Professional Documents
Culture Documents
2 (1997) 10-13

Introduction to Cryptology

By Professor Fred Piper, Information Security Group, Royal Holloway, University of London

This article provides a general introduction to the subject of Cryptology, explains the terminology and the practical application of cryptographic

In order that the recipient can obtain the message from the cryptogram there has to be a deciphering algorithm which, when seeded by the appropriate deciphering key k(D), reproduces the plaintext from the ciphertext. This is shown diagrammatically by the following figure.

[Figure: diagram of a cipher system; the image itself is not recoverable from the extracted text]

A cipher system is called conventional or symmetric if it is easy to deduce the deciphering key k(D) from the enciphering
the ultimate responsibility involved in keeping a system secret.

WC2 is a reasonable assumption. If there is no possibility of interception then there is no need to use a cipher system. However, if interception is a possibility then, presumably, the communicators will not be able to dictate when the interception takes place and the safest option is to assume that all transmissions will be intercepted.

WC3 is also a realistic condition. The attacker might gain this type of information by observing traffic or making intelligent guesses. He might even be able to choose the plaintext for which the ciphertext is known.

An attack which utilizes the existence of known plaintext/ciphertext pairs is called a known plaintext attack. If the plaintext is selected by the attacker then it is a chosen plaintext attack.

One consequence of accepting these worst case conditions is that we have to assume that the only information which distinguishes the genuine recipient from the interceptor is knowledge of k(D). Thus the security of the system is totally dependent on the secrecy of the deciphering key. This reinforces our earlier assertion about the importance of good key management.

We must stress that assessing the security level of a cipher system is not an exact science. All assessments are based upon assumptions, not only on the knowledge available to an attacker, but also on the facilities available to them. The best general principle is to assume the worst and/or err on the side of caution. It is also worth stressing that, in general, the relevant question is not "is this an exceptionally secure system?" but, rather, "is this system secure enough for this particular application?" This latter observation is very important and it must be recognized that there is a 'market' for low level security. For almost all non-military implementations the provision of security is a costly overhead. Furthermore, the addition of the security facilities frequently degrades the overall performance of the system. Thus there is a natural requirement to keep the security to a minimum. One common way of trying to determine the level of security required is to try to estimate the length of time for which the information needs protection. If we call this the desired cover time of the system then we have a crude indication of the security level required. For instance the cipher system suitable for a tactical network with a cover time of a few minutes may be considerably 'weaker' than that required for a strategic system where, as in the case of government secrets, the cover time may be tens of years.

If we assume that our deciphering algorithm is known then there is one obvious method of attack available to the interceptor. They could, at least in theory, try each possible deciphering key and 'hope' that they identify the correct one. Such an attack is called an exhaustive key search. Of course such an attack cannot possibly succeed unless the attacker has some way of recognizing the correct key or, as is more common, at least being able to eliminate some obviously incorrect ones. In a known plaintext attack, for instance, it is clear that any choice of k(D) which does not give the correct plaintext for all the corresponding ciphertext cannot possibly be the correct key.
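The search just described, worked through as an added example (this is not code from the article): a deliberately tiny cipher with an 8-bit block and a 16-bit key, so that every key can be tried in well under a second, and known plaintext/ciphertext pairs used to eliminate candidates. The cipher, TRUE_KEY and KNOWN_PLAINTEXTS are all constructed for the demonstration and have no security value; the point is the elimination rule and the cover-time comparison, not the cipher.

```python
"""
Exhaustive key search driven by known plaintext, against a toy cipher.

Added example, not code from the article.  The cipher is a tiny 4-round
substitution/rotation network (8-bit block, 16-bit key) chosen so the whole
key space is searchable in well under a second.  It has no security value;
it shows how known pairs let the attacker eliminate keys, and why one pair is
rarely enough when the block is shorter than the key.  TRUE_KEY and
KNOWN_PLAINTEXTS are constructed for the demo.
"""
from typing import Iterable, List, Optional, Sequence, Tuple

KEY_BITS = 16
ROUNDS = 4


def _sbox(x: int) -> int:
    # Affine byte permutation: 167 is odd, so x -> 167*x + 13 (mod 256) is a bijection.
    return (x * 167 + 13) & 0xFF


def _rotl3(x: int) -> int:
    # Rotate an 8-bit value left by 3 bits.
    return ((x << 3) | (x >> 5)) & 0xFF


def toy_encrypt(key: int, plaintext: int) -> int:
    """Encrypt one 8-bit block under a 16-bit key; every round is a bijection."""
    subkeys = (key & 0xFF, key >> 8)
    x = plaintext & 0xFF
    for r in range(ROUNDS):
        x = _rotl3(_sbox(x ^ subkeys[r % 2]))
    return x


def exhaustive_search(pairs: Sequence[Tuple[int, int]],
                      candidates: Optional[Iterable[int]] = None) -> List[int]:
    """Keys (from `candidates`, default the whole key space) that reproduce every
    known (plaintext, ciphertext) pair.  A key that fails any one pair is
    discarded: it cannot be the correct key, which is the article's rule."""
    if candidates is None:
        candidates = range(1 << KEY_BITS)
    return [k for k in candidates
            if all(toy_encrypt(k, p) == c for p, c in pairs)]


def narrow_down(pairs: Sequence[Tuple[int, int]]) -> Tuple[List[int], List[int]]:
    """Feed the pairs in one at a time; return the survivor count after each pair
    and the final survivor list.  Each pass re-tests only the previous survivors."""
    survivors = list(range(1 << KEY_BITS))
    counts = []
    for pair in pairs:
        survivors = exhaustive_search([pair], survivors)
        counts.append(len(survivors))
    return counts, survivors


def exhaustive_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at a given rate.  Set this against the
    cover time the information needs: if the whole key space can be searched
    comfortably inside the cover time, the key is too short for that use."""
    return (1 << key_bits) / keys_per_second


TRUE_KEY = 0xBEEF                            # the secret the interceptor wants (constructed)
KNOWN_PLAINTEXTS = [0x00, 0x41, 0x42, 0xFF]  # plaintext the attacker knows or chose (constructed)


def demo() -> dict:
    """Pairs observed under TRUE_KEY, then the search that recovers it."""
    pairs = [(p, toy_encrypt(TRUE_KEY, p)) for p in KNOWN_PLAINTEXTS]
    counts, survivors = narrow_down(pairs)
    return {"pairs": pairs, "counts": counts, "survivors": survivors,
            "found": TRUE_KEY in survivors,
            # at 65 536 keys per second this whole key space falls in one second
            "seconds_at_64k_per_s": exhaustive_search_seconds(KEY_BITS, 65536.0)}


if __name__ == "__main__":
    print(demo())
```

With an 8-bit block, roughly one wrong key in 256 also maps a given plaintext to the observed ciphertext by chance, so the survivor count typically shrinks by about that factor with each additional pair; an attacker therefore wants several pairs before trusting a single surviving candidate. In a ciphertext-only setting the same loop needs a recogniser for "plausible plaintext" in place of the equality test, which is the "some way of recognizing the correct key" the article refers to.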
Uses of cryptography

In the introductory section we assumed that cryptography was being used to provide secrecy. Although this is its 'traditional' use it is no longer its only application. In fact, it is probably true to say that the provision of secrecy is no longer its main purpose.
When messages are sent over open networks there may not be any need for confidentiality, but the user is likely to need assurance that the message received has not been altered during transmission. Furthermore, they will also need to be confident that they know the identity of the sender. Cryptography may be used to provide these assurances.

This is an appropriate place to point out a fundamental difference between the use of symmetric and asymmetric algorithms. If a symmetric algorithm is used then the receiver and sender share the same secret key and it is the use of this secret key that identifies them to each other and provides the assurances about the integrity of the data and the identity of the sender. Provided that they remain the only two people who know the secret key then they have protection against all third parties. However, they have no protection from each other. Either one of them could use the secret key and claim that the other must be responsible. Thus symmetric systems are only appropriate when the two parties trust each other. If two parties need protection from each other, in the sense that, say, the sender should not be able to deny sending a particular message, then there must be some form of asymmetry between them. In this case data integrity and user authentication are provided by the use of a digital signature, which is a cryptographic checksum added by the sender but with the property that only the sender could have computed it. In most circumstances any third party, e.g. a judge, will be able to verify that the checksum was computed by the actual sender.

Public key systems tend to use arithmetic processes involving very large numbers and, as a result, are usually significantly slower than symmetric algorithms. Thus they tend not to be used for encrypting large passages of text. The two main uses of public key systems are the provision of digital signatures and as key encrypting keys to distribute keys for symmetric systems. In each case an attacker has two different methods of attacking the system. One is to obtain the relevant secret key. This might be achieved by computing the secret key from the public key or by obtaining a device which stores and/or uses that key. (The computation attack is prevented by using suitably large keys and relying on the infeasibility of the attacker successfully completing the necessary calculations. Attacks which involve the misuse of devices must be thwarted by good management and/or the use of suitably tamper resistant devices.) The other attack is to substitute a public key for the genuine one. If the public key system is being used to encrypt a symmetric key then, since the attacker's key has been used for the encryption, it will be the attacker and not the intended recipient who obtains the symmetric key. If the public key system is being used to provide digital signatures then, clearly, the attacker can forge the signature of the genuine signer.

This last paragraph highlights the need for being able to guarantee the authenticity of public keys. This is not an easy problem and most solutions involve the use of a trusted third party, called a Certification Authority (CA), which digitally signs a certificate which binds the identity of the key owner to the value of the public key. Anyone who has an authentic copy of the CA's public key, and has confidence that the CA will have checked the key owner's credentials, will then be able to confirm the authenticity of the public key by checking the CA's signature. These certificates can also be used to verify a user's identity by issuing a challenge which they must encrypt using their secret key. The issuer of the challenge can use the public key value in the certificate to decrypt the response and, if the answer is correct, knows that the response must have come from the user identified in the certificate. Of course the problem now is ensuring that we can have confidence in the CA and be sure that we have an authentic copy of that CA's public key.