Why Cryptography

❚ Because it is Private
❚ It’s not anyone else’s business
❚ You must protect yourself

Quadralay Cryptography Archive Internet Privacy Coalition

Crypto-Log
 Paradigm Shift
❚ Telephone network
❙ Owned by few
❙ Effectively managed
❚ Traditional LAN Therefore,
❙ Owned by an cryptograph
organization y is
❙ Centrally managed important!!
❚ The Internet
❙ No one owns it
❙ Management anarchy
 Internet Reality
❚ Anyone can be intercepting your data
❚ Ethernets are easy to “spy” on
❚ Most of today’s attacks are kids
❚ Professionals are coming
❚ Many internet links travel on microwaves

Americans for Computer Privacy

 Cryptography
❚ Art of enciphering information to
render it meaningless to all but a few
❙ It is still an “art”
❚ Third oldest profession
❙ After tattoo artistry

The Center for Democracy and Technology

Secret Key Cryptosystems

“Conventional” ciphers use the same

key for encryption and decryption

Secret Key Cryptosystems

(Real Audio)
Public Key Cryptosystems

“Public key” ciphers use a pair of keys

(one public, one private)

Public Key Cryptosystems

(Real Audio)
Problems of Cryptography

❚ Develop cryptographic algorithm

❚ Generate “strong” keys
❚ Distribute keys securely
❚ Develop protocol for interaction

Security Pitfalls in Cryptography

Develop Algorithms
❚ Easiest step:
❙ Don’t do it!
❚ If you must…
❙ Spend 10 years breaking other people’s
algorithms
❙ Get other people to attack your design
❚ Plenty of good algorithms exist
❙ People are busy attacking them
ALGORITHMS
❚ DES
❙ IBM/NSA - 56bit keys (dented, but not broken)
❚ IDEA
❙ 128 bit keys; not feasibly broken by brute force
❚ RC-5
❙ Can be licensed from RSA data security
❙ Used by many commercial products
Problems of Cryptography

❚ Develop cryptographic algorithm

❚ Generate “strong” keys
❚ Distribute keys securely
❚ Develop protocol for interaction

Security Pitfalls in Cryptography

 Generate Strong Keys

❚ Very hard, many systems attacked this way

❙ Netscape (10/95)
❙ Kerberos (2/96)
❚ Cryptographic “random” numbers have to be
unpredictable
❚ Tighter requirements than for statistical uses
❚ Computers are VERY VERY NON-random devices
Problems of Cryptography

❚ Develop cryptographic algorithm

❚ Generate “strong” keys
❚ Distribute keys securely
❚ Develop protocol for interaction

Security Pitfalls in Cryptography

 Distribute Keys
❚ Another way to
crack systems
❚ Interception of
keys in transit,
or storage
Problems of Cryptography

❚ Develop cryptographic algorithm

❚ Generate “strong” keys
❚ Distribute keys securely
❚ Develop protocol for interaction

Security Pitfalls in Cryptography

 Develop Protocol

Careful not to negotiate insecurity

Example: Cannot ask untrusted

endpoint for name of authentication
domain
• Until you have a secure
association, you can’t negotiate
security
 Internet Security
Principles
❚ Protect yourself
❚ Help others
❚ Remember which of these is first!!

Competing Internet Privacy Initiatives

(Real Audio)
 DES Data Encryption Standard

❚ Developed by IBM, refined by NSA

❚ 56 bit keys, 64 bit blocks
❙ OK for 1977, but a little short today
❚ “Dented” but not broken
❚ Key length too short for much longevity
❙ Brute force can be used successfully
❚ Fast in hardware, slow in software
IDEA International Data Encryption Algorithm

❚ Developed by Xuejia Lai and James L.

Massey of ETH Zurich
❚ Published in 1990, 128 bit keys
❚ Fast in software
❚ 128 bit keys can not feasibly be broken
by brute force
❙ Would require all the energy output of the
earth for 500-600 years
❚ Patented, but licensing not difficult
 3DES Triple DES

❚ Three passes of DES

❙ Encrypt with key 1
❙ Decrypt with key 2
❙ Encrypt with key 3
❚ Has 112 bits of strength
❚ Slow (3 times DES)
❚ Freely available (no patent issues)
❚ Very strong
❙ Could follow with IDEA encryption
 RC5
❚ Ron Cipher #5
❚ Trade secret
❙ Publicly released
❙ Reverse engineering partially successful
❚ Very fast stream cipher
❚ Variable key length
❚ Believed to be “good” but only recently
studied
❚ Can be licensed from RSA data security
❚ Used by many commercial products