Cryptography

Public-key algorithms are most often based on the computational complexity of 'hard' problems, often from number theory. Because of this, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques typically used in block ciphers, especially with typical key sizes. As such, public-key cryptosystems are commonly used in a "hybrid" system, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.

Cryptanalysis

The goal of cryptanalysis is to find some weakness or insecurity in a cryptographic scheme. Cryptanalysis might be undertaken by a hostile attacker, attempting to subvert a system, or by the system's designer (or others) attempting to evaluate whether a system has vulnerabilities. In modern practice, however, quality cryptographic algorithms and protocols usually come with proofs that establish practical security of the system (at least, under clear -- and hopefully reasonable -- assumptions).

It is commonly held misconception that every encryption method can be broken. In connection with his WWII work at Bell Labs Claude Shannon proved that the one-time pad cipher is unbreakable, provided the key material is truly random, never reused, kept secret from all possible attackers, and of equal or greater length than the message"Shannon": Claude Shannon and Warren Weaver, "The Mathematical Theory of Communication", University of Illinois Press, 1963, ISBN 0-252-72548-4. Most ciphers, apart from the one-time pad, can be broken with enough computational effort (by brute force attack if nothing else), but the amount of effort needed to break a cipher may be exponentially dependent on the key size, as compared to the effort needed to use the cipher. In such cases, effective security can still be achieved if some conditions (eg, key size) are such that the effort ('work factor' in Shannon's terminology) is beyond the ability of any adversary.

There are a wide variety of cryptanalytic attacks, and they can be classified in any of several ways. One distinction turns on what an attacker knows and can do. In a ciphertext-only attack, the cryptanalyst has access only to the ciphertext (modern cryptosystems are usually effectively immune to ciphertext-only attacks). In a known-plaintext attack, the cryptanalyst has access to a ciphertext and its corresponding plaintext (or to many such pairs). In a chosen-plaintext attack, the cryptanalyst may choose a plaintext and learn its corresponding ciphertext (perhaps many times); an example is the gardening used by the British during WWII. Finally, in a chosen-ciphertext attack, the cryptanalyst may choose ciphertexts and learn their corresponding plaintexts. Also important, often overwhelmingly so, are mistakes (generally in the design or use of one of the protocols involved); one class of these was termed cillies at Bletchley Park during WWII.

Cryptanalysis of symmetric-key techniques typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be against a perfect cipher. For example, a simple brute force attack against DES requires one known plaintext and 2⁵⁵ decryptions, trying approximately half of the possible keys, before chances are better than even the key will have been found. However, a linear cryptanalysis attack against DES requires 2⁴³ known plaintexts and approximately 2⁴³ DES operationsPascal Junod, ["On the Complexity of Matsui's Attack"], SAC 2001..

Public-key algorithms are based on the computational difficulty of various problems. The most famous of these is integer factorization (the RSA cryptosystem is based on a problem related to factoring), but the discrete logarithm problem is also important. Much public-key cryptanalysis concerns numerical algorithms for solving these computational problems efficiently. For instance, the best algorithms for solving the elliptic curve-based version of discrete logarithm are much more time-consuming than the best known algorithms for factoring, for problems of equivalent size. Therefore, to achieve an equivalent strength, factoring-based encryption techniques must use larger keys than elliptic curve techniques. For this reason, public-key cryptosystems based on elliptic curves have become popular since their invention.

While pure cryptanalysis uses weaknesses in the algorithms themselves, other attacks are based upon the implementation, known as side-channel attacks. If a cryptanalyst has access to, say, the amount of time the algorithm took to encrypt a number of plaintexts or report an error in a password or PIN character, he may be able to use a timing attack to break a cipher that is otherwise resistant to analysis. An attacker might also study the pattern and length of messages to derive valuable information; this is known as traffic analysisDawn Song, David Wagner, and Xuqing Tian, ["Timing Analysis of Keystrokes and Timing Attacks on SSH"], In Tenth USENIX Security Symposium, 2001..

Cryptographic primitives

Much of the theoretical work in cryptography concerns cryptographic primitives — algorithms with basic cryptographic properties — and their relationship to other cryptographic problems. For example, a one-way function is a function that is easy to compute but hard to invert. In order for any cryptographic application to be secure (if based on computational assumptions), one-way functions must exist. However, if one-way functions exist, this implies that P ǂ NP. Since the P versus NP problem is unsolved, we don't know if one-way functions exist. If they do, however, we can build other cryptographic tools from them. For instance, if one-way functions exist, then pseudorandom generators and pseudorandom functions existJ. Håstad, R. Impagliazzo, L.A. Levin, and M. Luby, ["A Pseudorandom Generator From Any One-Way Function"], SIAM J. Computing, vol. 28 num. 4, pp 1364–1396, 1999..

Other cryptographic primitives include one-way permutations, trapdoor permutations, and oblivious transfer protocols.

Cryptographic protocols

When a cryptographic system fails, typically breaching security, it is rare that the vulnerabilty leading to the breach will have been in a quality cryptographic primitive. Instead, weaknesses are often mistakes in the protocol design (often due to inadequate design procedures or less than thoroughly informed designers), in the implementation (eg, a software bug), in a failure of the assumptions on which the design was based (eg, proper training of those who will be using the system), or some other human error. Many cryptographic protocols have been designed and analyzed using ad hoc methods. Methods for formally analyzing the security of protocols, based on techniques from mathematical logic (see for example BAN logic), and more recently from concrete security principles, have been the subject of research for the past few decadesD. Dolev and A. Yao, ["On the security of public key protocols"], IEEE transactions on information theory, vol. 29 num. 2, pp. 198-208, IEEE, 1983.M. Abadi and P. Rogaway, "Reconciling two views of cryptography (the computational soundness of formal encryption)." In IFIP International Conference on Theoretical Computer Science (IFIP TCS 2000), Springer-Verlag, 2000.D. Song, "Athena, an automatic checker for security protocol analysis", In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW), IEEE, 1999., but the tools available are still essentially inadequate. They are typically cumbersome and not yet widely used for complex designs.

The study of how best to implement and integrate cryptography in applications is itself a distinct field, see: cryptographic engineering and security engineering.

Legal issues involving cryptography

In some countries, even the domestic use of cryptography is, or has been, restricted. Until 1999, France significantly restricted the use of cryptography domestically. In China, a license is still required to use cryptography. Many countries have tight restrictions on the use of cryptography. Among the more restrictive are laws in Belarus, China, Kazakhstan, Mongolia, Pakistan, Russia, Singapore, Tunisia, Venezuela, and Vietnam[RSA Laboratories' Frequently Asked Questions About Today's Cryptography].

In the United States, cryptography is legal for domestic use, but there has been much conflict over legal issues related to cryptography. One particularly important issue has been the export of cryptography and cryptographic software and hardware. Because of the importance of cryptanalysis in World War II and an expectation that cryptography would continue to be important for national security, many western governments have, at some point, strictly regulated export of cryptography. After World War II, it was illegal in the US to sell or distribute encryption technology overseas; in fact, encryption was classified as a munition, like tanks and nuclear weapons[Cryptography & Speech] from Cyberlaw. Until the advent of the personal computer and the internet, this was not especially problematic as good cryptography was indistinguishable from bad cryptography for most users, and because most of the available cryptography was slow and error prone whether good or bad. However, as the Internet grew, and computers became more widely available, high quality encryption techniques became well-known around the globe. Export controls came to be understood to be an impediment to commerce and to research, particularly in the United States.

In the 1990s, several challenges were launched against US export regulations of cryptography. Philip Zimmermann's Pretty Good Privacy(PGP) encryption program, as well as its source code, was released and found its way onto the Internet in June of 1991. Zimmermann was investigated by the FBI for several years but no charges were filed["Case Closed on Zimmermann PGP Investigation"], press note from the IEEE.Steven Levy, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age, 2001, ISBN 0-670-85950-8. Also, Daniel Bernstein, then a graduate student at UC Berkeley, brought a lawsuit against the US government challenging aspects of those restrictions on free speech grounds in the 1995 case Bernstein v. United States which ultimately resulted in a 1999 decision that printed source code for cryptographic algorithms and systems was protected by the United States Constitution.[Bernstein v USDOJ], 9th Circuit court of appeals decision..

In 1996, thirty-nine countries signed the Wassenaar Arrangement, an arms control treaty that deals with the export of arms and "dual-use" technologies such as cryptography. The treaty stipulated that the use of cryptography with short key-lengths (56-bit for symmetric encryption, 512-bit for RSA) would no longer be export-controlled[The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies]. Cryptography exports from the US are much less strictly regulated now than in the past as a consequence of a major relaxation in 2000, and there are no longer many restrictions on key sizes in US-exported mass-market software. See Export of cryptography for more details. In practice, today, due to those US export restrictions being relaxed, and because almost every personal computer connected to the internet, everywhere in the world, includes a US-sourced web browser such as Mozilla Firefox or Microsoft Internet Explorer, almost every internet user worldwide has strong cryptography on their desktop in the form of their browser's Transport Layer Security stack. The Mozilla Thunderbird and Microsoft Outlook E-mail client programs similarly can connect to IMAP or POP servers via TLS, and can send and receive email encrypted with S/MIME. Many internet users don't even realize that their basic application software contains such powerful cryptography features. These browsers and email programs are now so ubiquitous that even governments that purport to regulate civilian use of cryptography generally don't find it practical to do much to control their distribution or use, so even when such laws are on the books, enforcement is often lax.

Another contentious issue in cryptography in the United States was the National Security Agency and its involvement in high quality cipher development. NSA was involved with the design of DES during its development at IBM and its consideration as a possible Federal Standard for cryptography["The Data Encryption Standard (DES)"] from Bruce Schneier's CryptoGram newsletter, June 15, 2000. DES was designed to be secure against differential cryptanalysis, a cryptanalytic technique known to NSA and to IBM who (re)discovered it during DES' development (and remained silent at NSA's request), but not publicly known until it was (re)rediscovered in the late 1980s by Biham and ShamirE. Biham and A. Shamir, ["Differential cryptanalysis of DES-like cryptosystems"], Journal of Cryptology, vol. 4 num. 1, pp. 3-72, Springer-Verlag, 1991.. Another instance of NSA's involvement was the 1993 Clipper chip, an encryption microchip intended to be part of the Capstone cryptography-control initiative. Clipper was widely criticized for two cryptographic reasons: the cipher algorithm was classified (the cipher, called Skipjack, was declassified in 1998 after the Clipper initiative lapsed), which led to concerns that the NSA had made the cipher weak on purpose in order to assist its intelligence efforts. The whole initiative was also criticized based its violation of Kerchoff's law, as the scheme included a special escrow key held by the government for use in wiretaps. See Clipper chip for more information.

Cryptography is central to digital rights management (DRM), a technological way of controlling use of copyrighted material at being implemented at the behest of some copyright holders. In 1998, Bill Clinton signed the Digital Millennium Copyright Act (DMCA), which criminalized the production, dissemination, and use of certain cryptanalytic techniques and technology; specifically, those that could be used to circumvent DRM technological schemes[Digital Millennium Copyright Act]. This had a very serious potential impact on the cryptography community since an argument could be made that virtually any cryptanalytic research violated, or might violate, the DMCA. The FBI has not enforced the DMCA as rigorously as had been feared by some, but nonetheless, this law remains a contentious issue in the cryptography community. One well-respected cryptography researcher, Niels Ferguson, has publicly stated that he will not release some research into an Intel security design for fear of prosecution under the DMCA, and both Alan Cox and Professor Edward Felten (and some of his students) have encountered problems related to the Act. Dmitry Sklyarov was arrested, and jailed for some months, for alleged violations of the DMCA which occurred in Russia, where his work was legal.

See also

• Short and long lists of cryptography topics.
• Short and lists of cryptographers.
• Important books, papers, and open problems in cryptography.
• International Association for Cryptologic Research.

Further reading

• The Codebreakers by David Kahn, a comprehensive history of classical (pre-WW2) cryptography. The current edition has a brief addendum about WW2 and later.
• The Code Book by Simon Singh, a clearly written anecdotal history of crypto, covering modern methods including public key.
• [[Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age]] by Steven Levy, about the political and legal conflicts in the US about cryptography, such as the Clipper Chip controversy and the Bernstein v. United States lawsuit.
• Applied Cryptography, 2nd edition, by Bruce Schneier. General reference book about crypto algorithms and protocols, aimed at implementers.
• [Handbook of Applied Cryptography] by A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone (PDF download available), somewhat more mathematical than Schneier's book.
• Introduction to Modern Cryptography by Phillip Rogaway and Mihir Bellare, a mathematical introduction to theoretical cryptography including reduction-based security proofs. [PDF download].
• [RSA Laboratories' Frequently Asked Questions About Today's Cryptography].
• Stealing Secrets, Telling Lies: How Spies and Codebreakers Helped Shape the Twentieth Century, by James Gannon.
• [sci.crypt mini-FAQ].
• [NSA's CryptoKids].
• Cryptonomicon by Neal Stephenson (novel, WW2 Enigma cryptanalysis figures into the story, though not always realistically).
• Alvin's Secret Code by Clifford B. Hicks (children's novel that introduces some basic cryptography and cryptanalysis).

References

From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.