Security in Communication Networks
by MARTIN E. HELLMAN, Stanford University, Stanford, California
National Computer Conference, 1978

INTRODUCTION

It may seem anomalous that electronic mail and other computer communication systems require cryptographic protection when almost no physical mail is given this protection. The difference is that computer readable traffic is extremely vulnerable to automatic sorting at very low cost. Physical mail would also need to be encrypted if it were all written on postcards and could be sorted at a cost of only $1 for several million pages. Even seemingly innocuous facts can be damaging when such vast amounts of data can be screened for all messages mentioning one of a list of key words (e.g., computer communications, electronic mail, EFT, etc.). Analog voice circuits are as vulnerable to wiretapping, but are expensive to sort. Fortunately, the digital nature of the data makes high grade encryption possible at low cost. Analog circuits are almost impossible to secure adequately without going through a digital interface and encryption.

The National Bureau of Standards has promulgated a national data encryption standard which can be implemented on a single LSI chip [1]. In large quantities it should therefore cost on the order of $10, an insignificant addition to the cost of a computer terminal. While some have criticized the standard as being inadequately secure [2-4], this is not due to technical constraints, but rather appears to be a political problem.

While the cost of the encryption hardware is not a barrier to the widespread use of cryptography in computer oriented systems, there are other costs and problems which must be considered. Key distribution is one such problem [5]. In a network with n users there are approximately $n^2/2$ possible pairs of users who may wish to converse securely, hidden from all other users. The distribution of this many keys by courier, registered mail, etc. is clearly uneconomic even for n equal to one million.
This problem can be solved by having the system itself distribute keys, encrypted in user specific system keys or passwords, but this requires the system to be secure [6,7]. A more useful approach was suggested by Diffie and Hellman [5] and Merkle [8]. They proposed that it is possible to converse securely over an insecure channel with no prearrangement through use of "public key systems." The second section describes the public key systems of References 5 and 8 as well as systems devised by Rivest, Shamir and Adleman [9], McEliece [10], and Merkle and Hellman [11]. While none of these public key systems has been broken thus far, it is necessary that they withstand the test of time and concerted mock attacks by dedicated "opponents" before they can be trusted, because no methods are currently known for proving even conventional cryptosystems secure. In this regard we applaud the work of Simmons and Norris [12], which looked for potential weaknesses in one of the public key systems. More such work is needed, and it would not be surprising if weaknesses were found in one or more of the currently known systems, much as conventional cryptography also went through a learning period.

Digital signatures are discussed in the third section. Conventional cryptographic systems can prevent third party forgeries, but cannot settle disputes between the transmitter and receiver (e.g., a stock broker and his client) as to what message, if any, was sent. Solutions to this problem were first hypothesized by Diffie and Hellman [5] and found by Rivest, Shamir and Adleman [9] and Merkle and Hellman [11].

PUBLIC KEY SYSTEMS

Merkle's public key system is perhaps the simplest and least likely to yield to continued cryptanalytic efforts. Its disadvantage is that it is the most expensive. It depends on the existence of a one way function, a function that is easy to compute for all arguments in its domain but computationally infeasible to invert for almost all images in its range.
Such functions have been discussed elsewhere and are as easy to develop as secure cryptosystems of the conventional, as opposed to public key, type [5]. Merkle goes a step further and describes a method for generating one way functions of controllable "one wayness" or difficulty of inversion. A mildly one way function can be used to generate a puzzle, a problem which is difficult, but not impossible, to solve and for which it is easy to check a supposed solution. User A generates m keys, $k_1, k_2, \ldots, k_m$, and operates on them with a mildly one way function $f(\cdot)$ to obtain their images or puzzles, $y_1, y_2, \ldots, y_m$. These images are transmitted to user B, who selects one of them at random, say $y_i$, and solves the associated puzzle to obtain $k_i$. The two users now share a key in common, but A does not know which one it is. B therefore sends A the value $z = g(k_i)$, where $g(\cdot)$ is a true one way function. A then operates on $k_1, k_2$, etc. with $g(\cdot)$ until he finds one which yields z. The successful key must be $k_i$ provided $g(\cdot)$ is one-to-one.

The cost to A is linearly proportional to m, the number of puzzles, because A must operate on m k's with $f(\cdot)$, which is easy, to obtain the m y's; he must store the m k's; and finally he must operate on approximately m/2 of the k's with $g(\cdot)$, again an easy task, before finding z as an image. A's transmission cost is also linearly proportional to m since he must send m y's. B's dominant cost is in solving the one puzzle that he chose at random. By making the cost of solving a single puzzle proportional to m, the total cost to the two legitimate users is still only linear in m. An eavesdropper, however, must solve m/2 puzzles on the average before finding $k_i$, so his cost is proportional to $m^2$. Thus as m tends to infinity the ratio of cryptanalytic cost to key exchange cost also tends to infinity.

This method's weakness is in the relatively small ratio of costs ($m^2 : m$) and the fact that the key exchange cost is as much in transmission as in computation. (Transmission costs have not decreased as rapidly as computation costs.) The introduction of low cost, high bandwidth transmission media, such as fiber optics, may make this method more competitive. Merkle's paper [8] describes several very clever additions to this simple description, but the basic cost ratio is not changed.

Diffie and Hellman [5] propose a method of public key exchange which requires $2^{b/2}$ operations for cryptanalysis (using the best known algorithm) but only $b^3$ operations for key exchange, where b is the number of bits in the representation of the key. By choosing b = 400, key exchange requires only 64 million gate operations and takes approximately one second in a special purpose LSI implementation.
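Merkle's puzzle exchange described above, carried through as an added Python example; this is not code from Merkle's paper or from this article. The mildly one way function f is built here by blanking PUZZLE_BITS bits of a random 128-bit key and publishing a SHA-256 check value, g is SHA-256 under a different tag, and the sizes, the seeded random generator and the eavesdropper's search order are all choices made for the demonstration (the seed only makes the run reproducible; a real user would draw keys from a cryptographic generator).

```python
import hashlib
import random

KEY_BYTES = 16    # full key length; the true one way function g() must be one-way over this space
PUZZLE_BITS = 12  # bits of each key that f() hides: inverting one puzzle costs up to 2**12 hashes


def _tagged_hash(tag: bytes, key: bytes) -> bytes:
    return hashlib.sha256(tag + key).digest()


def f(key: bytes) -> tuple:
    """Mildly one way function (a construction chosen for this demo): publish all of the
    key except the two bytes carrying the hidden bits, plus a check value so that a guess
    can be verified. Inverting it is a bounded search over 2**PUZZLE_BITS candidates."""
    return key[:-2], _tagged_hash(b"f", key)


def g(key: bytes) -> bytes:
    """True one way function: SHA-256 over the full 128-bit key, under a distinct tag."""
    return _tagged_hash(b"g", key)


def solve_puzzle(puzzle: tuple) -> tuple:
    """Invert f() by brute force. Returns (key, number of hash evaluations spent)."""
    prefix, check = puzzle
    for guess in range(1 << PUZZLE_BITS):
        candidate = prefix + guess.to_bytes(2, "big")
        if _tagged_hash(b"f", candidate) == check:
            return candidate, guess + 1
    raise ValueError("malformed puzzle")


def gen_key(rng: random.Random) -> bytes:
    """A key whose last two bytes hold a value below 2**PUZZLE_BITS, so that f() is solvable."""
    hidden = rng.getrandbits(PUZZLE_BITS)
    return rng.randbytes(KEY_BYTES - 2) + hidden.to_bytes(2, "big")


def merkle_puzzle_exchange(m: int, seed: int = 1) -> dict:
    """Run the protocol for A, B and an eavesdropper; return whether the keys agree and
    how much work each party spent (hash evaluations)."""
    rng = random.Random(seed)                      # demo-only determinism, see lead-in
    # A: generate m keys and publish the m puzzles; A remembers the keys in order.
    keys = [gen_key(rng) for _ in range(m)]
    puzzles = [f(k) for k in keys]
    # B: pick one puzzle at random, solve it, and reply with z = g(k_i).
    i = rng.randrange(m)
    k_b, b_work = solve_puzzle(puzzles[i])
    z = g(k_b)
    # A: apply g to the stored keys until one yields z (about m/2 evaluations of g).
    a_work, k_a = 0, None
    for k in keys:
        a_work += 1
        if g(k) == z:
            k_a = k
            break
    # Eavesdropper: sees every puzzle and z, but not i, so must solve puzzles until one matches.
    eve_work, eve_solved, k_eve = 0, 0, None
    for p in puzzles:
        k, work = solve_puzzle(p)
        eve_work += work
        eve_solved += 1
        if g(k) == z:
            k_eve = k
            break
    return {"shared_ok": k_a == k_b, "eve_recovers": k_eve == k_b, "chosen": i,
            "legit_work": b_work + a_work, "eve_work": eve_work, "eve_puzzles": eve_solved}


if __name__ == "__main__":
    print(merkle_puzzle_exchange(32))
```

With m = 32 and 12-bit puzzles the eavesdropper solves on average 16 puzzles of up to 4096 hashes each, while B solves one and A applies g at most 32 times, which is the $m^2 : m$ ratio described in the text. A must also transmit all m puzzles, so at realistic parameter sizes the transmission, not the hashing, is the dominant cost of the exchange, as the text points out. Requires Python 3.9 or later for random.Random.randbytes.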
Cryptanalysis using currently known techniques requires approximately $2^{b/2}$ (here $2^{200}$) operations and as many words of memory and is therefore totally infeasible. This technique makes use of the apparent one wayness of the discrete exponential function $y = a^x \bmod q$, where q is a large prime number of appropriate form [16,17] and a is a fixed primitive element of the finite field GF(q). Calculating y from x, with tacit knowledge of a and q, is relatively easy, and requires only three words of memory, each b bits long, and $b^3$ gate delays. Computing x from y is believed to be much harder, and the best known algorithm [16,17] requires memory and time proportional to $2^{b/2}$.

The two users and the cryptanalyst are assumed to know q and a. Each user generates a random number uniformly distributed between 2 and q-2. Call these values $X_1$ and $X_2$. The users keep these values secret, but compute $Y_1 = a^{X_1} \bmod q$ and $Y_2 = a^{X_2} \bmod q$ and exchange these values. The cryptanalyst therefore also learns $Y_1$ and $Y_2$, but cannot feasibly compute $X_1$ or $X_2$ therefrom. User 1 takes $Y_2$ (which was sent to him) and $X_1$ (which he has kept secret) and computes $(Y_2)^{X_1} = (a^{X_2})^{X_1} = a^{X_1 X_2} \bmod q$. User 2 computes $(Y_1)^{X_2} = (a^{X_1})^{X_2} = a^{X_1 X_2} \bmod q$. Both users are now in possession of a common number $K = a^{X_1 X_2} \bmod q$ which they use as the key in a normal cryptographic system. The cryptanalyst cannot compute K as any obvious function of $Y_1$ and $Y_2$ (e.g., $Y_1 Y_2$ or $(Y_1)^{Y_2}$) without first computing either $X_1$ or $X_2$, which is an infeasible task using the best known algorithms. There may be better algorithms for computing $X_1$ and $X_2$, or there may be some nonobvious method for computing K from $Y_1$ and $Y_2$ directly. As with all cryptographic systems, this one should be studied further to increase our trust in it.

Merkle and Hellman [11] have proposed a public key method based on trap door knapsacks.
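The Diffie-Hellman exchange described above with concrete numbers, as an added Python example that is not from the article. The field GF(23) with primitive element 5 (q - 1 = 2 * 11) and the secrets $X_1 = 6$, $X_2 = 15$ are toy values chosen here, and the attacker's discrete logarithm is Shanks' baby-step giant-step, which is one algorithm in the $\sqrt{q}$ time-and-memory class the text refers to, not the Pohlig-Hellman algorithm of References 16 and 17.

```python
from math import isqrt
from typing import Optional


def is_primitive_root(a: int, q: int, prime_factors_of_q_minus_1: list) -> bool:
    """a is a primitive element of GF(q) iff a^((q-1)/r) != 1 (mod q) for every prime r | q-1.
    This is why q must be of "appropriate form": the factorization of q-1 has to be known."""
    return all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors_of_q_minus_1)


def dh_exchange(q: int, a: int, x1: int, x2: int) -> dict:
    """The exchange from the text: secrets x1, x2 in [2, q-2]; y_i = a^x_i mod q are sent
    in the clear; each side raises the other's y to its own secret exponent."""
    if not (2 <= x1 <= q - 2 and 2 <= x2 <= q - 2):
        raise ValueError("secret exponents must lie in [2, q-2]")
    y1, y2 = pow(a, x1, q), pow(a, x2, q)
    k_user1 = pow(y2, x1, q)      # (a^x2)^x1 mod q
    k_user2 = pow(y1, x2, q)      # (a^x1)^x2 mod q
    return {"y1": y1, "y2": y2, "k1": k_user1, "k2": k_user2}


def bsgs_log(y: int, a: int, q: int) -> Optional[int]:
    """Shanks' baby-step giant-step: solve a^x = y (mod q) with about sqrt(q) multiplications
    and a table of sqrt(q) entries, i.e. the 2^(b/2) time-and-memory cost cited in the text."""
    m = isqrt(q) + 1
    baby = {}
    val = 1
    for j in range(m):
        baby.setdefault(val, j)   # a^j -> j
        val = val * a % q
    giant = pow(a, -m, q)         # a^(-m); Python 3.8+ computes the modular inverse here
    gamma = y
    for i in range(m):
        j = baby.get(gamma)
        if j is not None:
            return i * m + j      # y * a^(-i*m) = a^j  =>  x = i*m + j
        gamma = gamma * giant % q
    return None


def attacker_recovers_key(y1: int, y2: int, a: int, q: int) -> int:
    """The cryptanalyst's only known route: take one discrete logarithm, then act like user 1."""
    x1 = bsgs_log(y1, a, q)
    return pow(y2, x1, q)


if __name__ == "__main__":
    q, a = 23, 5                   # toy field: q-1 = 2*11 and 5 is a primitive root
    r = dh_exchange(q, a, 6, 15)
    print(r, "attacker:", attacker_recovers_key(r["y1"], r["y2"], a, q))
```

Running the file gives $Y_1 = 8$, $Y_2 = 19$ and $K = 2$ on both sides, and the attacker also obtains 2 after taking the logarithm of $Y_1$; neither $Y_1 Y_2 \bmod 23 = 14$ nor $Y_1^{Y_2} \bmod 23 = 4$ equals K, illustrating the remark about "obvious functions." Two cautions for practitioners: the primitive root test needs the factorization of q - 1, and the 400-bit modulus the text sizes against 1978 hardware is far below current practice, which uses primes of 2048 bits or more, or elliptic curve groups, for the same exchange.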
Given a one-dimensional knapsack of length S and a set of n rods of lengths $a_1, a_2, \ldots, a_n$, one version of the knapsack problem is to find a subset of the rods whose lengths sum to exactly S. Equivalently, find a binary n-vector x such that $a \cdot x = S$. (The dot product of two vectors is denoted by $\cdot$.) The knapsack problem is believed to be very difficult in general, and this belief is supported by its being an NP-complete problem [18]. In a loose sense the NP-complete problems are the most difficult problems of a cryptographic nature [5]. A trap door knapsack vector a is one which has no apparent structure which can be used to simplify the solution process, but which possesses hidden (trap door) structure which allows rapid solution for x.

As a small demonstration example, consider a = (5457, 1663, 216, 6013, 7439) and S = 15115, corresponding to x = (0, 1, 0, 1, 1). It happens that if each component of a is multiplied by 3950 mod 8443 (the secret, trap door information) the vector a' = (171, 196, 457, 1191, 2410) results. This vector has the property that each component is larger than the sum of all the preceding components. Transforming S in a similar manner (multiplying it by 3950 mod 8443) yields S' = 3797. Some thought shows that the solution to the problem $S = a \cdot x$ is the same as the solution to $S' = a' \cdot x$, and that the solution to $S' = a' \cdot x$ is easily found because of the form of a'. $x_5$ must be 1 because $S' \geq a_5' = 2410$; if $x_5$ were 0 then even if all other components of x were 1's the sum could not be large enough to yield S'. Subtracting $a_5'$ from S' yields 1387, which is the sum of a subset of the remaining components of a'. Because $1387 \geq a_4' = 1191$ we know that $x_4$ must also equal 1. Subtracting $a_4'$ from 1387 yields 196. This is smaller than $a_3' = 457$, so $x_3$ must equal 0. It is equal to $a_2' = 196$, so $x_2$ must equal 1 and $x_1$ must equal 0. The determination of x is now complete and, as a quick check will show, correct for the original problem $S = a \cdot x$ as well.
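The demonstration example carried through in Python, as an added example that is not code from the article or from Reference 11. The secret vector a' = (171, 196, 457, 1191, 2410), the multiplier 2550 and the modulus 8443 are the text's values; the key generation routine (which, as the text describes, chooses a' first and then multiplies it into the public vector), the toy parameter ranges it draws from, and the byte-block helpers are choices made here.

```python
import math
import random

# Parameters of the text's demonstration example
A_PRIME = (171, 196, 457, 1191, 2410)   # secret superincreasing vector a'
MULTIPLIER = 2550                         # secret w; its inverse 3950 is the trap door
MODULUS = 8443                            # secret modulus, must exceed sum(A_PRIME)


def is_superincreasing(v) -> bool:
    """Each component larger than the sum of all preceding components."""
    total = 0
    for x in v:
        if x <= total:
            return False
        total += x
    return True


def make_public(a_prime, w: int, mod: int) -> tuple:
    """Public vector a_i = w * a_i' mod M. Requires gcd(w, M) = 1 and M > sum(a'), so that
    reducing S' modulo M never disturbs the true subset sum."""
    if math.gcd(w, mod) != 1 or mod <= sum(a_prime) or not is_superincreasing(a_prime):
        raise ValueError("bad trap door parameters")
    return tuple(x * w % mod for x in a_prime)


def knapsack_encrypt(a_public, x_bits) -> int:
    """S = a . x for a binary vector x of length n."""
    if len(x_bits) != len(a_public) or any(b not in (0, 1) for b in x_bits):
        raise ValueError("x must be a binary vector of length n")
    return sum(a * b for a, b in zip(a_public, x_bits))


def knapsack_decrypt(S: int, a_prime, w_inv: int, mod: int) -> tuple:
    """Trap door: S' = S * w^-1 mod M, then solve the superincreasing knapsack greedily
    from the largest component down, exactly as the text's hand computation does."""
    s = S * w_inv % mod
    x = [0] * len(a_prime)
    for i in range(len(a_prime) - 1, -1, -1):
        if s >= a_prime[i]:
            x[i] = 1
            s -= a_prime[i]
    if s != 0:
        raise ValueError("S is not a subset sum of this vector")
    return tuple(x)


def keygen(n: int, seed: int) -> tuple:
    """Generate a' (superincreasing), a modulus above sum(a') and a multiplier w coprime to it,
    as the text's key generation program would. Returns (public a, a', w^-1, M).
    The seed and the 16-bit increments are demo choices; real keys use far larger values."""
    rng = random.Random(seed)
    a_prime, total = [], 0
    for _ in range(n):
        nxt = total + rng.randrange(1, 1 << 16)      # strictly larger than the sum so far
        a_prime.append(nxt)
        total += nxt
    mod = total + rng.randrange(1, 1 << 16)
    while True:
        w = rng.randrange(2, mod)
        if math.gcd(w, mod) == 1:
            break
    return make_public(a_prime, w, mod), tuple(a_prime), pow(w, -1, mod), mod


def encrypt_bytes(a_public, data: bytes) -> list:
    """Each byte becomes one 8-bit x vector (needs n = 8), the text's block representation."""
    return [knapsack_encrypt(a_public, tuple((b >> (7 - i)) & 1 for i in range(8))) for b in data]


def decrypt_bytes(sums, a_prime, w_inv: int, mod: int) -> bytes:
    out = bytearray()
    for S in sums:
        bits = knapsack_decrypt(S, a_prime, w_inv, mod)
        out.append(int("".join(map(str, bits)), 2))
    return bytes(out)


if __name__ == "__main__":
    pub = make_public(A_PRIME, MULTIPLIER, MODULUS)
    S = knapsack_encrypt(pub, (0, 1, 0, 1, 1))
    print(pub, S, knapsack_decrypt(S, A_PRIME, pow(MULTIPLIER, -1, MODULUS), MODULUS))
```

make_public reproduces the public vector (5457, 1663, 216, 6013, 7439), encrypting x = (0, 1, 0, 1, 1) gives S = 15115, and decryption reduces to S' = 3797 and the greedy solution shown in the text. Historical caveat: this basic trap door knapsack was broken by Shamir in 1982 using lattice reduction, so treat the code as an illustration of the trap door idea, not as a usable cipher.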
Of course the trap door knapsack vector a was not generated first. Rather a' was first chosen with the property that each component was larger than the sum of all preceding components, and then transformed into the a vector by multiplying each component of a' by 2550 mod 8443 (2550 and 3950 are multiplicative inverses mod 8443). In a similar manner a program could easily be written to generate rather large trap door knapsack vectors from a random bit string. Any user of a computer system could then generate his own personal trap door knapsack vector regardless of his mathematical abilities. The program would also generate the secret multiplier and modulus which reduce the apparently difficult knapsack problem $S = a \cdot x$ to the trivial problem $S' = a' \cdot x$. This program is assumed to be public knowledge but, even so, there is no apparent way for a cryptanalyst to easily solve for x only from knowledge of S and the public vector a.

After generating a trap door knapsack vector a, the user can place it in a public file. Then anyone who wishes to send him information can do so by representing it in binary blocks of n bits each, and using these as x vectors to compute the sums $S = a \cdot x$ which are sent to the first user, who can easily recover the information x even though no one else can. Note that this system is different from either of the first two public key systems in that a normal cryptographic system is not needed. This is because the first two systems each generated a number that the two legitimate parties to the conversation could easily compute, but neither of the parties could determine that number on his own. In the trap door knapsack system x is determined entirely by one of the users. While it is not necessary for x to be used as the key in a normal cryptographic system, in practice the speed advantages of conventional cryptographic systems will probably cause x to be used in that manner. This same remark applies to all of the currently known public key systems.

The public key system due to Rivest, Shamir, and Adleman [9] can be regarded as a generalization of a conventional cryptographic system developed by Pohlig and Hellman [16]. Each user generates a pair of numbers E and n which are placed in a public file and which are used by others to encipher data they wish to send him. At the same time that E and n are generated, another number D is generated which is required for deciphering data. Clearly, it must be computationally infeasible to compute D from the public information E and n if the system is to be secure. As shown in Reference 9, computing D from E and n is equivalent to factoring n, and it is possible to choose n so that this is infeasible using the best known factoring algorithms. First two large prime numbers p and q are chosen and multiplied to produce $n = pq$. Then Euler's function $m = \phi(n) = (p-1)(q-1)$ is computed.
$\phi(n)$ is the number of integers between 1 and n which are relatively prime to n, and has the interesting property that almost any number between 1 and n when raised to the m-th power mod n equals 1 (the exceptions turn out not to affect the system and we therefore neglect them in what follows [9]). E is then chosen as a random number between 1 and m which is relatively prime to m, and D is computed using Euclid's algorithm to be the multiplicative inverse of E mod m. That is, $ED = km + 1$ for some integer k. Enciphering requires only one exponentiation in modulo n arithmetic and is easily accomplished. Letting P denote the plaintext and C the ciphertext, $C = P^E \bmod n$. (The plaintext must be represented as a sequence of integers each between 0 and n-1.) Deciphering is also easily accomplished in one exponentiation, $P = C^D \bmod n$. To see that this really does undo the enciphering operation, note that $C^D = (P^E)^D = P^{ED} = (P^m)^k P^1 = P \bmod n$, because $P^m = 1$.

The most recently developed public key system is due to McEliece [10], and is based on algebraic coding theory. Goppa codes are highly efficient error correcting codes, both in their error correcting capacity and in the computation required to correct errors. The ease of error correction is destroyed, however, if the bits which make up a codeword are permuted prior to transmission. In McEliece's system a user's public enciphering key describes a scrambled Goppa code, chosen at random from a large set of possible codes. Anyone can easily encode information (scrambling the Goppa code does not greatly affect the ease of encoding because the code is still linear), add a randomly generated error vector and transmit this to the user. But only the intended recipient knows the inverse permutation which allows the errors to be corrected easily. McEliece estimates that a block length of 1000 bits, with 500 information bits, should foil cryptanalysis using the best currently known attacks.
The main problem is the storage of a 500 by 1000 bit generator matrix, requiring 500 kilobits of memory per user.

SIGNATURES

Written signatures are essential to our current methods of conducting business. They serve to indicate accountability and agreement on contracts, etc. Before electronic means can fully replace physical (hardcopy) forms of information, a digital equivalent to a written signature is needed. A digital authenticator must be a number which is easily recognized without being known, because any number that is known can be forged by the intended recipient. While at first appearing to be a logical impossibility, digital signatures can be obtained from public key cryptosystems and probably in many other ways as well [5]. Rivest, Shamir, and Adleman's system [9] yields signatures most directly, merely by interchanging the enciphering and deciphering operations, so we only describe that method.

When a user wishes to send a signed message M to someone else, he operates on it with his secret key D to obtain $Y = M^D \bmod n$. The recipient can recover M through use of the public key E, n because $Y^E \bmod n = M$. The recipient saves Y as proof that message M was sent to him by the user whose public key is E, n. If the sender later disclaims having sent the message, the recipient gives Y to a "judge" who can access the public file and see that $Y^E \bmod n$ does in fact equal a meaningful message with the right header information. Only the user who placed E, n in the public file knows D and could produce such a Y.

In practice each block of the message will probably not be signed in this manner. Rather, to speed things up, the message will be sent in its untransformed state, and a one way hash total H of the message computed [5]. The signature will be $Y = H^D \bmod n$. The recipient can easily check that H results when the public key E, n acts on Y, and that it is the same H as obtained from action of the hash function on the message.
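The Rivest, Shamir and Adleman enciphering, deciphering and signing operations from the two sections above, as an added Python example; this is not the code of Reference 9. The primes p = 61, q = 53 and the exponent E = 17 are toy values chosen here, D is computed with the extended Euclidean algorithm the text mentions, and the hash total H is SHA-256 reduced modulo n, a reduction that is only needed because the toy modulus is smaller than a digest.

```python
import hashlib


def euclid_inverse(e: int, m: int) -> int:
    """Extended Euclid: returns D with E*D = 1 (mod m), i.e. ED = km + 1 for some integer k."""
    old_r, r = e, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("E must be relatively prime to phi(n)")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """n = pq is public together with E; D = E^-1 mod phi(n) is the secret deciphering key."""
    n = p * q
    m = (p - 1) * (q - 1)        # Euler's function phi(n)
    d = euclid_inverse(e, m)
    return (e, n), d


def rsa_encrypt(P: int, public: tuple) -> int:
    """C = P^E mod n; the plaintext block must lie in [0, n-1]."""
    e, n = public
    if not 0 <= P < n:
        raise ValueError("plaintext block out of range")
    return pow(P, e, n)


def rsa_decrypt(C: int, d: int, n: int) -> int:
    """P = C^D mod n."""
    return pow(C, d, n)


def sign_block(M: int, d: int, n: int) -> int:
    """Y = M^D mod n: signing is the deciphering operation applied to the message."""
    return pow(M, d, n)


def verify_block(Y: int, public: tuple) -> int:
    """Returns Y^E mod n. A judge accepts only if this is a meaningful message with the right
    header: any Y yields some number, so structure is what separates a signature from noise."""
    e, n = public
    return pow(Y, e, n)


def hash_total(message: bytes, n: int) -> int:
    """One way hash total H of the whole message, reduced into [0, n) for the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_message(message: bytes, d: int, n: int) -> int:
    """The practical variant: send the message in clear and sign its hash, Y = H^D mod n."""
    return pow(hash_total(message, n), d, n)


def verify_message(message: bytes, Y: int, public: tuple) -> bool:
    """Recipient (or judge) recomputes H from the message and checks Y^E mod n == H."""
    e, n = public
    return pow(Y, e, n) == hash_total(message, n)


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53, 17)                 # toy primes chosen for the demo
    e, n = public
    print("public", public, "D", d, "check ED mod m", (e * d) % 3120)
    C = rsa_encrypt(65, public)
    print("C", C, "P", rsa_decrypt(C, d, n))
    order = b"broker: sell 100 shares at market"    # constructed sample message
    Y = sign_message(order, d, n)
    print("signature", Y, "verifies", verify_message(order, Y, public))
```

With these toy values the public key is (17, 3233), D = 2753 (17 * 2753 = 15 * 3120 + 1), and the plaintext 65 enciphers to 2790. Signing a block and then doubling the signature still verifies to some number, just not the original block, which is why the judge must look for header information and not merely for a successful exponentiation. For privacy the sender would then encipher the message-signature pair under the recipient's public key, as the following paragraph notes. Toy primes like these factor instantly; real moduli are 2048 bits or more.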
The above discussion neglects the privacy problem which results if an eavesdropper may be listening. This problem is easily overcome by enciphering the message-signature combination in a normal or public key system.

CONCLUSIONS

Public key systems and digital signatures make teleprocessing systems vastly more useful for business and personal use, but care must be exercised, both at the technical and legal levels, to ensure that these advances are not used in a detrimental manner. For example, a user's secret key will probably be stored on a magnetic card which is needed to transact any business on the system. If the system becomes all pervasive in daily life, people may be expected to carry their cards with them constantly. It is only a small step to allow the police to demand the card as a form of universal identifier, without which a person becomes a nonperson. There are clearly dangers in such a system and adequate safeguards must be built in. Even now, certain businesses (e.g., car rental, gas stations at night) will accept only credit cards.

Further research is obviously needed at a technical level. The security levels of the currently known systems need better evaluation and new systems should be sought. These may be more efficient than the currently known systems, or needed in the unlikely event that holes are found in all of them. A major research goal is the establishment of provably secure systems, conventional, public key, and signature. That goal is more ambitious than solving one of the premier outstanding problems in computer science (the P =? NP problem) and must be viewed as long term.

REFERENCES

1. National Bureau of Standards, Data Encryption Standard, Federal Information Processing Standards Publication 46, January 1977.
2. Diffie, W. and M. E. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard," Computer, June 1977, pp. 74-84.
3. Kolata, G. B., "Computer Encryption and the National Security Agency Connection," Science, Vol. 197, July 29, 1977, pp. 438-440.
4. Morris, R., N. J. A. Sloane and A. D. Wyner, "Assessment of the National Bureau of Standards Proposed Federal Data Encryption Standard," Bell Laboratories Memorandum, November. Also in Cryptologia, Vol. 1, July 1977, pp. 281-291.
5. Diffie, W. and M. E. Hellman, "New Directions in Cryptography," IEEE Trans. on Info. Theory, Vol. IT-22, November 1976, pp. 644-654.
6. Branstad, D., "Security Aspects of Computer Networks," AIAA Computer Network Conference, April.
7. Diffie, W. and M. E. Hellman, "Multiuser Cryptographic Techniques," National Computer Conference, AFIPS Conference Proceedings Vol. 45, June 1976, pp. 109-112.
8. Merkle, R. C., "Secure Communication Over an Insecure Channel," to appear, CACM, April 1978.
9. Rivest, R., A. Shamir, and L. Adleman, "On Digital Signatures and Public-Key Cryptosystems," to appear, CACM, February 1978.
10. McEliece, R. J., "A Public Key System Based on Algebraic Coding Theory," JPL DSN Progress Report.
11. Merkle, R. C. and M. E. Hellman, "Hiding Information and Signatures in Trap Door Knapsacks," to appear, IEEE Trans. on Info. Theory.
12. Simmons, G. J. and M. J. Norris, "Preliminary Comments on the MIT Public-Key Cryptosystem," Cryptologia, Vol. 1, October 1977, pp. 406-414.
13. Wilkes, M. V., Time Sharing Computer Systems, Elsevier, New York, 1968.
14. Purdy, G. B., "A High Security Log-In Procedure," CACM, Vol. 17, August 1974, pp. 442-445.
15. Evans, A., Jr., W. Kantrowitz, and E. Weiss, "A User Authentication System Not Requiring Secrecy in the Computer," CACM, Vol. 17, August 1974, pp. 437-442.
16. Pohlig, S. C. and M. E. Hellman, "An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance," to appear, IEEE Trans. on Info. Theory, Vol. IT-24, January 1978.
17. Pohlig, S. C., Algebraic and Combinatoric Aspects of Cryptography, Ph.D. thesis, Stanford University, EE Dept., November 1977.
18. Karp, R. M., "Reducibility Among Combinatorial Problems," in Complexity of Computer Computations, R. E. Miller and J. W. Thatcher, Eds., Plenum, New York, 1972, pp. 85-103.


