
We shall see that cryptography is more than a subject permitting mathematical formulation, for indeed it would not be an exaggeration to state that abstract cryptography is identical with abstract mathematics.

Abraham Adrian Albert2.15 (1905–1972)

Horst Feistel may be considered to be one of the early pioneers in the drive to secure privacy for the public at large using cryptography. Born in Germany in 1914, he emigrated to the United States in 1934, but would not obtain U.S. citizenship for another decade. In fact, in 1941, with Germany having declared war on America, he was placed on a (sort of) house arrest, where his movements were restricted to the Boston area where he lived. Yet, surprisingly, on January 31, 1944, the house arrest was lifted, he was granted U.S. citizenship, and the very next day he was given security clearance that allowed him to work at the Air Force Cambridge Research Center (AFCRC).2.16 There he set up a cryptography research group that developed some outstanding cryptographic algorithms. In particular, they developed the MARK XII, which is widely used in American aircraft. It is known that the NSA had an ambivalent attitude toward Feistel’s group. On the one hand, they exerted pressure to steer his work, while at the same time they considered his group to be a threat. Consequently, his group was dissolved in the late 1950s. Then Feistel moved to MIT’s Lincoln Laboratory, followed by a move to MITRE Corporation, a spinoff of the MIT lab. When he tried to form a cryptography group there, again the NSA exerted pressure on MITRE, so his efforts failed, and his group did not materialize.

A.A. Albert, a friend of Feistel, advised him to go to IBM, since they were hiring the brightest scientists to do their own innovative work, a kind of think tank. Feistel began work at their Watson Laboratory in Yorktown Heights, New York. There he created a cryptosystem used in the IBM 2984 banking system, known today as the Alternative Encryption Technique, but then it was called Lucifer.2.17 This cryptosystem was the predecessor of the first commercially available algorithm (namely for use with unclassified computer data) officially announced in 1977 as the Data Encryption Standard (DES).2.18

2.15 Albert was born in Chicago, Illinois, on November 9, 1905. He studied under L.E. Dickson at the University of Chicago, receiving his Ph.D. in 1928. His elegant work on the classification of division algebras (see Appendix A, page 484) earned him a National Research Council Fellowship. This provided him with the opportunity to secure a postdoctoral position at Princeton, after which he spent a couple of years at Columbia University, then returned to Chicago in 1931. His book, Structure of Algebras, published in 1939, remains a classic today. The events of World War II induced Albert to take an interest in cryptography. The above quote is taken from his lecture on mathematical aspects of cryptography at the American Mathematical Society meeting held in Manhattan, Kansas, on November 22, 1941. His numerous achievements would take several pages to describe. Suffice it to say he has had a lasting influence. He died on June 6, 1972, in Chicago.

2.16 There is speculation that something may have been going on behind the scenes between Feistel and the U.S. government (see Levy’s excellent book Crypto [151] for an account of some of these possible scenarios as well as other related cryptographic activities).

2.17 Years later, Feistel said that if it had not been for the Watergate scandal that rocked Washington, the NSA would probably have shut down the Lucifer project, as they had so many of his earlier efforts. In fact, in the early 1970s, patent secrecy orders were placed on some of Feistel’s inventions by the U.S. government.

DES is an example of a block cipher, about which we will learn the details in Chapter 3 (as well as an entire class of ciphers, called Feistel ciphers, in honour of the groundbreaking work he did in those early years). Basically, block ciphers encipher fixed size blocks of data. For DES this is a block size of 56 bits, which is too small for modern-day data transfer. Its key size, at 56 bits, is also inadequate for modern usage, as we shall demonstrate below.

Lucifer was modified by the NSA, before it became the Data Encryption Standard. There was, and in some circles still is, controversy that the NSA had slipped a “back door” into the standard, which would allow them an easy method for deciphering messages encrypted with DES. This suspicion was even investigated in 1978 by the U.S. Senate Select Committee on Intelligence, the findings of which are, of course, classified. However, an unclassified summary of their investigation stated that the NSA had no improper involvement in the design of DES. Yet, many remain skeptical since the details of the investigation were not made public. Despite such concerns, DES was used by banking, commerce, and industry until the end of the twentieth century, when it reached the end of its tenure as a secure cryptosystem.

At the CRYPTO2.19 conference, in 1993, M.J. Wiener presented an efficient key-search design that would have taken 3.5 hours (at that time) on a machine costing one million U.S. dollars to do an exhaustive search of the keyspace, also called a brute force attack, which means that all possible keys are tried to see which one is being used by the communicating entities. We will come back to this issue when we look at the replacement for DES, the new AES (see Footnote 3.10 on page 150). By 1998, the 56-bit keylength used by DES was coming increasingly under attack by modern methods. In that year, a group led by Paul Kocher (about whom we will learn more later when we talk about security issues, see page 176) custom-built a computer for about a quarter of a million U.S. dollars, which they used to find a DES key in roughly fifty-six hours. The plaintext read: “It’s time for those 128-, 192-, and 256-bit keys.” Six months later, in January 1999, the same team did this in less than twenty-four hours. This and other developments spelled the end for DES since the keylength was just too small to withstand cryptanalytic advances. By August of 2000, DES was replaced with a non-Feistel cryptosystem called the Advanced Encryption Standard (AES), which allowed for 128-, 192-, and 256-bit keys. We will discuss it in detail in Section 3.5.

The 1970s also saw a revolutionary change in the manner in which keys were handled. Cryptography was about to go public. In a paper [69], published in 1976, Whit Diffie and Martin Hellman conceived of a method for two entities,2.20 who have never met in advance or exchanged keys, to establish a shared secret key by exchanging messages over an open (unsecured) channel.2.21 We will learn the mathematical means for how this works in Chapter 4. Up to the time of this idea, all cryptosystems, including DES, were looking for mechanisms to securely distribute secret keys. This is because once a symmetric enciphering key is known, an entity can easily deduce the deciphering key from it. Now, with the introduction of the Diffie-Hellman idea, which has come to be known as the Diffie-Hellman Key-Exchange,2.22 entities could exchange keys in the open and ensure privacy. It seems contrary to the very notion of secrecy. However, that is the brilliance of the scheme: use two essentially different keys, one for enciphering that can be made public, and one for deciphering that can be kept private, a key pair. No longer would the key be symmetric (the deciphering key easily determined from the enciphering key and vice versa). Now there would be an asymmetric key pair, the advent of public-key cryptography (PKC). How could this possibly work?

2.18 A complete description of DES is given in the U.S. Federal Information Processing Standards Publication number 46 (or FIPS-46), Springfield, Virginia, April 1977. It was updated to FIPS-1 in 1988, then again to FIPS-2 in 1993 — see the FIPS homepage: http://www.itl.nist.gov/fipspubs/. The American National Standards Institute (ANSI) approved DES as a private sector standard in 1981 — see the ANSI homepage at: http://www.ansi.org/.

2.19 CRYPTO is a conference on cryptology held annually in late August at the University of California at Santa Barbara.

Public-Key Cryptography (PKC)

Before giving an introduction to the Diffie-Hellman idea, let us look at an analogy, a standard one, for PKC, which will provide an easy-to-understand scenario to give the reader an understanding of how a public key can work. First we will introduce the first two characters (entities) in our cryptographic cast, Alice and Bob. Suppose that Bob has a public wall safe with a private combination known only to him. Moreover, the safe is left open and made available to passers-by. Then anyone, including Alice, can put messages in the safe and lock it. However, only Bob can retrieve the message, since even Alice, who left the message in the safe, has no way of retrieving it.

In order to give a general overview of the basic Diffie-Hellman idea, we need the notion of a one-way function, which we may view, at this juncture, as a method of enciphering that cannot be reversed. For instance, if you write a message on a piece of paper, then burn it, that is an example of a one-way function since retrieving the message is impossible. One says, in mathematical terms, that this is a function whose values are easy (computationally feasible) to compute, but calculating the inverse is computationally infeasible, meaning that the task cannot be carried out in reasonable computational time. As Diffie and Hellman put it in [69], a computationally infeasible task is one whose “cost as measured by either the amount of memory used or the runtime is finite but impossibly large.” (Typically, this means that it would take hundreds, if not millions, of years on the fastest computer known.) However, if you burn the paper, how does the intended recipient read the message? You need additional information built into your one-way function so that the intended recipient can recover the message. This additional information is called a trapdoor. Mathematically speaking, a trapdoor in a one-way function is additional information that makes the finding of the inverse a feasible task, but without the trapdoor information, the task is computationally infeasible (see Chapter 4). For now, think of a trapdoor as information that allows you to invert the function (decrypt the message), but if you do not know it, you cannot invert the function. It is easy enough, as our paper-burning example indicated, to find one-way functions, but getting those with trapdoors requires a bit more effort. So now let us see how the Diffie-Hellman idea works.

2.20 Henceforth, by an entity we will mean any person or thing, such as a computer terminal, which sends, receives, or manipulates information.

2.21 From now on, by a channel we will mean any means of communicating information from one entity to another. A secure channel is one that is not physically accessible to an adversary, whereas an unsecured channel is one from which entities, other than those for whom the information was intended, can delete, insert, read, or reorder data.

2.22 In some parts of the literature, this is called the Merkle-Diffie-Hellman Key-Exchange since R.C. Merkle was working on these same ideas at that time. Merkle was a graduate student at the University of California at Berkeley, and was working on an idea for a one-way function involving certain puzzles. This would evolve later into what we now call the knapsack ciphers, none of which have survived cryptanalysis today. We will come back to this topic in later chapters. Merkle actually proposed joint work in a letter he wrote to Hellman in February 1976. However, it turned out that the Diffie-Hellman idea was both more efficient and more secure than Merkle’s idea.

Alice and Bob have never met, but want to establish a secret means of communicating with one another. Bob and Alice both have unique public keys, which we may envision as long strings of bits, published in some public data base of keys that anyone can look up. Both Alice and Bob also have private keys that they keep secure and known only to themselves, namely, only Bob knows his private key2.23 and only Alice knows her private key. Now, Alice takes a message and uses Bob’s public key via a one-way function to encipher the message in a manner that only Bob’s private key can decipher. So when Alice sends the cryptogram, the only person in the world who can decipher it is Bob, with his private key. Now suppose that another of our cast of characters, the eavesdropping adversary Eve, intercepts the message. Without Bob’s private key, she has only trial and error at her disposal to try to cryptanalyze it, probably taking millions of years, so her interception is useless. Thus, since Bob is the only person who has both elements of the key pair, he can decipher the message instantly. The message might contain the symmetric key k, say, and a reference to the symmetric-key algorithm, such as DES, say. Similarly, Bob uses Alice’s public key and a one-way function to encrypt a response, which would say that he agrees to use DES with symmetric key k for their correspondence, and sends this to Alice, who uses her private key to decrypt, and she is the only one who can do so. In the Diffie-Hellman scheme, k is the shared secret key independently generated by both Alice and Bob. The key exchange is complete since Alice and Bob are in agreement on k. Hence, over an unsecured channel, they have established a secure means of communicating.

The observant reader may wonder why they do not just use this key pair for all of their correspondence rather than using it to set up a key exchange for use with a symmetric-key cryptosystem. The reason has to do with efficiency, as we will see in detail in Chapter 4. Public-key methods are extremely slow compared to symmetric-key methods. In later discussions, we will see how both the public-key and symmetric-key cryptosystems come to be used, in concert, to provide the best of both worlds, combining the efficiency of symmetric-key ciphers with the increased security of public-key ciphers, called hybrid cryptosystems.

2.23 We use the convention that the term private key is reserved for use in association with public-key cryptography, also called asymmetric-key cryptography, whereas the term secret key is reserved for symmetric-key cryptography. The cryptographic community has adopted this convention since it takes two or more entities to share a secret (such as the symmetric secret key), whereas it is truly private when only one entity knows about it (such as with the asymmetric private key).
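The exchange described above, carried through as an added worked example (this is not code from the book): a toy Diffie-Hellman run in Python in which the values Eve can observe on the open channel are kept separate from the private exponents, both sides independently arrive at the same k, and k is hashed into a key for a symmetric cipher, the hybrid use just mentioned. The parameters p = 23, g = 5, the `Party` class and the helper names are constructed for illustration; they are far too small for real use, which is exactly what the brute-force discrete-log helper is meant to show.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy group parameters (constructed for illustration only).
# A real deployment uses a large safe prime p (2048 bits or more).
TOY_P = 23
TOY_G = 5


@dataclass
class Party:
    """One entity in the exchange; the private exponent never leaves it."""
    name: str
    p: int
    g: int
    private: int = 0
    public: int = 0

    def generate(self, private=None):
        # Private exponent x in [1, p-2]; public value g^x mod p is the
        # one-way function of x that gets published.
        self.private = private if private is not None else secrets.randbelow(self.p - 2) + 1
        self.public = pow(self.g, self.private, self.p)
        return self.public

    def shared_secret(self, other_public):
        # k = (other side's public value)^x mod p; both sides get the same k.
        return pow(other_public, self.private, self.p)


def derive_symmetric_key(k):
    """Hash the shared integer into a fixed-length key for a symmetric cipher."""
    return hashlib.sha256(str(k).encode()).hexdigest()


def run_exchange(p=TOY_P, g=TOY_G, alice_private=None, bob_private=None):
    """Run the exchange and return (k, derived key, what Eve saw on the wire)."""
    alice = Party("Alice", p, g)
    bob = Party("Bob", p, g)
    A = alice.generate(alice_private)   # sent over the open channel
    B = bob.generate(bob_private)       # sent over the open channel
    k_alice = alice.shared_secret(B)
    k_bob = bob.shared_secret(A)
    assert k_alice == k_bob             # agreement on k completes the exchange
    eve_sees = {"p": p, "g": g, "A": A, "B": B}
    return k_alice, derive_symmetric_key(k_alice), eve_sees


def naive_discrete_log(p, g, target):
    """Eve's trial and error: try every exponent until g^x == target (mod p).
    Only feasible because p is tiny; the work grows with the size of p."""
    for x in range(1, p):
        if pow(g, x, p) == target:
            return x
    return None
```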

The Diffie-Hellman paper [69] was the “door-opener” to public-key cryptography in that it was the landmark, since it had the first cryptographic protocol2.24 with public-key properties including the idea of a trapdoor one-way function, a partial solution to the public-key cryptosystem, and digital signatures (see Chapter 4). At the end of their paper Diffie and Hellman state: “Skill in production cryptanalysis has always been heavily on the side of the professionals, but innovation, particularly in the design of new types of cryptographic systems, has come primarily from amateurs.” They even go on to mention the “cryptographic amateur”, Thomas Jefferson, and his wheel cypher and the fact that it was used two centuries after its invention (see pages 66 and 67). Also, they talk about the amateurs responsible for the rotor ciphers (see page 90).

In summary, the Diffie-Hellman key exchange allowed two entities to set up a shared secret symmetric key, but they did not provide any method for enciphering messages, or any way to extend to digital signatures, digital data strings that associate a given message with its sender. As Diffie and Hellman put it at the outset of their paper, “We propose new techniques for developing public key cryptosystems, but the problem is still largely open.” This would take a couple more years.

RSA and PKC

In 1978, a paper [230] was published by R. Rivest, A. Shamir, and L. Adleman. In this paper they describe a public-key cryptosystem, including key generation and a public-key cipher, whose security rests upon the presumed difficulty of factoring integers into their prime factors.2.25 This cryptosystem, which has come to be known by the acronym from the authors’ names, the RSA cryptosystem, has stood the test of time to this day, where it is used in cryptographic applications from banking and e-mail security to e-commerce on the Internet. We will be discussing all these applications as we progress through the text, and we will provide the details of the RSA algorithm in Chapter 4. The astonishing aspect of the RSA cipher is that it rests upon mathematical developments from the eighteenth century, merely updated to our modern-day information-based computer world. In the RSA paper [230], Alice and Bob make their first appearance as sender and recipient of messages. These characters were quickly adopted by the cryptographic community, and were expanded to include a family of characters, such as Eve, and a host of others whom we will meet as our horizons broaden in our travels.

2.24 By a protocol, in general human terms, we will mean prearranged etiquette such as understood behavior at a formal dinner party. On the other hand, a cryptographic protocol means an algorithm, involving two or more entities, using cryptography to achieve a security goal, which might involve issues of authentication, privacy, and secrecy, all of which we will discuss in detail later in the text.
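The RSA cipher just introduced, as an added example in Python (not the book's or the RSA paper's own code): key generation from two primes, Bob's public operation, the private inversion only the holder of the trapdoor d can perform, and the factoring step Eve would need to recover d from the public key. The primes 61 and 53 and exponent 17 form a constructed toy key; real keys use primes of 1024 bits or more, which is what puts the factoring step out of reach.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int   # modulus, the product of two secret primes
    e: int   # public (enciphering) exponent


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int   # private (deciphering) exponent: the trapdoor


def keygen(p, q, e=65537):
    """Build an RSA key pair from two distinct primes p and q.
    Toy sizes are used below; a real key needs primes of 1024 bits or more."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse, so e*d == 1 (mod phi)
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub, m):
    """Bob's public operation e_B(m) = m^e mod n; anyone with the public key can do it."""
    if not 0 <= m < pub.n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, pub.e, pub.n)


def decrypt(priv, c):
    """Inversion with the trapdoor: c^d mod n recovers m."""
    return pow(c, priv.d, priv.n)


def trial_division_factor(n):
    """What Eve would have to do to rebuild d from (n, e): recover p and q.
    Feasible only for toy n; this is the hard problem RSA rests on."""
    for cand in range(2, math.isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    return None


# Constructed toy key: primes 61 and 53, public exponent 17.
TOY_PUB, TOY_PRIV = keygen(61, 53, e=17)
```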

As the following diagram illustrates, if Alice wants to send a message to Bob, she looks up his public key eB in a public data base and encrypts her message m with it to get eB(m) = c, as ciphertext. If Eve is listening in, she has only question marks in her head since she does not have access to Bob’s securely