuse our civil liberties. The FBI’s COINTELPRO program targeted
groups that opposed government policies. They spied on the antiwar
movement and the civil rights movement. They wiretapped the phone of
Martin Luther King Jr. Nixon had his enemies list. And then there was the
Watergate mess. Congress now seems intent on passing laws curtailing our
civil liberties on the Internet. At no time in the past century has public distrust
of the government been so broadly distributed across the political spectrum,
as it is today.
If we want to resist this unsettling trend in the government to outlaw
cryptography, one measure we can apply is to use cryptography as much as
we can now while it’s still legal. When use of strong cryptography becomes
popular, it’s harder for the government to criminalize it. Therefore, using PGP
is good for preserving democracy.
If privacy is outlawed, only outlaws will have privacy. Intelligence agencies
have access to good cryptographic technology. So do the big arms and drug
traffickers. But ordinary people and grassroots political organizations mostly
have not had access to affordable “military grade” public-key cryptographic
technology. Until now.
PGP empowers people to take their privacy into their own hands. There’s a
growing social need for it. That’s why I created it.
The PGP symmetric algorithms
PGP offers a selection of different secret key algorithms to encrypt the actual
message. By secret key algorithm, we mean a conventional, or symmetric,
block cipher that uses the same key to both encrypt and decrypt. The three
symmetric block ciphers offered by PGP are CAST, Triple-DES, and IDEA.
They are not “home-grown” algorithms. They were all developed by teams of
cryptographers with distinguished reputations.
For the cryptographically curious, all three ciphers operate on 64-bit blocks of
plaintext and ciphertext. CAST and IDEA have key sizes of 128 bits, while
Triple-DES uses a 168-bit key. Like Data Encryption Standard (DES), any of
these ciphers can be used in cipher feedback (CFB) and cipher block chaining
(CBC) modes. PGP uses them in 64-bit CFB mode.
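As an added example of the 64-bit CFB mode named above (illustration code, not PGP's implementation): the mode itself, its decryption, and how a transmission error in the ciphertext propagates. The Python standard library has none of CAST, IDEA or Triple-DES, so the block cipher is replaced by a keyed pseudo-random function built from HMAC-SHA256 truncated to 8 bytes; this is an assumption made for the demo and not a cipher, but CFB only ever calls the forward (encrypt) direction of the block function, so the mode's behaviour is shown faithfully. Key, IV and plaintext are constructed samples.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, as for CAST, IDEA and Triple-DES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k on one 64-bit block (assumption: not a real cipher).
    CFB never needs the inverse of E_k, so a keyed PRF serves for the demo."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV.
    A short final block simply uses fewer keystream bytes; no padding needed."""
    if len(iv) != BLOCK:
        raise ValueError("iv must be 8 bytes")
    out = bytearray()
    feedback = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        keystream = toy_block_encrypt(key, feedback)
        c = bytes(p ^ k for p, k in zip(chunk, keystream))
        out += c
        feedback = c                      # the ciphertext feeds the shift register
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Mirror image: P_i = C_i XOR E_k(C_{i-1}); still only the encrypt direction."""
    if len(iv) != BLOCK:
        raise ValueError("iv must be 8 bytes")
    out = bytearray()
    feedback = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        keystream = toy_block_encrypt(key, feedback)
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        feedback = chunk
    return bytes(out)


# Constructed sample inputs.
KEY = b"0123456789abcdef"                        # 128-bit key, as for CAST or IDEA
IV = bytes(range(BLOCK))
PLAINTEXT = b"Sample plaintext for CFB mode!!!"   # exactly four 8-byte blocks


def error_propagation(flip_byte: int = 8):
    """Flip one bit of the ciphertext and report, block by block, whether the
    decrypted text still matches. In CFB a damaged ciphertext block spoils the
    same bit of its own block and the whole of the next block, then the mode
    resynchronises on its own."""
    ct = bytearray(cfb_encrypt(KEY, IV, PLAINTEXT))
    ct[flip_byte] ^= 0x01
    pt = cfb_decrypt(KEY, IV, bytes(ct))
    return [pt[i:i + BLOCK] == PLAINTEXT[i:i + BLOCK]
            for i in range(0, len(PLAINTEXT), BLOCK)]


if __name__ == "__main__":
    ct = cfb_encrypt(KEY, IV, PLAINTEXT)
    print("round trip ok:", cfb_decrypt(KEY, IV, ct) == PLAINTEXT)
    print("blocks intact after a one-bit error in block 1:", error_propagation())
```

The limited error propagation is also why CFB offers no integrity on its own: a flipped ciphertext bit flips exactly the corresponding plaintext bit in that block, which is one reason PGP relies on a signed message digest rather than the cipher to detect tampering.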
I included the CAST encryption algorithm in PGP because it shows promise as
a good block cipher with a 128-bit key size, it’s very fast, and it’s free. Its name
is derived from the initials of its designers, Carlisle Adams and Stafford
Tavares of Northern Telecom (Nortel). Nortel has applied for a patent for
CAST, but they have made a commitment in writing to make CAST available
to anyone on a royalty-free basis. CAST appears to be exceptionally well
designed, by people with good reputations in the field. The design is based on
a very formal approach, with a number of formally provable assertions that
give good reasons to believe that it probably requires key exhaustion to break
its 128-bit key. CAST has no weak or semiweak keys. There are strong
arguments that CAST is completely immune to both linear and differential
cryptanalysis, the two most powerful forms of cryptanalysis in the published
literature, both of which have been effective in cracking DES. CAST is too new
to have developed a long track record, but its formal design and the good
reputations of its designers will undoubtedly attract the attentions and
attempted cryptanalytic attacks of the rest of the academic cryptographic
community. I’m getting nearly the same preliminary gut feeling of confidence
from CAST that I got years ago from IDEA, the cipher I selected for use in
earlier versions of PGP. At that time, IDEA was also too new to have a track
record, but it has held up well.
The IDEA (International Data Encryption Algorithm) block cipher is based on
the design concept of “mixing operations from different algebraic groups.” It
was developed at ETH in Zurich by James L. Massey and Xuejia Lai, and
published in 1990. Early published papers on the algorithm called it IPES
(Improved Proposed Encryption Standard), but they later changed the name
to IDEA. So far, IDEA has resisted attack much better than other ciphers such
as FEAL, REDOC-II, LOKI, Snefru and Khafre. And IDEA is more resistant
than DES to Biham and Shamir’s highly successful differential cryptanalysis
attack, as well as attacks from linear cryptanalysis. As this cipher continues to
attract attack efforts from the most formidable quarters of the cryptanalytic
world, confidence in IDEA is growing with the passage of time. Sadly, the
biggest obstacle to IDEA’s acceptance as a standard has been the fact that
Ascom Systec holds a patent on its design, and unlike DES and CAST, IDEA
has not been made available to everyone on a royalty-free basis.
As a hedge, PGP includes three-key Triple-DES in its repertoire of available
block ciphers. The DES was developed by IBM in the mid-1970s. While it has
a good design, its 56-bit key size is too small by today’s standards. Triple-DES
is very strong, and has been well studied for many years, so it might be a safer
bet than the newer ciphers such as CAST and IDEA. Triple-DES is the DES
applied three times to the same block of data, using three different keys, except
that the second DES operation is run backwards, in decrypt mode. While
Triple-DES is much slower than either CAST or IDEA, speed is usually not
critical for email applications. Although Triple-DES uses a key size of 168 bits,
it appears to have an effective key strength of at least 112 bits against an
attacker with impossibly immense data storage capacity to use in the attack.
According to a paper presented by Michael Wiener at Crypto96, any remotely
plausible amount of data storage available to the attacker would enable an
attack that would require about as much work as breaking a 129-bit key.
Triple-DES is not encumbered by any patents.
PGP public keys that were generated by PGP Version 5.0 or later have
information embedded in them that tells a sender what block ciphers are
understood by the recipient’s software, so that the sender’s software knows
which ciphers can be used to encrypt. Diffie-Hellman/DSS public keys accept
CAST, IDEA, or Triple-DES as the block cipher, with CAST as the default
selection. At present, for compatibility reasons, RSA keys do not provide this
feature. Only the IDEA cipher is used by PGP to send messages to RSA keys,
because older versions of PGP only supported RSA and IDEA.
About PGP data compression routines
PGP normally compresses the plaintext before encrypting it, because it’s too
late to compress the plaintext after it has been encrypted; encrypted data is not
compressible. Data compression saves modem transmission time and disk
space and, more importantly, strengthens cryptographic security. Most
cryptanalysis techniques exploit redundancies found in the plaintext to crack
the cipher. Data compression reduces this redundancy in the plaintext,
thereby greatly enhancing resistance to cryptanalysis. It takes extra time to
compress the plaintext, but from a security point of view it’s worth it.
Files that are too short to compress, or that just don’t compress well, are not
compressed by PGP. In addition, the program recognizes files produced by
most popular compression programs, such as PKZIP, and does not try to
compress a file that has already been compressed.
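As an added example (written for this page; not PGP's compression code), the decision rule the two paragraphs above describe: compress before encrypting, but leave alone data that is too short, that already carries the signature of a common compressed format, or that would not shrink. Random bytes stand in for ciphertext to show why compressing after encryption gains nothing. The length threshold, the set of recognised signatures and the sample inputs are assumptions.

```python
import os
import zlib

MIN_LEN = 64  # assumed threshold for "too short to compress"; the manual names none

# Leading bytes of files produced by popular compressors: PKZIP local file
# header and gzip. Such files are passed through untouched.
COMPRESSED_MAGIC = {b"PK\x03\x04": "PKZIP", b"\x1f\x8b": "gzip"}

# Random bytes stand in for ciphertext: once encrypted, data has no
# redundancy left for a compressor to remove (constructed sample).
INCOMPRESSIBLE_SAMPLE = os.urandom(4096)


def already_compressed(data: bytes):
    """Name of the compressed format whose signature starts the data, else None."""
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def prepare_plaintext(data: bytes):
    """Decide, before encryption, whether to compress.
    Returns (payload, reason); the reason says why compression was or was not applied."""
    if len(data) < MIN_LEN:
        return data, "too short"
    fmt = already_compressed(data)
    if fmt:
        return data, "already " + fmt
    packed = zlib.compress(data, 9)
    if len(packed) >= len(data):       # zlib stores incompressible input with overhead
        return data, "did not shrink"
    return packed, "compressed"


def restore(payload: bytes, reason: str) -> bytes:
    """Undo prepare_plaintext after decryption."""
    return zlib.decompress(payload) if reason == "compressed" else payload


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; above 1.0 means compression hurt."""
    return len(zlib.compress(data, 9)) / len(data)


if __name__ == "__main__":
    text = b"The quick brown fox jumps over the lazy dog. " * 40
    print("text:      ", prepare_plaintext(text)[1], round(compression_ratio(text), 3))
    print("ciphertext:", prepare_plaintext(INCOMPRESSIBLE_SAMPLE)[1],
          round(compression_ratio(INCOMPRESSIBLE_SAMPLE), 3))
```

The reason string travels with the payload only in this demo; in a real format the receiver learns whether the data was compressed from a flag in the message itself.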
For the technically curious, the program uses the freeware ZIP compression
routines written by Jean-Loup Gailly, Mark Adler, and Richard B. Wales. This
ZIP software uses compression algorithms that are functionally equivalent to
those used by PKWare’s PKZIP 2.x. This ZIP compression software was
selected for PGP mainly because it has a really good compression ratio and
because it’s fast.
About the random numbers used as session keys
PGP uses a cryptographically strong pseudo-random-number generator for
creating temporary session keys. The generator’s state is kept in a random seed
file. If this random seed file does not exist, it is automatically created and
seeded with truly random numbers derived from random events gathered by
the PGP program from the timing of your keystrokes and mouse movements.
This generator reseeds the seed file each time it is used, by mixing in new
material partially derived from the time of day and other truly random
sources. It uses the conventional encryption algorithm as an engine for the
random number generator. The seed file contains both random seed material
and random key material used to key the conventional encryption engine for
the random generator.
This random seed file should be protected from disclosure, to reduce the risk
of an attacker deriving your next or previous session keys. The attacker would
have a very hard time getting anything useful from capturing this random
seed file, because the file is cryptographically laundered before and after each
use. Nonetheless, it seems prudent to try to keep it from falling into the wrong
hands. If possible, make the file readable only by you. If this is not possible,
don’t let other people indiscriminately copy disks from your computer.
About the message digest
The message digest is a compact (160-bit or 128-bit) “distillate” of your
message or file checksum. You can also think of it as a “fingerprint” of the
message or file. The message digest “represents” your message, in such a way
that if the message were altered in any way, a different message digest would
be computed from it. This makes it possible to detect any changes made to the
message by a forger. A message digest is computed using a cryptographically
strong one-way hash function of the message. It should be computationally
infeasible for an attacker to devise a substitute message that would produce an
identical message digest. In that respect, a message digest is much better than
a checksum, because it is easy to devise a different message that would
produce the same checksum. But like a checksum, you can’t derive the original
message from its message digest.
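As an added example (illustration code, not from the manual or PGP): the difference between a checksum and a message digest, shown on two constructed messages. The second message only reorders bytes of the first, so any additive checksum agrees while the meaning has changed; a cryptographic digest separates them. The digest lengths quoted in the text (160 bits for SHA-1, 128 for MD5) are read off the hash functions themselves. The byte-sum checksum and the sample messages are assumptions.

```python
import hashlib
import hmac


def simple_checksum(data: bytes) -> int:
    """The kind of checksum the text contrasts with a digest: a 16-bit byte sum."""
    return sum(data) & 0xFFFF


def digest(data: bytes, algorithm: str = "sha1") -> bytes:
    return hashlib.new(algorithm, data).digest()


def digest_bits(algorithm: str) -> int:
    """Digest length in bits: 160 for SHA-1, 128 for MD5."""
    return hashlib.new(algorithm).digest_size * 8


def checksum_collides(a: bytes, b: bytes) -> bool:
    """True when two different messages share the same checksum."""
    return a != b and simple_checksum(a) == simple_checksum(b)


def digest_collides(a: bytes, b: bytes, algorithm: str = "sha1") -> bool:
    """Same test for a digest; expected to be False for any pair one can build."""
    return a != b and digest(a, algorithm) == digest(b, algorithm)


def verify_digest(message: bytes, expected_hex: str, algorithm: str = "sha1") -> bool:
    """Check a received message against a digest obtained separately (in PGP it
    is carried inside the signature). Constant-time comparison of the hex form."""
    return hmac.compare_digest(digest(message, algorithm).hex(), expected_hex.lower())


# Constructed messages: the second merely reorders bytes of the first, so every
# additive checksum agrees, yet the amount has changed.
ORIGINAL = b"Pay Alice 120 dollars"
REORDERED = b"Pay Alice 210 dollars"

if __name__ == "__main__":
    print("byte-sum checksum fooled by reordering:", checksum_collides(ORIGINAL, REORDERED))
    print("SHA-1 digest fooled by reordering:     ", digest_collides(ORIGINAL, REORDERED))
    print("digest sizes (bits):", digest_bits("sha1"), digest_bits("md5"))
```

The last point in the text, that the digest does not reveal the message, is what lets a signature carry the digest openly: anyone can recompute it from the message they received, but nobody can work backwards from it.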
The message digest algorithm now used in PGP (Version 5.0 and later) is
called SHA, which stands for Secure Hash Algorithm, designed by the NSA
for the National Institute of Standards and Technology (NIST). SHA is a
160-bit hash algorithm. Some people might regard anything from the NSA
with suspicion, because the NSA is in charge of intercepting communications
and breaking codes. But keep in mind that the NSA has no interest in forging
signatures, and the government would benefit from a good unforgeable
digital signature standard that would preclude anyone from repudiating their
signatures. That has distinct benefits for law enforcement and intelligence
gathering. Also, SHA has been published in the open literature and has been
extensively peer-reviewed by most of the best cryptographers in the world
who specialize in hash functions, and the unanimous opinion is that SHA is
extremely well designed. It has some design innovations that overcome all the
observed weaknesses in message digest algorithms previously published by
academic cryptographers. All new versions of PGP use SHA as the message
digest algorithm for creating signatures with the new DSS keys that comply
with the NIST Digital Signature Standard. For compatibility reasons, new
versions of PGP still use MD5 for RSA signatures, because older versions of
PGP used MD5 for RSA signatures.
The message digest algorithm used by older versions of PGP is the MD5
Message Digest Algorithm, placed in the public domain by RSA Data Security,
Inc. MD5 is a 128-bit hash algorithm. In 1996, MD5 was all but broken by a
German cryptographer, Hans Dobbertin. Although MD5 was not completely
broken at that time, it was discovered to have such serious weaknesses that no
one should keep using it to generate signatures. Further work in this area
might completely break it, allowing signatures to be forged. If you don’t want
to someday find your PGP digital signature on a forged confession, you might
be well advised to migrate to the new PGP DSS keys as your preferred method
for making digital signatures, because DSS uses SHA as its secure hash
algorithm.
How to protect public keys from tampering
In a public key cryptosystem, you don’t have to protect public keys from
exposure. In fact, it’s better if they are widely disseminated. But it’s important
to protect public keys from tampering, to make sure that a public key really
belongs to the person to whom it appears to belong. This may be the most
important vulnerability of a public key cryptosystem. Let’s first look at a
potential disaster, then describe how to safely avoid it with PGP.
Suppose you want to send a private message to Alice. You download Alice’s
public key certificate from an electronic bulletin board system (BBS). You
encrypt your letter to Alice with this public key and send it to her through the
BBS’s email facility.
Unfortunately, unbeknownst to you or Alice, another user named Charlie has
infiltrated the BBS and generated a public key of his own with Alice’s user ID
attached to it. He covertly substitutes his bogus key in place of Alice’s real
public key. You unwittingly use this bogus key belonging to Charlie instead of
Alice’s public key. All looks normal because this bogus key has Alice’s user ID.
Now Charlie can decipher the message intended for Alice because he has the
matching private key. He may even reencrypt the deciphered message with
Alice’s real public key and send it on to her so that no one suspects any
wrongdoing. Furthermore, he can even make apparently good signatures
from Alice with this private key because everyone will use the bogus public
key to check Alice’s signatures.
The only way to prevent this disaster is to prevent anyone from tampering
with public keys. If you got Alice’s public key directly from Alice, this is no
problem. But that may be difficult if Alice is a thousand miles away or is
currently unreachable.
Perhaps you could get Alice’s public key from a mutually trusted friend,
David, who knows he has a good copy of Alice’s public key. David could sign
Alice’s public key, vouching for the integrity of Alice’s public key. David
would create this signature with his own private key.
This would create a signed public key certificate, and would show that Alice’s
key had not been tampered with. This requires that you have a known good
copy of David’s public key to check his signature. Perhaps David could
provide Alice with a signed copy of your public key also. David is thus serving
as an “Introducer” between you and Alice.
This signed public key certificate for Alice could be uploaded by David or
Alice to the BBS, and you could download it later. You could then check the
signature via David’s public key and thus be assured that this is really Alice’s
public key. No impostor can fool you into accepting his own bogus key as
Alice’s because no one else can forge signatures made by David.
A widely trusted person could even specialize in providing this service of
“introducing” users to each other by providing signatures for their public key
certificates. This trusted person could be regarded as a “Certifying Authority.”
Any public key certificates bearing the Certifying Authority’s signature could
be trusted as truly belonging to the person to whom they appear to belong.
All users who wanted to participate would need a known good copy of just the
Certifying Authority’s public key, so that the Certifying Authority’s
signatures could be verified. In some cases, the Certifying Authority may also
act as a key server, allowing users on a network to look up public keys by
asking the key server, but there is no reason why a key server must also certify
keys.
A trusted centralized Certifying Authority is especially appropriate for large
impersonal centrally-controlled corporate or government institutions. Some
institutional environments use hierarchies of Certifying Authorities.
For more decentralized environments, allowing all users to act as trusted
introducers for their friends would probably work better than a centralized
key certification authority.
One of the attractive features of PGP is that it can operate equally well in a
centralized environment with a Certifying Authority or in a more
decentralized environment where individuals exchange personal keys.
This whole business of protecting public keys from tampering is the single
most difficult problem in practical public key applications. It is the “Achilles’
heel” of public key cryptography, and a lot of software complexity is tied up
in solving this one problem.
You should use a public key only after you are sure that it is a good public key
that has not been tampered with, and that it actually belongs to the person
with whom it purports to be associated. You can be sure of this if you got this
public key certificate directly from its owner, or if it bears the signature of
someone else that you trust, from whom you already have a good public key.
Also, the user ID should have the full name of the key’s owner, not just her first
name.
No matter how tempted you are, you should never give in to expediency and
trust a public key you downloaded from a bulletin board, unless it is signed
by someone you trust. That uncertified public key could have been tampered
with by anyone, maybe even by the system administrator of the bulletin board.
If you are asked to sign someone else’s public key certificate, make certain that
it really belongs to the person named in the user ID of that public key
certificate. This is because your signature on her public key certificate is a
promise by you that this public key really belongs to her. Other people who
trust you will accept her public key because it bears your signature. It can be
ill-advised to rely on hearsay—don’t sign her public key unless you have
independent first-hand knowledge that it really belongs to her. Preferably you
should sign it only if you got it directly from her.
In order to sign a public key, you must be far more certain of that key’s
ownership than if you merely want to use that key to encrypt a message. To be
convinced of a key’s validity enough to use it, certifying signatures from
trusted introducers should suffice. But to sign a key yourself, you should
require your own independent first-hand knowledge of who owns that key.
Perhaps you could call the key’s owner on the phone and read the key
fingerprint to her, to confirm that the key you have is really her key—and
make sure you really are talking to the right person.
Bear in mind that your signature on a public key certificate does not vouch for
the integrity of that person, but only vouches for the integrity (the ownership)
of that person’s public key. You aren’t risking your credibility by signing the
public key of a sociopath, if you are completely confident that the key really
belongs to him. Other people would accept that key as belonging to him
because you signed it (assuming they trust you), but they wouldn’t trust that
key’s owner. Trusting a key is not the same as trusting the key’s owner.
It would be a good idea to keep your own public key on hand with a collection
of certifying signatures attached from a variety of “introducers,” in the hope
that most people will trust at least one of the introducers who vouch for the
validity of your public key. You could post your key with its attached
collection of certifying signatures on various electronic bulletin boards. If you
sign someone else’s public key, return it to them with your signature so that
they can add it to their own collection of credentials for their own public key.
Make sure that no one else can tamper with your own public keyring.
Checking a newly signed public key certificate must ultimately depend on the
integrity of the trusted public keys that are already on your own public
keyring. Maintain physical control of your public keyring, preferably on your
own personal computer rather than on a remote time-sharing system, just as
you would do for your private key. This is to protect it from tampering, not
from disclosure. Keep a trusted backup copy of your public keyring and your
private key on write-protected media.
Since your own trusted public key is used as a final authority to directly or
indirectly certify all the other keys on your keyring, it is the most important
key to protect from tampering. You may want to keep a backup copy on a
write-protected floppy disk.
PGP generally assumes that you will maintain physical security over your
system and your keyrings, as well as your copy of PGP itself. If an intruder can
tamper with your disk, then in theory he can tamper with the program itself,
rendering moot the safeguards the program may have to detect tampering
with keys.
One somewhat complicated way to protect your own whole public keyring
from tampering is to sign the whole ring with your own private key. You could
do this by making a detached signature certificate of the public keyring.
How does PGP keep track of which keys are valid?
Before you read this section, you should read the previous section, “How to
protect public keys from tampering.”
PGP keeps track of which keys on your public keyring are properly certified
with signatures from introducers that you trust. All you have to do is tell PGP
which people you trust as introducers, and certify their keys yourself with
your own ultimately trusted key. PGP can take it from there, automatically
validating any other keys that have been signed by your designated
introducers. And of course you can directly sign more keys yourself.
There are two entirely separate criteria that PGP uses to judge a public key’s
usefulness—don’t get them confused:
1. Does the key actually belong to the person to whom it appears to belong?
In other words, has it been certified with a trusted signature?
2. Does it belong to someone you can trust to certify other keys?
PGP can calculate the answer to the first question. To answer the second
question, you must tell PGP explicitly. When you supply the answer to
question 2, PGP can then calculate the answer to question 1 for other keys
signed by the introducer you designated as trusted.
Keys that have been certified by a trusted introducer are deemed valid by PGP.
The keys belonging to trusted introducers must themselves be certified either
by you or by other trusted introducers.
PGP also allows for the possibility of your having several shades of trust for
people to act as introducers. Your trust for a key’s owner to act as an
introducer does not just reflect your estimation of their personal integrity—it
should also reflect how competent you think they are at understanding key
management and using good judgment in signing keys. You can designate a
person as untrusted, marginally trusted, or completely trusted to certify other
public keys. This trust information is stored on your keyring with their key,
but when you tell PGP to copy a key off your keyring, PGP does not copy the
trust information along with the key, because your private opinions on trust
are regarded as confidential.
When PGP is calculating the validity of a public key, it examines the trust level
of all the attached certifying signatures. It computes a weighted score of
validity—for example, two marginally trusted signatures are deemed to be as
credible as one fully trusted signature. The program’s skepticism is
adjustable—for example, you can tune PGP to require two fully trusted
signatures or three marginally trusted signatures to judge a key as valid.
Your own key is “axiomatically” valid to PGP, needing no introducer’s
signature to prove its validity. PGP knows which public keys are yours by
looking for the corresponding private keys on the private keyring. PGP also
assumes that you completely trust yourself to certify other keys.
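The validity calculation described in this section, written out as an added Python example (not PGP’s own code): a keyring records each key’s certifying signatures and your private trust setting for its owner, your own keys are axiomatically valid, and a key becomes valid once the signatures from already-valid, trusted introducers meet the adjustable threshold. The keyring contents are constructed; the exact rule for combining complete and marginal signatures (completes/completes_needed + marginals/marginals_needed reaching 1, so that with the defaults two marginal signatures equal one complete one) is an assumption of this example.

```python
from dataclasses import dataclass, field

# Trust levels you can assign to a key's owner as an introducer.
UNTRUSTED, MARGINAL, COMPLETE = "untrusted", "marginal", "complete"


@dataclass
class KeyEntry:
    owner: str                                 # user ID attached to the public key
    signers: set = field(default_factory=set)  # key ids whose certifying signatures are attached
    trust: str = UNTRUSTED                     # your private opinion of the owner as an introducer


class Keyring:
    def __init__(self, own_keys):
        self.keys = {}                   # key id -> KeyEntry
        self.own_keys = set(own_keys)    # keys whose private halves are on your private keyring

    def add_key(self, key_id, owner, signers=(), trust=UNTRUSTED):
        self.keys[key_id] = KeyEntry(owner, set(signers), trust)

    def introducer_trust(self, key_id):
        """You completely trust yourself; everyone else gets the level you assigned."""
        if key_id in self.own_keys:
            return COMPLETE
        return self.keys[key_id].trust

    def compute_validity(self, completes_needed=1, marginals_needed=2):
        """Return the set of valid key ids.

        A signature counts only if the signer's key is itself already valid
        (question 1) and you trust its owner as an introducer (question 2).
        The weighted rule completes/completes_needed + marginals/marginals_needed
        >= 1 is evaluated in integers below (assumed combining rule).  Iterating
        to a fixed point lets validity flow through chains of introducers.
        """
        valid = set(self.own_keys)       # own keys are axiomatically valid
        changed = True
        while changed:
            changed = False
            for key_id, entry in self.keys.items():
                if key_id in valid:
                    continue
                completes = marginals = 0
                for signer in entry.signers:
                    if signer not in valid:
                        continue         # an unvalidated or unknown introducer counts for nothing
                    level = self.introducer_trust(signer)
                    if level == COMPLETE:
                        completes += 1
                    elif level == MARGINAL:
                        marginals += 1
                score = completes * marginals_needed + marginals * completes_needed
                if score >= completes_needed * marginals_needed:
                    valid.add(key_id)
                    changed = True
        return valid

    def export_key(self, key_id):
        """What leaves the keyring: the key, its user ID and its signatures,
        but never your trust setting, which stays private."""
        entry = self.keys[key_id]
        return {"key_id": key_id, "owner": entry.owner, "signers": sorted(entry.signers)}


def build_sample_keyring():
    """Constructed keyring for this example."""
    ring = Keyring(own_keys={"me"})
    ring.add_key("me", "Me <me@example.org>")
    ring.add_key("david", "David", signers={"me"}, trust=COMPLETE)  # my trusted introducer
    ring.add_key("alice", "Alice", signers={"david"})                # certified by David
    ring.add_key("bob", "Bob", signers={"david"}, trust=MARGINAL)
    ring.add_key("carol", "Carol", signers={"me"}, trust=MARGINAL)
    ring.add_key("erin", "Erin", signers={"bob", "carol"})           # two marginal introducers
    ring.add_key("charlie", "Alice", signers={"mallory"})            # bogus key, unknown signer
    ring.add_key("frank", "Frank", signers={"alice"})                # Alice is valid but not trusted
    return ring


if __name__ == "__main__":
    ring = build_sample_keyring()
    print("default  :", sorted(ring.compute_validity()))
    print("skeptical:", sorted(ring.compute_validity(completes_needed=2, marginals_needed=3)))
    print("exported :", ring.export_key("david"))
```

With the skeptical setting (two complete or three marginal signatures required) nothing but your own key is valid on this small ring, which is exactly the adjustable skepticism the text describes.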
As time goes on, you will accumulate keys from other people whom you may
want to designate as trusted introducers. Everyone else will choose their own
trusted introducers. And everyone will gradually accumulate and distribute
with their key a collection of certifying signatures from other people, with the
expectation that anyone receiving it will trust at least one or two of the
signatures. This will cause the emergence of a decentralized fault-tolerant web
of confidence for all public keys.
This unique grass-roots approach contrasts sharply with standard public key
management schemes developed by government and other monolithic
institutions, such as Internet Privacy Enhanced Mail (PEM), which are based
on centralized control and mandatory centralized trust. The standard schemes
rely on a hierarchy of Certifying Authorities who dictate who you must trust.
The program’s decentralized probabilistic method for determining public key
legitimacy is the centerpiece of its key management architecture. PGP lets you
alone choose who you trust, putting you at the top of your own private
certification pyramid. PGP is for people who prefer to pack their own
parachutes.
Note that while this decentralized, grass-roots approach is emphasized here,
it does not mean that PGP does not perform equally well in the more
hierarchical, centralized public key management schemes. Large corporate
users, for example, will probably want a central figure or person who signs all
the employees’ keys. PGP handles that centralized scenario as a special
degenerate case of PGP’s more generalized trust model.
How to protect private keys from disclosure
Protect your own private key and your passphrase very carefully. If your
private key is ever compromised, you’d better get the word out quickly to all
interested parties before someone else uses it to make signatures in your name.
For example, someone could use it to sign bogus public key certificates, which
could create problems for many people, especially if your signature is widely
trusted. And of course, a compromise of your own private key could expose
all messages sent to you.
To protect your private key, you can start by always keeping physical control
of it. Keeping it on your personal computer at home is OK, or keep it in your
notebook computer that you can carry with you. If you must use an office
computer that you don’t always have physical control of, then keep your
public and private keyrings on a write-protected removable floppy disk, and
don’t leave it behind when you leave the office. It wouldn’t be a good idea to
allow your private key to reside on a remote timesharing computer, such as a
remote dial-in UNIX system. Someone could eavesdrop on your modem line
and capture your passphrase and then obtain your actual private key from the
remote system. You should only use your private key on a machine that is
under your physical control.
Don’t store your passphrase anywhere on the computer that has your private
key file. Storing both the private key and the passphrase on the same computer
is as dangerous as keeping your PIN in the same wallet as your Automatic
Teller Machine bank card. You don’t want somebody to get their hands on
your disk containing both the passphrase and the private key file. It would be
most secure if you just memorize your passphrase and don’t store it anywhere
but your brain. If you feel you must write down your passphrase, keep it well
protected, perhaps even better protected than the private key file.
And keep backup copies of your private key—remember, you have the only
copy of your private key, and losing it will render useless all the copies of your
public key that you have spread throughout the world.
The decentralized noninstitutional approach that PGP supports for
management of public keys has its benefits, but unfortunately it also means
that you can’t rely on a single centralized list of which keys have been
compromised. This makes it a bit harder to contain the damage of a private key
compromise. You just have to spread the word and hope that everyone hears
about it.
If the worst case happens—your private key and passphrase are both
compromised (hopefully you will find this out somehow)—you will have to
issue a “key revocation” certificate. This kind of certificate is used to warn
other people to stop using your public key. You can use PGP to create such a
certificate by using the Revoke command from the PGPkeys menu or by
having your Designated Revoker do it for you. Then you must send this to a
certificate server so others can find it. Their own PGP software installs this key
revocation certificate on their public keyrings and automatically prevents
them from accidentally using your public key ever again. You can then
generate a new private/public key pair and publish the new public key. You
could send out one package containing both your new public key and the key
revocation certificate for your old key.
What if you lose your private key?
Normally, if you want to revoke your own private key, you can use the Revoke
command from the PGPkeys menu to issue a revocation certificate, signed
with your own private key.
But what can you do if you lose your private key, or if your private key is
destroyed? You can’t revoke it yourself, because you must use your own
private key to revoke it, and you don’t have it anymore. If you do not have a
Designated Revoker for your key, someone specified in PGP who can revoke
the key on your behalf, you must ask each person who signed your key to
retire his or her certification. Then anyone attempting to use your key based
on the trust of one of your introducers will know not to trust your public key.
For more information on Designated Revokers, see the PGP User’s Guide.
Beware of snake oil
When examining a cryptographic software package, the question always
remains, why should you trust this product? Even if you examined the source
code yourself, not everyone has the cryptographic experience to judge the
security. Even if you are an experienced cryptographer, subtle weaknesses in
the algorithms could still elude you.
When I was in college in the early seventies, I devised what I believed was a
brilliant encryption scheme. A simple pseudorandom number stream was
added to the plaintext stream to create ciphertext. This would seemingly
thwart any frequency analysis of the ciphertext, and would be uncrackable
even to the most resourceful government intelligence agencies. I felt so smug
about my achievement.
Years later, I discovered this same scheme in several introductory
cryptography texts and tutorial papers. How nice. Other cryptographers had
thought of the same scheme. Unfortunately, the scheme was presented as a
simple homework assignment on how to use elementary cryptanalytic
techniques to trivially crack it. So much for my brilliant scheme.
From this humbling experience I learned how easy it is to fall into a false sense
of security when devising an encryption algorithm. Most people don’t realize
how fiendishly difficult it is to devise an encryption algorithm that can
withstand a prolonged and determined attack by a resourceful opponent.
Many mainstream software engineers have developed equally naive
encryption schemes (often even the very same encryption scheme), and some
of them have been incorporated into commercial encryption software
packages and sold for good money to thousands of unsuspecting users.
This is like selling automotive seat belts that look good and feel good, but snap
open in the slowest crash test. Depending on them may be worse than not
wearing seat belts at all. No one suspects they are bad until a real crash.
Depending on weak cryptographic software may cause you to unknowingly
place sensitive information at risk when you might not otherwise have done
so if you had no cryptographic software at all. Perhaps you may never even
discover that your data has been compromised.
Sometimes commercial packages use the Federal Data Encryption Standard
(DES), a fairly good conventional algorithm recommended by the government
for commercial use (but not for classified information, oddly
enough—Hmmm). There are several “modes of operation” that DES can use,
some of them better than others. The government specifically recommends not
using the weakest simplest mode for messages, the Electronic Codebook
(ECB) mode. But they do recommend the stronger and more complex Cipher
Feedback (CFB) and Cipher Block Chaining (CBC) modes.
Unfortunately, most of the commercial encryption packages I’ve looked at use
ECB mode. When I’ve talked to the authors of a number of these
implementations, they say they’ve never heard of CBC or CFB modes, and
don’t know anything about the weaknesses of ECB mode. The very fact that
they haven’t even learned enough cryptography to know these elementary
concepts is not reassuring. And they sometimes manage their DES keys in
inappropriate or insecure ways. Also, these same software packages often
include a second faster encryption algorithm that can be used instead of the
slower DES. The author of the package often thinks his proprietary faster
algorithm is as secure as DES, but after questioning him I usually discover that
it’s just a variation of my own brilliant scheme from college days. Or maybe he
won’t even reveal how his proprietary encryption scheme works, but assures
me it’s a brilliant scheme and I should trust it. I’m sure he believes that his
algorithm is brilliant, but how can I know that without seeing it?
In fairness I must point out that in most cases these terribly weak products do
not come from companies that specialize in cryptographic technology.
Even the really good software packages, that use DES in the correct modes of
operation, still have problems. Standard DES uses a 56-bit key, which is too
small by today’s standards, and can now be easily broken by exhaustive key
searches on special high-speed machines. The DES has reached the end of its
useful life, and so has any software package that relies on it.
There is a company called AccessData (http://www.accessdata.com) that
sells a very low-cost package that cracks the built-in encryption schemes used
by WordPerfect, Lotus 1-2-3, MS Excel, Symphony, Quattro Pro, Paradox, MS
Word, and PKZIP. It doesn’t simply guess passwords—it does real
cryptanalysis. Some people buy it when they forget their password for their
own files. Law enforcement agencies buy it too, so they can read files they
seize. I talked to Eric Thompson, the author, and he said his program only
takes a split second to crack them, but he put in some delay loops to slow it
down so it doesn’t look so easy to the customer.
In the secure telephone arena, your choices look bleak. The leading contender
is the STU-III (Secure Telephone Unit), made by Motorola and AT&T for
$2,000 to $3,000, and used by the government for classified applications. It has
strong cryptography, but requires some sort of special license from the
government to buy this strong version. A commercial version of the STU-III is
available that is watered down for NSA’s convenience, and an export version
is available that is even more severely weakened. Then there is the $1,200
AT&T Surity 3600, which uses the government’s famous Clipper chip for
encryption, with keys escrowed with the government for the convenience of
wiretappers. Then, of course, there are the analog (nondigital) voice
scramblers that you can buy from the spy-wannabe catalogs, that are really
useless toys as far as cryptography is concerned, but are sold as “secure”
communications products to customers who just don’t know any better.
In some ways, cryptography is like pharmaceuticals. Its integrity may be
absolutely crucial. Bad penicillin looks the same as good penicillin. You can
tell if your spreadsheet software is wrong, but how do you tell if your
cryptography package is weak? The ciphertext produced by a weak
encryption algorithm looks as good as ciphertext produced by a strong
encryption algorithm. There’s a lot of snake oil out there. A lot of quack cures.
Unlike the patent medicine hucksters of old, these software implementors
usually don’t even know their stuff is snake oil. They may be good software
engineers, but they usually haven’t even read any of the academic literature in
cryptography. But they think they can write good cryptographic software.
And why not? After all, it seems intuitively easy to do so. And their software
seems to work OK.
Anyone who thinks they have devised an unbreakable encryption scheme
either is an incredibly rare genius or is naive and inexperienced.
Unfortunately, I sometimes have to deal with would-be cryptographers who
want to make “improvements” to PGP by adding encryption algorithms of
their own design.
I remember a conversation with Brian Snow, a highly placed senior
cryptographer with the NSA. He said he would never trust an encryption
algorithm designed by someone who had not “earned their bones” by first
spending a lot of time cracking codes. That made a lot of sense. I observed that
practically no one in the commercial world of cryptography qualifies under
this criterion. “Yes,” he said with a self-assured smile, “And that makes our job
at NSA so much easier.” A chilling thought. I didn’t qualify either.
The government has peddled snake oil too. After World War II, the United
States sold German Enigma ciphering machines to third-world governments.
But they didn’t tell them that the Allies cracked the Enigma code during the
war, a fact that remained classified for many years. Even today many UNIX
systems worldwide use the Enigma cipher for file encryption, in part because
the government has created legal obstacles against using better algorithms.
They even tried to prevent the initial publication of the RSA algorithm in 1977.
And they have for many years squashed essentially all commercial efforts to
develop effective secure telephones for the general public.
The principal job of the United States government’s National Security Agency
is to gather intelligence, principally by covertly tapping into people’s private
communications (see James Bamford’s book, The Puzzle Palace). The NSA has
amassed considerable skill and resources for cracking codes. When people
can’t get good cryptography to protect themselves, it makes NSA’s job much
easier. NSA also has the responsibility of approving and recommending
encryption algorithms. Some critics charge that this is a conflict of interest, like
putting the fox in charge of guarding the hen house. In the 1980s, NSA had
been pushing a conventional encryption algorithm that they designed (the
COMSEC Endorsement Program), and they won’t tell anybody how it works
because that’s classified. They wanted others to trust it and use it. But any
cryptographer can tell you that a well-designed encryption algorithm does not
have to be classified to remain secure. Only the keys should need protection.
How does anyone else really know if NSA’s classified algorithm is secure? It’s
not that hard for NSA to design an encryption algorithm that only they can
crack, if no one else can review the algorithm.
There are three main factors that have undermined the quality of commercial
cryptographic software in the United States.
• The first is the virtually universal lack of competence of implementors of
commercial encryption software (although this is starting to change since
the publication of PGP). Every software engineer fancies himself a
cryptographer, which has led to the proliferation of really bad crypto
software.
• The second is the NSA deliberately and systematically suppressing all the
good commercial encryption technology, by legal intimidation and
economic pressure. Part of this pressure is brought to bear by stringent
export controls on encryption software which, by the economics of
software marketing, has the net effect of suppressing domestic encryption
software.
• The third principal method of suppression comes from the granting of all
the software patents for all the public key encryption algorithms to a single
company, affording a single choke point to suppress the spread of this
technology (although this crypto patent cartel broke up in the fall of 1995).
The net effect of all this is that before PGP was published, there was almost no
highly secure general purpose encryption software available in the United
States.
I’m not as certain about the security of PGP as I once was about my brilliant
encryption software from college. If I were, that would be a bad sign. But I
don’t think PGP contains any glaring weaknesses (although I’m pretty sure it
contains bugs). I have selected the best algorithms from the published
literature of civilian cryptologic academia. For the most part, these algorithms
have been individually subject to extensive peer review. I know many of the
world’s leading cryptographers, and have discussed with some of them many
of the cryptographic algorithms and protocols used in PGP. It’s well
researched, and has been years in the making. And I don’t work for the NSA.
But you don’t have to trust my word on the cryptographic integrity of PGP,
because source code is available to facilitate peer review.
One more point about my commitment to cryptographic quality in PGP: Since
I first developed and released PGP for free in 1991, I spent three years under
criminal investigation by U.S. Customs for PGP’s spread overseas, with risk of
criminal prosecution and years of imprisonment. By the way, you didn’t see
the government getting upset about other cryptographic software—it’s PGP
that really set them off. What does that tell you about the strength of PGP? I
have earned my reputation on the cryptographic integrity of my products. I
will not betray my commitment to our right to privacy, for which I have risked
my freedom. I’m not about to allow a product with my name on it to have any
secret back doors.
An Introduction to Cryptography47
Phil Zimmermann on PGP
Vulnerabilities
“If all the personal computers in the world—260 million—were put to work on a
single PGP-encrypted message, it would still take an estimated 12 million times the
age of the universe, on average, to break a single message.”
--William Crowell, Deputy Director, National Security Agency, March 20,
1997.
No data security system is impenetrable. PGP can be circumvented in a variety
of ways. In any data security system, you have to ask yourself if the
information you are trying to protect is more valuable to your attacker than the
cost of the attack. This should lead you to protect yourself from the cheapest
attacks, while not worrying about the more expensive attacks.
Some of the discussion that follows may seem unduly paranoid, but such an
attitude is appropriate for a reasonable discussion of vulnerability issues.
Compromised passphrase and private key
Probably the simplest attack comes if you leave the passphrase for your
private key written down somewhere. If someone gets it and also gets your
private key file, they can read your messages and make signatures in your
name.
Here are some recommendations for protecting your passphrase:
1. Don’t use obvious passphrases that can be easily guessed, such as the
names of your kids or spouse.
2. Use spaces and a combination of numbers and letters in your passphrase.
If you make your passphrase a single word, it can be easily guessed by
having a computer try all the words in the dictionary until it finds your
password. That’s why a passphrase is so much better than a password. A
more sophisticated attacker may have his computer scan a book of
famous quotations to find your passphrase.
3. Be creative. Use an easy to remember but hard to guess passphrase; you
can easily construct one by using some creatively nonsensical sayings or
obscure literary quotes.
Public key tampering
A major vulnerability exists if public keys are tampered with. This may be the
most crucially important vulnerability of a public key cryptosystem, in part
because most novices don’t immediately recognize it.
To summarize: When you use someone’s public key, make certain it has not
been tampered with. A new public key from someone else should be trusted
only if you got it directly from its owner, or if it has been signed by someone
you trust. Make sure no one else can tamper with your own public keyring.
Maintain physical control of both your public keyring and your private key,
preferably on your own personal computer rather than on a remote
timesharing system. Keep a backup copy of both keyrings.
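One concrete way to check that a public key has not been tampered with is to compare its fingerprint against one obtained out of band, for example read over the telephone by the key's owner or printed on a business card. The Python below is an added example, not code from this manual or from PGP: it builds a version 4 RSA public-key packet in the OpenPGP format (RFC 4880, section 5.5.2) and computes the version 4 fingerprint and key ID exactly as RFC 4880 section 12.2 defines them (SHA-1 over 0x99, the two-octet body length, and the packet body). The modulus ALICE_N, the creation time and the substituted EVIL_KEY are constructed values, and the modulus is not a real RSA key.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key (RFC 4880 5.5.2):
    version 4, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body."""
    data = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(data).hexdigest().upper()


def key_id(packet_body: bytes) -> str:
    """The 64-bit key ID is the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(packet_body)[-16:]


def fingerprint_matches(packet_body: bytes, expected: str) -> bool:
    """Compare with a fingerprint obtained over a channel the attacker does not
    control; never with one that arrived alongside the key itself."""
    want = expected.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(packet_body), want)


# Constructed toy key material: a 512-bit odd number standing in for a modulus
ALICE_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F
ALICE_E = 65537
CREATED = 910000000  # seconds since the Unix epoch, November 1998
ALICE_KEY = v4_rsa_public_key_packet(ALICE_N, ALICE_E, CREATED)

# A substituted key: same user-visible fields, attacker-chosen modulus
EVIL_KEY = v4_rsa_public_key_packet(ALICE_N ^ (1 << 200), ALICE_E, CREATED)

if __name__ == "__main__":
    print("Alice:   ", v4_fingerprint(ALICE_KEY), "key id", key_id(ALICE_KEY))
    print("Tampered:", v4_fingerprint(EVIL_KEY), "key id", key_id(EVIL_KEY))
    print("matches out-of-band value:", fingerprint_matches(EVIL_KEY, v4_fingerprint(ALICE_KEY)))
```

The user ID and creation date on a tampered key can be made to look identical to the genuine one, which is why the comparison has to be on the fingerprint, and why the fingerprint has to come from somewhere other than the keyserver or mail that delivered the key.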
Not quite deleted files
Another potential security problem is caused by how most operating systems
delete files. When you encrypt a file and then delete the original plaintext file,
the operating system doesn’t actually physically erase the data. It merely
marks those disk blocks as deleted, allowing the space to be reused later. It’s
sort of like discarding sensitive paper documents in the paper recycling bin
instead of the paper shredder. The disk blocks still contain the original
sensitive data you wanted to erase, and will probably be overwritten by new
data at some point in the future. If an attacker reads these deleted disk blocks
soon after they have been deallocated, he could recover your plaintext.
In fact, this could even happen accidentally, if something went wrong with the
disk and some files were accidentally deleted or corrupted. A disk recovery
program may be run to recover the damaged files, but this often means that
some previously deleted files are resurrected along with everything else. Your
confidential files that you thought were gone forever could then reappear and
be inspected by whoever is attempting to recover your damaged disk. Even
while you are creating the original message with a word processor or text
editor, the editor may be creating multiple temporary copies of your text on
the disk, just because of its internal workings. These temporary copies of your
text are deleted by the word processor when it’s done, but these sensitive
fragments are still on your disk somewhere.
The only way to prevent the plaintext from reappearing is to somehow cause
the deleted plaintext files to be overwritten. Unless you know for sure that all
the deleted disk blocks will soon be reused, you must take positive steps to
overwrite the plaintext file, and also any fragments of it on the disk left by your
word processor. You can take care of any fragments of the plaintext left on the
disk by using PGP’s Secure Wipe and Freespace Wipe features.
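In outline, what a secure wipe does is overwrite the file's own blocks before unlinking it. The following Python is an added example of that idea, not the manual's text and not PGP's implementation: it overwrites the file in place with CSPRNG output for several passes, forces each pass to the device with fsync, renames the file to an anonymous name so the original name does not linger in directory metadata, and only then unlinks it. The function names and the sample plaintext are constructed. Two caveats apply: on journaling or copy-on-write filesystems and on SSDs with wear levelling, the blocks you overwrite are not necessarily the blocks that held the old data, and this routine does nothing about an editor's temporary copies, which is the job of a free-space wipe.

```python
import os
import secrets
import tempfile


def wipe_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite a file's contents in place, then unlink it.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # No O_TRUNC: truncating would free the old blocks instead of overwriting them
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                buf = secrets.token_bytes(min(chunk, remaining))
                remaining -= os.write(fd, buf)  # short writes just loop again
            os.fsync(fd)  # push this pass out of the page cache to the device
    finally:
        os.close(fd)
    # Rename to an anonymous name first, so the directory entry no longer
    # records what the file was called, then unlink.
    anon = os.path.join(os.path.dirname(path) or ".", "." + secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return size


def demo() -> bool:
    """Write a constructed plaintext, wipe it, and confirm it is gone."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"Dear Bob, the meeting is at 9.\n" * 2000)
        path = f.name
    wiped = wipe_file(path)
    return wiped == 31 * 2000 and not os.path.exists(path)


if __name__ == "__main__":
    print("wiped and removed:", demo())
```

Because the overwrite happens through the same file descriptor and offsets as the original data, on a classic in-place filesystem it lands on the same blocks; the caveats in the lead-in are exactly the cases where that assumption fails, and there the right tool is full-disk encryption rather than after-the-fact overwriting.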
Viruses and Trojan horses
Another attack could involve a specially tailored hostile computer virus or
worm that might infect PGP or your operating system. This hypothetical virus
could be designed to capture your passphrase or private key or deciphered
messages and to covertly write the captured information to a file or send it
through a network to the virus’s owner. Or it might alter PGP’s behavior so
that signatures are not properly checked. This attack is cheaper than
cryptanalytic attacks.
Defending against this kind of attack falls into the category of defending
against viral infection generally. There are some moderately capable antiviral
products commercially available, and there are hygienic procedures to follow
that can greatly reduce the chances of viral infection. A complete treatment of
antiviral and antiworm countermeasures is beyond the scope of this
document. PGP has no defenses against viruses, and assumes that your own
personal computer is a trustworthy execution environment. If such a virus or
worm actually appeared, hopefully word would soon get around warning
everyone.
A similar attack involves someone creating a clever imitation of PGP that
behaves like PGP in most respects, but that doesn’t work the way it’s supposed
to. For example, it might be deliberately crippled to not check signatures
properly, allowing bogus key certificates to be accepted. This Trojan horse
version of PGP is not hard for an attacker to create, because PGP source code
is widely available, so anyone could modify the source code and produce a
lobotomized zombie imitation PGP that looks real but does the bidding of its
diabolical master. This Trojan horse version of PGP could then be widely
circulated, claiming to be from a legitimate source. How insidious.
You should make an effort to get your copy of PGP directly from Network
Associates, Inc.
There are other ways to check PGP for tampering, using digital signatures.
You could use another trusted version of PGP to check the signature on a
suspect version of PGP. But this won’t help at all if your operating system is
infected, nor will it detect if your original copy of pgp.exe has been maliciously
altered in such a way as to compromise its own ability to check signatures.
This test also assumes that you have a good trusted copy of the public key that
you use to check the signature on the PGP executable.
Swap files or virtual memory
PGP was originally developed for MS-DOS, a primitive operating system by
today’s standards. But as it was ported to other more complex operating
systems, such as Microsoft Windows and the Macintosh OS, a new
vulnerability emerged. This vulnerability stems from the fact that these fancier
operating systems use a technique called virtual memory.
Virtual memory allows you to run huge programs on your computer that are
bigger than the space available in your computer’s semiconductor memory
chips. This is handy because software has become more and more bloated
since graphical user interfaces became the norm and users started running
several large applications at the same time. The operating system uses the hard
disk to store portions of your software that aren’t being used at the moment.
This means that the operating system might, without your knowledge, write
out to disk some things that you thought were kept only in main
memory—things like keys, passphrases, and decrypted plaintext. PGP does
not keep that kind of sensitive data lying around in memory for longer than
necessary, but there is some chance that the operating system could write it
out to disk anyway.
The data is written out to some scratchpad area of the disk, known as a swap
file. Data is read back in from the swap file as needed, so that only part of your
program or data is in physical memory at any one time. All this activity is
invisible to the user, who just sees the disk chattering away. Microsoft
Windows swaps chunks of memory, called pages, using a Least Recently Used
(LRU) page-replacement algorithm. This means pages that have not been
accessed for the longest period of time are the first ones to be swapped to the
disk. This approach suggests that in most cases the risk is fairly low that
sensitive data will be swapped out to disk, because PGP doesn’t leave it in
memory for very long. But we don’t make any guarantees.
This swap file can be accessed by anyone who can get physical access to your
computer. If you are concerned about this problem, you may be able to solve
it by obtaining special software that overwrites your swap file. Another
possible cure is to turn off your operating system’s virtual memory feature.
Microsoft Windows allows this, and so does the Mac OS. Turning off virtual
memory may mean that you need to have more physical RAM chips installed
in order to fit everything in RAM.
Physical security breach
A physical security breach may allow someone to physically acquire your
plaintext files or printed messages. A determined opponent might accomplish
this through burglary, trash-picking, unreasonable search and seizure, or
bribery, blackmail, or infiltration of your staff. Some of these attacks may be
especially feasible against grass-roots political organizations that depend on a
largely volunteer staff.
Don’t be lulled into a false sense of security just because you have a
cryptographic tool. Cryptographic techniques protect data only while it’s
encrypted—direct physical security violations can still compromise plaintext
data or written or spoken information.
This kind of attack is cheaper than cryptanalytic attacks on PGP.
Tempest attacks
Another kind of attack that has been used by well-equipped opponents
involves the remote detection of the electromagnetic signals from your
computer. This expensive and somewhat labor-intensive attack is probably
still cheaper than direct cryptanalytic attacks. An appropriately instrumented
van can park near your office and remotely pick up all of your keystrokes and
messages displayed on your computer video screen. This would compromise
all of your passwords, messages, and so on. This attack can be thwarted by
properly shielding all of your computer equipment and network cabling so
that it does not emit these signals. This shielding technology, known as
“Tempest,” is used by some government agencies and defense contractors.
There are hardware vendors who supply Tempest shielding commercially.
Protecting against bogus timestamps
A somewhat obscure vulnerability of PGP involves dishonest users creating
bogus timestamps on their own public key certificates and signatures. You can
skip over this section if you are a casual user and aren’t deeply into obscure
public-key protocols.
There’s nothing to stop a dishonest user from altering the date and time setting
of his own system’s clock, and generating his own public key certificates and
signatures that appear to have been created at a different time. He can make it
appear that he signed something earlier or later than he actually did, or that
his public/private key pair was created earlier or later. This may have some
legal or financial benefit to him, for example by creating some kind of loophole
that might allow him to repudiate a signature.
I think this problem of falsified timestamps in digital signatures is no worse
than it is already in handwritten signatures. Anyone can write any date next
to their handwritten signature on a contract, but no one seems to be alarmed
about this state of affairs. In some cases, an “incorrect” date on a handwritten
signature might not be associated with actual fraud. The timestamp might be
when the signator asserts that he signed a document, or maybe when he wants
the signature to go into effect.
In situations where it is critical that a signature be trusted to have the actual
correct date, people can simply use notaries to witness and date a handwritten
signature. The analog to this in digital signatures is to get a trusted third party
to sign a signature certificate, applying a trusted timestamp. No exotic or
overly formal protocols are needed for this. Witnessed signatures have long
been recognized as a legitimate way of determining when a document was
signed.
A trustworthy Certifying Authority or notary could create notarized
signatures with a trustworthy timestamp. This would not necessarily require
a centralized authority. Perhaps any trusted introducer or disinterested party
could serve this function, the same way real notary publics do now. When a
notary signs other people’s signatures, it creates a signature certificate of a
signature certificate. This would serve as a witness to the signature in the same
way that real notaries now witness handwritten signatures. The notary could
enter the detached signature certificate (without the actual whole document
that was signed) into a special log controlled by the notary. Anyone could read
this log. The notary’s signature would have a trusted timestamp, which might
have greater credibility or more legal significance than the timestamp in the
original signature.
There is a good treatment of this topic in Denning’s 1983 article in IEEE
Computer. Future enhancements to PGP might have features to easily manage
notarized signatures of signatures, with trusted timestamps.
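The notarized signature-of-a-signature sketched above can be written out as a small protocol. The Python below is an added example, not from this manual, from PGP, or from Denning's article; it substitutes a toy textbook RSA over fixed Mersenne primes for PGP's real signature algorithms (no padding, tiny keys, illustration only). The signer produces a detached signature certificate carrying whatever time its own clock claims; the notary verifies that signature, stamps the certificate with the notary's own clock, signs the stamped entry, and appends it to a public log; a verifier checks both signatures and takes the notary's time, not the signer's, as the trusted one. The key material, the CONTRACT bytes, and the fixed clock values are constructed.

```python
import hashlib
import json
import time

# Toy textbook RSA on fixed Mersenne primes, constructed for this example only.
# Real signatures need proper padding and far larger keys.
SIGNER_PRIMES = (2**61 - 1, 2**89 - 1)
NOTARY_PRIMES = (2**107 - 1, 2**127 - 1)
E = 65537


def toy_keypair(p: int, q: int):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public, private)


def _digest_int(data: bytes) -> int:
    # 128-bit truncation keeps the value below every toy modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def without(d: dict, key: str) -> dict:
    return {k: v for k, v in d.items() if k != key}


def signature_certificate(signer_priv, document: bytes, claimed_time: int) -> dict:
    """Detached signature over the document hash plus whatever time the signer's
    own clock, honest or not, reports."""
    body = {"doc_hash": hashlib.sha256(document).hexdigest(), "claimed_time": claimed_time}
    return dict(body, sig=sign(signer_priv, canonical(body)))


class Notary:
    """Witnesses signature certificates: checks them, stamps them with its own
    clock, signs the stamped entry, and keeps an append-only public log."""

    def __init__(self, priv, pub, clock=time.time):
        self.priv, self.pub, self.clock = priv, pub, clock
        self.log = []

    def notarize(self, signer_pub, cert: dict) -> dict:
        if not verify(signer_pub, canonical(without(cert, "sig")), cert["sig"]):
            raise ValueError("refusing to notarize an invalid signature")
        entry = {"index": len(self.log), "cert": cert, "notary_time": int(self.clock())}
        entry["notary_sig"] = sign(self.priv, canonical(entry))
        self.log.append(entry)
        return entry


def verify_notarized(notary_pub, signer_pub, document: bytes, entry: dict):
    """Return the notary's timestamp if the document hash, the signer's signature
    and the notary's signature all check out, else None. The signer's claimed_time
    is carried along as an assertion but is not what the verifier relies on."""
    cert = entry["cert"]
    if cert["doc_hash"] != hashlib.sha256(document).hexdigest():
        return None
    if not verify(signer_pub, canonical(without(cert, "sig")), cert["sig"]):
        return None
    if not verify(notary_pub, canonical(without(entry, "notary_sig")), entry["notary_sig"]):
        return None
    return entry["notary_time"]


SIGNER_PUB, SIGNER_PRIV = toy_keypair(*SIGNER_PRIMES)
NOTARY_PUB, NOTARY_PRIV = toy_keypair(*NOTARY_PRIMES)
CONTRACT = b"I agree to deliver 100 widgets by 1 December 1998."  # constructed


def demo():
    """Signer backdates by a year; the notary's clock says November 1998."""
    notary = Notary(NOTARY_PRIV, NOTARY_PUB, clock=lambda: 910000000)
    cert = signature_certificate(SIGNER_PRIV, CONTRACT, claimed_time=878400000)
    entry = notary.notarize(SIGNER_PUB, cert)
    return cert["claimed_time"], verify_notarized(NOTARY_PUB, SIGNER_PUB, CONTRACT, entry)


if __name__ == "__main__":
    claimed, attested = demo()
    print("signer claims", claimed, "notary attests", attested)
```

The notary never sees the document, only its hash inside the detached certificate, which matches the text's point that the log holds signature certificates rather than the signed material; anyone holding the notary's public key can audit the log, and a later change to notary_time invalidates the outer signature.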
Exposure on multi-user systems
PGP was originally designed for a single-user PC under your direct physical
control. If you run PGP at home on your own PC, your encrypted files are
generally safe, unless someone breaks into your house, steals your PC and
persuades you to give them your passphrase (or your passphrase is simple
enough to guess).
PGP is not designed to protect your data while it is in plaintext form on a
compromised system. Nor can it prevent an intruder from using sophisticated
measures to read your private key while it is being used. You will just have to
recognize these risks on multiuser systems, and adjust your expectations and
behavior accordingly. Perhaps your situation is such that you should consider
only running PGP on an isolated single-user system under your direct
physical control.
Traffic analysis
Even if the attacker cannot read the contents of your encrypted messages, he
may be able to infer at least some useful information by observing where the
messages come from and where they are going, the size of the messages, and
the time of day the messages are sent. This is analogous to the attacker looking
at your long-distance phone bill to see who you called and when and for how
long, even though the actual content of your calls is unknown to the attacker.
This is called traffic analysis. PGP alone does not protect against traffic
analysis. Solving this problem would require specialized communication
protocols designed to reduce exposure to traffic analysis in your
communication environment, possibly with some cryptographic assistance.
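To make the metadata leak concrete, here is an added Python example, not part of the original manual, that runs a few inferences over a constructed mail-relay log in which every message body is PGP-encrypted: who talks to whom and how often, which pairs hold a real back-and-forth (a reply within an hour), which messages are bulk transfers judged by size, and at what hours each sender is active. The log lines, addresses and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed relay log: time, envelope sender, recipient, size in bytes.
# The relay never sees plaintext; everything below is inferred from these fields.
LOG = """\
1998-11-02T09:15:03 alice@example.org -> bob@example.org 4821
1998-11-02T09:41:50 bob@example.org -> alice@example.org 1337
1998-11-02T13:02:11 alice@example.org -> carol@example.net 302
1998-11-03T09:12:44 alice@example.org -> bob@example.org 5102
1998-11-03T09:30:19 bob@example.org -> alice@example.org 1290
1998-11-03T23:58:01 alice@example.org -> bob@example.org 2097152
1998-11-04T09:10:05 alice@example.org -> bob@example.org 4990
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (\d+)$")


def parse(log: str):
    """Rows of (timestamp, sender, recipient, size); malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return rows


def who_talks_to_whom(rows) -> Counter:
    """Unordered pair -> message count: the communication graph."""
    return Counter(frozenset((s, r)) for _, s, r, _ in rows)


def conversations(rows, within=timedelta(hours=1)):
    """(sender, recipient) pairs where a reply came back within `within`:
    evidence of a live exchange rather than one-way mailings."""
    found = set()
    for i, (t1, s1, r1, _) in enumerate(rows):
        for t2, s2, r2, _ in rows[i + 1:]:
            if s2 == r1 and r2 == s1 and t2 - t1 <= within:
                found.add((s1, r1))
    return found


def size_outliers(rows, factor=10):
    """Messages far above the sender's median size: a file transfer, not a note."""
    by_sender = defaultdict(list)
    for _, s, _, size in rows:
        by_sender[s].append(size)
    out = []
    for t, s, r, size in rows:
        sizes = sorted(by_sender[s])
        if size > factor * sizes[len(sizes) // 2]:
            out.append((t, s, r, size))
    return out


def daily_pattern(rows) -> Counter:
    """(sender, hour of day) histogram: hints at time zone and working hours."""
    return Counter((s, t.hour) for t, s, _, _ in rows)


if __name__ == "__main__":
    rows = parse(LOG)
    print("graph:", {tuple(sorted(k)): v for k, v in who_talks_to_whom(rows).items()})
    print("conversations:", conversations(rows))
    print("bulk transfers:", size_outliers(rows))
    print("hours:", dict(daily_pattern(rows)))
```

None of this needed the key: the regular morning exchange between the two example addresses, the single note to a third party, and the two-megabyte late-night transfer are all visible to whoever runs or taps the relay, which is the point of the paragraph above.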
Cryptanalysis
An expensive and formidable cryptanalytic attack could possibly be mounted
by someone with vast supercomputer resources, such as a government
intelligence agency. They might crack your public key by using some new
secret mathematical breakthrough. But civilian academia has been intensively
attacking public key cryptography without success since 1978.
Perhaps the government has some classified methods of cracking the
conventional encryption algorithms used in PGP. This is every
cryptographer’s worst nightmare. There can be no absolute security
guarantees in practical cryptographic implementations.
Still, some optimism seems justified. The public key algorithms, message
digest algorithms, and block ciphers used in PGP were designed by some of
the best cryptographers in the world. PGP’s algorithms have had extensive
security analysis and peer review from some of the best cryptanalysts in the
unclassified world.
Besides, even if the block ciphers used in PGP have some subtle unknown
weaknesses, PGP compresses the plaintext before encryption, which should
greatly reduce those weaknesses. The computational workload to crack it is
likely to be much more expensive than the value of the message.
If your situation justifies worrying about very formidable attacks of this
caliber, then perhaps you should contact a data security consultant for some
customized data security approaches tailored to your special needs.
In summary, without good cryptographic protection of your data
communications, it may be practically effortless and perhaps even routine for
an opponent to intercept your messages, especially those sent through a
modem or email system. If you use PGP and follow reasonable precautions,
the attacker will have to expend far more effort and expense to violate your
privacy.
If you protect yourself against the simplest attacks, and you feel confident that
your privacy is not going to be violated by a determined and highly
resourceful attacker, then you’ll probably be safe using PGP. PGP gives you
Pretty Good Privacy.
Glossary
A5: a trade-secret cryptographic algorithm used in European cellular telephones.
Access control: a method of restricting access to resources, allowing only privileged entities access.
Additional recipient request key: a special key whose presence indicates that all messages encrypted to its associated base key should also be automatically encrypted to it. Sometimes referred to by its marketing term, additional decryption key.
AES (Advanced Encryption Standard): NIST approved standard, intended for use over the next 20 to 30 years.
AKEP (Authentication Key Exchange Protocol): key transport based on symmetric encryption allowing two parties to exchange a shared secret key, secure against passive adversaries.
Algorithm (encryption): a set of mathematical rules (logic) used in the processes of encryption and decryption.
Algorithm (hash): a set of mathematical rules (logic) used in the processes of message digest creation and key/signature generation.
Anonymity: of unknown or undeclared origin or authorship; concealing an entity’s identification.
ANSI (American National Standards Institute): develops standards through various Accredited Standards Committees (ASC). The X9 committee focuses on security standards for the financial services industry.
API (Application Programming Interface): provides the means to take advantage of software features, allowing dissimilar software products to interact with one another.
ASN.1 (Abstract Syntax Notation One): ISO/IEC standard notation for describing data structures, whose encoding rules are used in ANSI X.509 certificates; two sets of encoding rules exist, DER (Distinguished Encoding Rules) and BER (Basic Encoding Rules).
Asymmetric keys: a separate but integrated user key-pair, comprised of one public key and one private key. Each key is one way, meaning that a key used to encrypt information cannot be used to decrypt the same data.
Authentication: to prove genuine by corroboration of the identity of an entity.
Authorization certificate: an electronic document to prove one’s access or privilege rights, also to prove one is who they say they are.
Authorization: to convey official sanction, access or legal power to an entity.
Blind signature: ability to sign documents without knowledge of content, similar to a notary public.
Block cipher: a symmetric cipher operating on blocks of plain text and cipher text, usually 64 bits.
Blowfish: a 64-bit block symmetric cipher consisting of key expansion and data encryption. A fast, simple, and compact algorithm in the public domain written by Bruce Schneier.
CA (Certificate Authority): a trusted third party (TTP) who creates certificates that consist of assertions on various attributes and binds them to an entity and/or to their public key.
CAPI (Crypto API): Microsoft’s crypto API for Windows-based operating systems and applications.
Capstone: an NSA-developed cryptographic chip that implements a US government Key Escrow capability.
CAST: a 64-bit block cipher using a 64-bit key, six S-boxes with 8-bit input and 32-bit output, developed in Canada by Carlisle Adams and Stafford Tavares.
CBC (Cipher Block Chaining): the process of having plain text XORed with the previous cipher text block before it is encrypted, thus adding a feedback mechanism to a block cipher.
CDK (Crypto Developer Kit): a documented environment, including an API for third parties to write secure applications using a specific vendor’s cryptographic library.
CERT (Computer Emergency Response Team): security clearinghouse that promotes security awareness. CERT provides 24-hour technical assistance for computer and network security incidents. CERT is located at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, PA.
Certificate (digital certificate): an electronic document attached to a public key by a trusted third party, which provides proof that the public key belongs to a legitimate owner and has not been compromised.
CFM (Cipher Feedback Mode): a block cipher that has been implemented as a self-synchronizing stream cipher.
CDSA (Common Data Security Architecture): Intel Architecture Labs (IAL) developed this framework to address the data security problems inherent to Internet and Intranet for use in Intel and others’ Internet products.
Certification: endorsement of information by a trusted entity.
CHAP (Challenge Handshake Authentication Protocol): a session-based, two-way password authentication scheme.
Cipher text: the result of manipulating either characters or bits via substitution, transposition, or both.
Clear text: characters in a human readable form or bits in a machine-readable form (also called plain text).
Confidentiality: the act of keeping something private and secret from all [rest of this definition is missing from the source].
[term missing from the source]: ... sorts, that is passed from the web server to the web client (your browser) that is used to identify you and could record personal information such as ID and password, mailing address, credit card number, and other information.
CRAB: a 1024-byte block cipher (similar to MD5), using techniques from a one-way hash function, developed by Burt Kaliski and Matt Robshaw at RSA Laboratories.
Credentials: something that provides a basis for credit or confidence.
CRL (Certificate Revocation List): an online, up-to-date list of previously issued certificates that are no longer valid.
Cross-certification: two or more organizations or Certificate Authorities that share some level of trust.
Cryptanalysis: the art or science of transforming cipher text into plain text without initial knowledge of the key used to encrypt the plain text.
CRYPTOKI: same as PKCS #11.
Cryptography: the art and science of creating messages that have some combination of being private, signed, unmodified with non-repudiation.
Cryptosystem: a system comprised of cryptographic algorithms, all possible plain text, cipher text, and keys.
Data integrity: a method of ensuring information has not been altered by unauthorized or unknown means.
Decryption: the process of turning cipher text back into plain text.
DES (Data Encryption Standard): a 64-bit block cipher, symmetric algorithm also known as Data Encryption Algorithm (DEA) by ANSI and DEA-1 by ISO. Widely used for over 20 years, adopted in 1976 as FIPS 46.
Dictionary attack: a calculated brute force attack to reveal a password by trying obvious and logical combinations of words.
Diffie-Hellman: the first public key algorithm, invented in 1976, using discrete logarithms in a finite field.
Digital cash: electronic money that is stored and transferred through a variety of complex protocols.
Direct trust: an establishment of peer-to-peer confidence.
Discrete logarithm: the underlying mathematical problem used in/by asymmetric algorithms, like Diffie-Hellman and Elliptic Curve. It is the inverse problem of modular exponentiation, which is a one-way function.
DMS (Defense Messaging System): standards designed by the U.S. Department of Defense to provide a secure and reliable enterprise-wide messaging infrastructure for government and military agencies.
DNSSEC (Domain Name System Security Working Group): a proposed IETF draft that will specify enhancements to the DNS protocol to protect the DNS against unauthorized modification of data and against masquerading of data origin. It will add data integrity and authentication capabilities to the DNS via digital signatures.
DSA (Digital Signature Algorithm): a public key digital signature algorithm proposed by NIST for use in DSS.
Digital signature: an electronic identification of a person or thing created by using a public key algorithm. Intended to verify to a recipient the integrity of data and identity of the sender of the data.
DSS (Digital Signature Standard): a NIST proposed standard (FIPS) for digital signatures using DSA.
ECC (Elliptic Curve Cryptosystem): a unique method for creating public key algorith​ms based on mathematical curves over finite fields or with large prime numbers.
EDI (Electronic Data Interchange): the direct, standardized computer-to-computer exchange of business documents (purchase orders, invoices, payments, inventory analyses, and others) between your organization and your suppliers and customers.
EES (Escrowed Encryption Standard): a proposed U.S. government standard for escrowing private keys.
Elgamal scheme: used for both digital signatures and encryption based on discrete logarithms in a finite field; can be used with the DSA function.
Encryption: the process of disguising a message in such a way as to hide its substance.
Entropy: a mathematical measurement of the amount of uncertainty or randomness.
FEAL: a block cipher using 64-bit block and 64-bit key, designed by A. Shimizu and S. Miyaguchi at NTT Japan.
Filter: a function, set of functions, or combination of functions that applies some number of transforms to its input set, yielding an output set containing only those members of the input set that satisfy the transform criteria. The selected members may or may not be further transformed in the resultant output set. An example would be a search function that accepts multiple strings having a boolean relationship ((like a or like b) but not containing c), and optionally forces the case of the found strings in the resultant output.
Fingerprint: a unique identifier for a key that is obtained by hashing specific portions of the key data.
FIPS (Federal Information Processing Standard): a U.S. government standard published by NIST.
Firewall: a combination of hardware and software that protects the perimeter of the public/private network against certain attacks to ensure some degree of security.
GAK (Government Access to Keys): a method for the government to escrow individuals’ private keys.
Gost: a 64-bit symmetric block cipher using a 256-bit key, developed in the former Soviet Union.
GSS-API (Generic Security Services API): a high-level security API based upon IETF RFC 1508, which isolates session-oriented application code from implementation details.
Hash function: a one-way hash function - a function that produces a [rest of this definition is missing from the source].
HMAC: a key-dependent one-way hash function specifically intended for use with MAC (Message Authentication Code), and based upon IETF RFC 2104.
Hierarchical trust: a graded series of entities that distribute trust in an organized fashion, commonly used in ANSI X.509 issuing certifying authorities.
HTTP (HyperText Transfer Protocol): a common protocol used to transfer documents between servers or from a server to a client.
IDEA (International Data Encryption Algorithm): a 64-bit block symmetric cipher using 128-bit keys based on mixing operations from different algebraic groups. Considered one of the strongest algorithms.
IETF (Internet Engineering Task Force): a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.
Identity certificate: a signed statement that binds a key to the name of an individual and has the intended meaning of delegating authority from that named individual to the public key.
Initialization vector (IV): a block of arbitrary data that serves as the starting point for a block cipher using a chaining feedback mode (see cipher block chaining).
Integrity: assurance that data is not modified (by unauthorized persons) during storage or transmittal.
IPSec: a TCP/IP layer encryption scheme under consideration.
[term missing from the source]: defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation, for example, denial of service and replay attacks.
ISO (International Organization for Standardization): responsible for a wide range of standards, like the OSI model and international relationship with ANSI on X.509.
ITU-T (International Telecommunication Union-Telecommunication): formerly the CCITT (Consultative Committee for International Telegraph and Telephone), a worldwide telecommunications technology standards organization.
Kerberos: a trusted third-party authentication protocol developed at MIT.
Key: a means of gaining or preventing access, possession, or control represented by any one of a large number of values.
Key escrow/recovery: a mechanism that allows a third party to retrieve the cryptographic keys used for data confidentiality, with the ultimate goal of recovery of encrypted data.
Key exchange: a scheme for two or more nodes to transfer a secret session key across an unsecured channel.
Key length: the number of bits representing the key size; for a given algorithm, the longer the key, the larger the space an exhaustive search must cover.
Key management: the process and procedure for safely storing and distributing accurate cryptographic keys; the overall process of generating and distributing cryptographic keys to authorized recipients in a secure manner.
Key splitting: a process for dividing portions of a single key between multiple parties, none having the ability to reconstruct the whole key.
LDAP (Lightweight Directory Access Protocol): a simple protocol that supports access and search operations on directories containing information such as names, phone numbers, and addresses across otherwise incompatible systems over the Internet.
Lexical section: a distinct portion of a message that contains a specific class of data, for example, clear-signed data, encrypted data, and key data.
MAA (Message Authenticator Algorithm): an ISO standard that produces a 32-bit hash, designed for IBM mainframes.
MAC (Message Authentication Code): a key-dependent one-way hash function, requiring the use of the identical key to verify the hash.
MD2 (Message Digest 2): 128-bit one-way hash function designed by Ron Rivest, dependent on a random permutation of bytes.
MD4 (Message Digest 4): 128-bit one-way hash function designed by Ron Rivest, using a simple set of bit manipulations on 32-bit operands.
MD5 (Message Digest 5): improved, more complex version of MD4, but still a 128-bit one-way hash function.
Message digest: a number that is derived from a message. Change a single character in the message and the message will have a different message digest.
MIC (Message Integrity Check): originally defined in PEM for authentication using MD2 or MD5. Micalg (message integrity calculation) is used in secure MIME implementations.
MIME (Multipurpose Internet Mail Extensions): a freely available set of specifications that offers a way to interchange text in languages with different character sets, and multimedia email among many different computer systems that use Internet mail standards.
MMB (Modular Multiplication-based Block): based on IDEA, Joan Daemen developed this 128-bit key/128-bit block size symmetric algorithm, not used because of its susceptibility to linear cryptanalysis.
MOSS (MIME Object Security Service): defined in RFC 1848, it facilitates encryption and signature services for MIME, including key management based on asymmetric techniques (not widely used).
MSP (Message Security Protocol): the military equivalent of PEM, an X.400-compatible application level protocol for securing e-mail, developed by the NSA in late 1980.
MTI: a one-pass key agreement protocol by Matsumoto, Takashima, and Imai that provides mutual key authentication without key confirmation or entity authentication.
NAT (Network Address Translator): RFC 1631, a router connecting two networks together; one, designated as inside, is addressed with either private or obsolete addresses that need to be converted into legal addresses before packets are forwarded onto the other network (designated as outside).
NIST (National Institute for Standards and Technology): a division of the U.S. Dept. of Commerce that publishes open, interoperability standards called FIPS.
Non-repudiation: preventing the denial of previous commitments or actions.
Oakley: the “Oakley Session Key Exchange” provides a hybrid Diffie-Hellman session key exchange for use within the ISAKMP framework. Oakley provides the important property of “Perfect Forward Secrecy.”
One-time pad: a large non-repeating set of truly random key letters used for encryption, considered the only perfect encryption scheme, invented by Major J. Mauborgne and G. Vernam in 1917.
One-way hash: a function of a variable string to create a fixed length value representing the original pre-image, also called message digest, fingerprint, message integrity check (MIC).
Orange Book: the National Computer Security Center book entitled Department of Defense Trusted Computer Systems Evaluation Criteria that defines security requirements.
PAP (Password Authentication Protocol): an authentication protocol that allows PPP peers to authenticate one another; it does not prevent unauthorized access but merely identifies the remote end.
Passphrase: an easy-to-remember phrase used for better security than a single password; key crunching converts it into a random key.
Password: a sequence of characters or a word that a subject submits to a system for purposes of authentication, validation, or verification.
PCT (Private Communication Technology): a protocol developed by Microsoft and Visa for secure communications on the Internet.
PEM (Privacy Enhanced Mail): a protocol to provide secure internet mail (RFC 1421-1424), including services for encryption, authentication, message integrity, and key management. PEM uses ANSI X.509 certificates.
Perfect forward secrecy: a cryptosystem in which the cipher text yields no possible information about the plain text, except possibly the length.
Primitive filter: a function that applies a single transform to its input set, yielding an output set containing only those members of the input set that satisfy the transform criteria. An example would be a search function that accepts only a single string and outputs a list of line numbers where the string was found.
Pretty Good Privacy (PGP): an application and protocol (RFC 1991) for secure e-mail and file encryption developed by Phil R. Zimmermann. Originally published as Freeware, the source code has always been available for public scrutiny. PGP uses a variety of algorithms, like IDEA, RSA, DSA, MD5, and SHA-1, for providing encryption, authentication, message integrity, and key management. PGP is based on the “Web-of-Trust” model and has worldwide deployment.
PGP/MIME: an IETF standard (RFC 2015) that provides privacy and authentication using the Multipurpose Internet Mail Extensions (MIME) security content types described in RFC 1847, currently deployed in PGP 5.0 and later versions.
PKCS (Public Key Crypto Standards): a set of de facto standards for public key cryptography developed in cooperation with an informal consortium (Apple, DEC, Lotus, Microsoft, MIT, RSA, and Sun) that includes algorithm-specific and algorithm-independent implementation standards. Specifications defining message syntax and other protocols controlled by RSA Data Security Inc.
PKI (Public Key Infrastructure): a widely available and accessible certificate system for obtaining an entity’s public key with some degree of certainty that you have the “right” key and that it has not been revoked.
Plain text (or clear text): the human readable data or message before it is encrypted.
Pseudo-random number: a number that results from applying randomizing algorithms to input derived from the computing environment, for example, mouse coordinates. See random number.
Private key: the privately held “secret” component of an integrated asymmetric key pair, often referred to as the decryption key.
Public key: the publicly available component of an integrated asymmetric key pair, often referred to as the encryption key.
RADIUS (Remote Authentication Dial-In User Service): an IETF protocol (developed by Livingston, Enterprise) for distributed security that secures remote access to networks and network services against unauthorized access. RADIUS consists of two pieces - authentication server code and client protocols.
Random number: an important aspect to many cryptosystems, and a necessary element in generating a unique key (or keys) that are unpredictable to an adversary. True random numbers are usually derived from analog sources, and usually involve the use of special hardware.
RC2 (Rivest Cipher 2): variable key size, 64-bit block symmetric cipher, a trade secret held by RSA DSI.
RC4 (Rivest Cipher 4): variable key size stream cipher, once a proprietary algorithm of RSA Data Security, Inc.
RC5 (Rivest Cipher 5): a block cipher with a variety of arguments: block size, key size, and number of rounds.
RIPE-MD: an algorithm developed for the European Community’s RIPE project, designed to resist known cryptanalysis attacks and produce a 128-bit hash value; a variation of MD4.
REDOC: a U.S.-patented block cipher algorithm developed by M. Wood, using a 160-bit key and an 80-bit block.
Revocation: retraction of certification or authorization.
RFC (Request for Comment): an IETF document, either in the FYI (For Your Information) RFC sub-series, which are overviews and introductory, or in the STD RFC sub-series, which identify and specify Internet standards. Each RFC has an RFC number by which it is indexed and by which it can be retrieved (www.ietf.org).
ROT-13 (Rotation Cipher): a simple substitution (Caesar) cipher, rotating each of the 26 letters 13 places.
RSA: short for RSA Data Security, Inc.; or referring to the principals - Ron Rivest, Adi Shamir, and Len Adleman; or referring to the algorithm they invented. The RSA algorithm is used in public key cryptography and is based on the fact that it is easy to multiply two large prime numbers together, but hard to factor them out of the product.
SAFER (Secure And Fast Encryption Routine): a non-proprietary block cipher 64-bit key encryption algorithm. It is not patented, is available license free, and was developed by Massey, who also developed IDEA.
Salt: a random string that is concatenated with passwords (or random numbers) before being operated on by a one-way function. This concatenation effectively lengthens and obscures the password, making the cipher text less susceptible to dictionary attacks.
SDSI (Simple Distributed Security Infrastructure): a new PKI proposal from Ronald L. Rivest (MIT) and Butler Lampson (Microsoft). It provides a means of defining groups and issuing group membership, access-control lists, and security policies. SDSI's design emphasizes linked local name spaces rather than a hierarchical global name space.
SEAL (Software-optimized Encryption ALgorithm): a fast stream cipher for 32-bit machines designed by Rogaway and Coppersmith.
Secret key: either the “private key” in public key (asymmetric) algorithms or the “session key” in symmetric algorithms.
Secure channel: a means of conveying information from one entity to another such that an adversary does not have the ability to reorder, delete, insert, or read (SSL, IPSec, whispering in someone’s ear).
Self-signed key: a public key that has been signed by the corresponding private key for proof of ownership.
SEPP (Secure Electronic Payment Protocol): an open specification for secure bankcard transactions over the Internet. Developed by IBM, Netscape, GTE, Cybercash, and MasterCard.
SESAME (Secure European System for Applications in a Multi-vendor Environment): a European research and development project that extended Kerberos by adding authorization and access services.
Session key: the secret (symmetric) key used to encrypt each set of data on a transaction basis. A different session key is used for each communication session.
SET (Secure Electronic Transaction): provides for secure exchange of credit card numbers over the Internet.
SHA-1 (Secure Hash Algorithm): the 1994 revision to SHA, developed by NIST (FIPS 180-1) and used with DSS; produces a 160-bit hash, similar to MD4, which is very popular and is widely implemented.
Single sign-on: one log-on provides access to all resources of the network.
SKIP (Simple Key for IP): simple key management for Internet protocols, developed by Sun Microsystems, Inc.
Skipjack: the 80-bit key encryption algorithm contained in NSA’s Clipper chip.
SKMP (Secure Key Management Protocol): an IBM proposed key-recovery architecture that uses a key encapsulation technique to provide the key and message recovery to a trusted third-party escrow agent.
S/MIME (Secure Multipurpose Mail Extension): a proposed standard developed by Deming Software and RSA Data Security for encrypting and/or authenticating MIME data. S/MIME defines a format for the MIME data, the algorithms that must be used for interoperability (RSA, RC2, SHA-1), and the additional operational concerns such as ANSI X.509 certificates and transport over the Internet.
SNAPI (Secure Network API): a Netscape driven API for security services that provides ways for resources to be protected against unauthorized users, for communication to be encrypted and authenticated, and for the integrity of information to be verified.
SPKI (Simple Public Key Infrastructure): an IETF proposed draft standard (by Ellison, Frantz, and Thomas) for a public key certificate format, associated signature and other formats, and a key acquisition protocol. Recently merged with Ron Rivest’s SDSI proposal.
SSH (Secure Shell): an IETF proposed protocol for securing the transport layer by providing encryption, cryptographic host authentication, and integrity protection.
SSH (Site Security Handbook): the Working Group (WG) of the Internet Engineering Task Force has been working since 1994 to produce a pair of documents designed to educate the Internet community in the area of security. The first document is a complete reworking of RFC 1244, and is targeted at system and network administrators, as well as decision makers (middle management).
SSL (Secure Socket Layer): developed by Netscape to provide security and privacy over the Internet. Supports server and client authentication and maintains the security and integrity of the transmission channel. Operates at the transport layer and mimics the “sockets library,” allowing it to be application independent. Encrypts the entire communication channel and does not support digital signatures at the message level.
SST (Secure Transaction Technology): a secure payment protocol developed by Microsoft and Visa as a companion to the PCT protocol.
Stream cipher: a class of symmetric key encryption where the transformation can be changed for each symbol of plain text being encrypted; useful for equipment with little memory to buffer data.
STU-III (Secure Telephone Unit): NSA designed telephone for secure voice and low-speed data communications for use by the U.S. Dept. of Defense and their contractors.
Substitution cipher: the characters of the plain text are substituted with other characters to form the cipher text.
S/WAN (Secure Wide Area Network): RSA Data Security, Inc. driven specifications for implementing IPSec to ensure interoperability among firewall and TCP/IP products. S/WAN's goal is to use IPSec to allow companies to mix-and-match firewall and TCP/IP stack products to build Internet-based Virtual Private Networks (VPNs).
Symmetric algorithm: a.k.a. conventional, secret key, and single key algorithms; the encryption and decryption keys are either the same or can be calculated from one another. Two sub-categories exist - Block and Stream.
TACACS+ (Terminal Access Controller Access Control System): a protocol that provides remote access authentication, authorization, and related accounting and logging services, used by Cisco Systems.
Timestamping: recording the time of creation or existence of information.
TLS (Transport Layer Security): an IETF draft; version 1 is based on the Secure Sockets Layer (SSL) version 3.0 protocol, and provides communications privacy over the Internet.
TLSP (Transport Layer Security Protocol): ISO 10736, draft international standard.
Transposition cipher: the plain text remains the same but the order of the characters is transposed.
Triple DES: an encryption configuration in which the DES algorithm is used three times with three different keys.
Trust: a firm belief or confidence in the honesty, integrity, justice, and/or reliability of a person, company, or other entity.
TTP (Trusted Third-Party): a responsible party that all participants involved agree upon in advance to provide a service or function, such as certification (by binding a public key to an entity), time-stamping, or key escrow.
UEPS (Universal Electronic Payment System): a smart-card (secure debit card) based banking application developed for South Africa, where poor telephones make on-line verification impossible.
Validation: a means to provide timeliness of authorization to use or manipulate information or resources.
Verification: to authenticate, confirm, or establish accuracy.
VPN (Virtual Private Network): allows private networks to span from the end-user, across a public network (Internet), directly to the Home Gateway of choice, such as your company’s Intranet.
WAKE (Word Auto Key Encryption): produces a stream of 32-bit words, which can be XORed with a plain text stream to produce cipher text; invented by David Wheeler.
Web of Trust: a distributed trust model used by PGP to validate the ownership of a public key, where the level of trust is cumulative, based on the individual’s knowledge of the “introducers.”
W3C (World Wide Web Consortium): an international industry consortium founded in 1994 to develop common protocols for the evolution of the World Wide Web.
XOR: exclusive-or operation; a mathematical way to represent differences.
X.509v3: an ITU-T digital certificate that is an internationally recognized electronic document used to prove identity and public key ownership over a communication network. It contains the issuer’s name, the user’s identifying information, and the issuer’s digital signature, as well as other possible extensions in version 3.
X9.17: an ANSI specification that details the methodology for generating random and pseudo-random numbers.
Index
A
attackers 12
protecting against 37
attacks
cryptanalysis 54
on swap files 51
on virtual memory 51
physical security breach 52
tempest 52
traffic analysis 54
trojan horses 50
viruses 50
and key management 14
Crowell, William 48
cryptanalysis 12
cryptographic algorithm 12
cryptography 11
types of 13
cryptology 12
cryptosystem 12
to 27
D
data compression
in PGP 16
routines 35
data integrity 18
decryption 11
DES 13
dictionary attacks 27
Diffie-Hellman 15
digital certificates 21
digital signatures 18
Digital Telephony bill 31
direct trust 25
disclosure