Cryptographic Key Management Concepts

Transcription

1 83 Cryptographic Key Management Concepts Ralph Spencer Poore 83.1 Cryptographic Security ABrief History Cryptography and Computers An Encryption Standard 83.2 Key Management Myths Myth 1: AKey Qualifies as Randomly Generated If One or More Persons Create the Key Components from Their Imagination Myth 2: An Authorized Person Can Create or Enter Cryptographic Keys without Compromising akey Myth 3: Requiring a Second Person to Supervise or Observe the Key Entry Process Is Dual Control Myth 4: Split Knowledge and Dual Control Are the Same Thing Summary: Sergeant Schultz and Cannot 83.3 Key Management: An Overview Three Rules of Key Management Automated Key Management 83.4 Cryptographic Security Issues in Open Networks Issues beyond Key Exchange Key Escrow 83.5 Advances in Cryptographic Key Management APlethora of Key Management Techniques Quantum Cryptography 83.6 Summary Cryptographic Security A Brief History Cryptography, the art of secret writing, has existed for almost as long as writing itself. Originally, the use of symbols to represent letters or words in phrases was a skill reserved for scribes or learned clerics. However, for a scribe s work to be truly useful, others needed the ability to read the scribe s work. As standardized writing and reading skills became more widespread, the risk of unauthorized reading increased. Primarily for purposes of political intrigue and militarysecrecy,practical applications of secret writing evolved. There are examples of simple alphabetic substitution ciphers dating back to the time of Julius Caesar. Julius Caesar is honored today by our naming an entire class of mono-alphabetic substitution ciphers after him. The following (translated into our modern alphabet) is an example of a cipher he is believed to have used: 1067 AU7495 Chapter83 25/1/ :54 PARTHIBAN XML MODEL CRC12a pp

2 1068 Information Security Management Handbook ABCDEFGHIJKLMNOPQRSTUVWXYZ DEFGHIJKLMNOPQRSTUVWXYZABC The rotation of the alphabet by three places is enough to transform a simple plaintext message from we attack to the north at dawn into ZH DWWDFN WR WKH QRUWK DW GDZQ. Byfinding each letter of plaintext in the first alphabet and substituting the letter underneath from the second alphabet, one can generate the ciphertext. By finding each letter of the ciphertext in the lower alphabet and substituting the letter directly above it, one can translate the ciphertext back to its plaintext. In general, one refers to any rotation of an alphabet as a Caesar alphabet. An improvement on the Caesar alphabet is the keyed mono-alphabetic substitution cipher. It uses a key word or phrase as follows: ABCDEFGHIJKLMNOPQRSTUVWXYZ SHAZMBCDEFGIJKLNOPQRTUVWXY where SHAZAM is the key word from which any duplicate letters (in this case the second A ) are removed, giving SHAZM. The keyword is then used for the first letters of the cipher alphabet, with the unused letters following in order. The recipient of a coded message only needs to know the word SHAZAM in order to create the keyed cipher alphabet. A further improvement, but one that requires the entire cipher alphabet to act as the key, is the use of arandomly generated cipher alphabet. All such mono-alphabetic substitutions, however, are easily solved if enough ciphertext is available for frequency analysis and trial-and-error substitutions. Mono-alphabetic ciphers today are relegated to the entertainment section of the newspaper and no longer serve as protectors of secrecy. Poly-alphabetic systems, however, still pose a challenge. In these systems, each letter comes from a cipher alphabet different from the previously enciphered letter. Asshown in Exhibit 83.1, for example, a EXHIBIT 83.1 Rotating Among Four Cipher Alphabets A H B J K B T I E A C Z D V T D X M O G E L X N O F P Q R S G V U T W H A C Z Y I B G D E J F E A U K W Y B C L D F G H M J K L R N S V Q M O N R X Z P R P M F Q K I Y X R C A W D S Y H U L T O Q S I U E L C B V T N F J W M O I N X I S H P Y G J K Q Z Q T P V

3 Cryptographic Key Management Concepts 1069 system rotating among four cipher alphabets would mean that each possible plaintext letter could be represented by any of four different ciphertext letters. The cipher alphabets are labeled 1, 2, 3, and 4, respectively. Notice that the plaintext letter A can be represented by H, B, J, or K. The use of multiple alphabets complicates frequency analysis. On short messages such as LAUNCH MISSILE NOW, the resulting ciphertext, DBCMZC LEYHDHL VXN, contains no matching letters that have the same plaintext meaning. The letter D, for example, is in the ciphertext twice, but the first time it decodestothe letter L and the second time it decodes to the letter I. Similarly, the letter C decodes first to the letter U and then to the letter H. Verydifficult ciphers used in World WarII(e.g., ENIGMA) relied on more complex variations of this class of ciphers. They used multiple wheels, where each wheel was a cipher alphabet. The wheels would advance some distance after each use. To decode, one needed the wheels, their respective order and starting positions, and the algorithm by which they were advanced Cryptography and Computers With the advent of computers, cryptography really came of age. Computers could quickly execute complex algorithms and convert plaintext to ciphertext (encrypt) and ciphertext back to plaintext (decrypt) rapidly. Up until the 1960s, however, cryptography was almost exclusively the property of governments. A prototype for commercial applications, IBM s Lucifer system was a hardware implementation of a128-bit key system. This system became the basis for the Data Encryption Standard (DES), a64-bit keysystem (8 bits of which were for parity, leaving an effectivekey length of 56 bits), the algorithm for which is known as the Data Encryption Algorithm (DEA) as codified in American National Standard X An Encryption Standard For dependable commercial use, secret or proprietary cryptographic algorithms are problematic. Secret/proprietary algorithms are, by definition, not interoperable. Each requires its own implementation, forcing companies into multiple, bilateral relationships and preventing vendors from obtaining economies of scale. As a practical matter, cryptographic security was cost prohibitive for business use until DEA. With a standard algorithm, interoperability became feasible. High-quality cryptographic security became commercially viable. Auditors and securityprofessionals should also understand twoother importantproblems with secret algorithms. First, who vets the algorithm (i.e., proves that it has no weaknesses or trapdoors that permit solving of the encrypted text without the cryptographic key)? This is both an issue of trust and an issue of competence. If the cryptographic section of a foreign intelligence service certified to a U.S. firm that a secret algorithm was very strong and should be used to protect all of the firm s trade secrets, would the U.S. firm be wise in trusting the algorithm? Such an agency might have the expertise, but can one trust any organization with a vested interest in intelligence gathering to tell you if a security weakness existed in the algorithm? Vetting cryptographic algorithms is not an exact science. Cryptographers design and cryptanalysts (first coined by W. F. Friedman in 1920 in his book entitled Elements of Cryptanalysis) attempt to break new algorithms. When an algorithm is available to a large population of cryptographic experts (i.e., when it is made public), weaknesses, if any, are more likely to be found and published. With secret algorithms, weaknesses found are more likely to remain secret and secretly exploited. However, asecret algorithm is not without merit. If you know the algorithm, analysis of the algorithm and brute-force attacks using the algorithm are easier.also,a standard algorithm in widespread use will attract cryptanalysis. This is one of the reasons why DES is nowobsolete and a new standard (the Advanced Encryption Standard[AES]) was created. In issues of national security, secret algorithms remain appropriate.

4 1070 Information Security Management Handbook Apublicly available algorithm is not the same as an algorithm codified in astandard. One might find the source code or mathematical description of an algorithm in a published book or on the Internet. Some algorithms (e.g., IDEA TM [International Data Encryption Algorithm] invented in 1991 by James Massey and Xuejia Lai of ETH Zurich in Switzerland) used in PGP (Pretty Good Privacy authored by Phil Zimmermann) to package a public key cryptographic algorithm, may prove to be quite strong, while others thought to be strong (e.g., FEAL [Fast Encryption Algorithm invented by Akihiro Shimizu and Shoji Miyaguchi of NTT Japan]) prove breakable. When an algorithm is publicly available, security rests solely with the secrecy of the cryptographic keys. This is true both in symmetric and asymmetric algorithms. Algorithms using the same key todecryptas was used to encrypt are known as symmetric algorithms. The DEA is a symmetric algorithm (as is the algorithm used for AES 1 ). If the key used to decrypt isnot the same as the key used to encrypt, the algorithm is asymmetric. Public key algorithms (e.g., the RSA Data Security algorithm) are asymmetric. Symmetric algorithms are sometimes called secret key algorithms because the one key used for both encryption and decryption must remain secret. Asymmetric algorithms may have one or more public keys, 2 but always have atleast one private key. The private key must remain secret Key Management Myths Cryptographic security using a standard, publicly available algorithm (e.g., the Federal Information Processing Standard (FIPS) 197, Advanced Encryption Standard ) depends on the secrecy of the cryptographic key. Even with secret algorithms that use keys, the secrecy of at least one key (e.g., the private key used in public key cryptography) remains critical to the security of the cryptographic process. This author s experience in evaluating implementations has revealed some common misunderstandings about managing cryptographic keys. This chapter identifies these misunderstandings (referred to as myths ), explains why they are wrong, and describes correct procedures. The examples used are taken from experience with automated teller machine (ATM) and point-of-sale (POS) implementations that depended on DEA (and now depend on Triple DES, 3 abackward-compatible implementation that allows for longer effective key lengths through multiple applications of DEA) for personal identification number (PIN) privacy. The concepts, however, apply to most implementations of cryptography where the objective is either message privacy or integrity. Some implementations may rely on fully automated key management processes. Even these may not be immune to key management fallacies Myth 1: A Key Qualifies as Randomly Generated If One or More Persons Create the Key Components from Their Imagination To meet the statistical test for randomly generated, each possible key in the key space must be equally likely. No matter how hard a person tries, he cannot make up numbers that will meet this requirement. Concatenating the non-random number choices ofseveral persons does not result in arandom number either. When people are asked to select a number at random, they automatically attempt to avoid a number containing a pattern they recognize. This is but one simple example of how people bias their selections. If a person wants to create a random hexadecimal number, that person could number identical balls from 0 through 9 and A through F; place them in a large bowl; mix them; select and remove (without looking) aball; record its value; placethe ball back into the bowl; and repeat the process 16 times for each key component. Another alternative is to use 64 coins of equal size (e.g., all pennies); toss them on to a 1 AES uses the Rijndael algorithm; refer to FIPS 157 for details. 2 While not widely used, public key systems exist that require n of m keys toencrypt ordecrypt. Depending onthe purpose of the cryptography (e.g., confidentiality or authentication), the multiple keys might be the public ones or the private ones (or both). 3 See ANS X9.52 (Triple Data Encryption Algorithm Modes of Operation) for more details on Triple DES.

5 Cryptographic Key Management Concepts 1071 flat surface; and using a large straightedge (e.g., a yardstick), sweep them into a straight line. Starting from the left, record a 1 for each head and a 0 for each tail. The 64 bits can them be translated in blocks of four to form a 16, hexadecimal-character key. Most organizations, however, will simply have their cryptographic device generate an ersatz random number. (You will see documentation refer to pseudo random numbers. These are numbers generated by a repeatable, algorithmic process but exhibit properties ascribed to randomly generated numbers. I refer to these as ersatz random numbers here because pseudo means false [so even a sequence that did not meet statistical requirements for randomness would meet this definition] where ersatz means imitation or artificial and more accurately describes the nature of these numbers. However,the term pseudo random is well established. A newer term deterministic random bit generators has also entered the literature, a term that better addresses this author s linguistic concerns.) Myth 2: An Authorized Person Can Create or Enter Cryptographic Keys without Compromising a Key When a cryptographic key becomes known to anyone, it is compromised (by definition). This is why split knowledge controls are required. No human should ever know an active key. Allowing a person to know an active key places the person at risk (e.g., extortion), places the organization at risk (e.g., potential misuse or disclosure by that person), and creates the potential for accidental disclosure of the key through human error Myth 3: Requiring a Second Person to Supervise or Observe the Key Entry Process Is Dual Control To qualify as a dual control process, it must be infeasible for any one person to perform the entire process alone. If one person can cause all essential steps to happen without the need for at least one additional person, then dual control is not achieved. Because observation and supervision are passive activities, the absence of which would not prevent the process, a person acting in such capacities is not acting as part of a dual control process. If party A has the combination to the vault within an ATMand party B has the key tothe ATM s locked door such that both parties A and B must participate in order to gain access to the cryptographic device within the ATM, then dual control exists. However, if party B learns the combination or party A gains access to the ATM s door key, then dual control ceases to exist Myth 4: Split Knowledge and Dual Control Are the Same Thing The concept of split knowledge as used in cryptography means that two or more parties are needed, each with independent knowledge of a cryptographic key component, such that together they can create a cryptographic key of which each has no knowledge. Split knowledge meets the requirements for dual control, but not vice versa. The usual way ofdoing this is to create two teams of key entry persons. Team A will generate afulllength keycomponent and record it. Team B will do the same. No member of Team A can ever see the Team B key components, and vice versa. One member of each team is then needed to load akey. Note that the use of key halves (once common in the ATM/POS industry) does not qualify as split knowledge, because each person has knowledge of at least half of the actual key. True split knowledge requires that no one have any knowledge of the resulting key. 4 For amorein-depth discussion of apseudo random number generator (PRNG), refer to ANS X9.82 (Random Number Generation) or NIST Special Publication (A Statistical Test Suite for the Validation of Random Number Generators and Pseudo Random Number Generators for Cryptographic Applications).

6 1072 Information Security Management Handbook Summary: Sergeant Schultz and Cannot I call the split knowledge requirement the Sergeant Schultz principle, from the Hogan s Heroes television program where Sergeant Schultz would say, I know nothing, nothing! Properly implemented, every key component holder should always be able to affirm that they know nothing about the resulting live key. This author s equally short name for dual control is the Cannot principle. If one person cannot perform a function because the function can only be accomplished with the collective efforts of two or morepersons, then dual control exists. If anyone person can accomplish all of the steps without anyone else, then dual control does not exist. These are two easily remembered principles that are essential to effective key management Key Management: An Overview Whether or not an algorithm is kept secret, the cryptographic key or keys needed to decipher a message must remain secret if we want to keep the communication private. Knowing the keys and any plaintext encrypted under those keys makes discernment of even a secret algorithm likely. Knowing the keys and the algorithm makes decryption of messages encrypted under those keys straightforward. The objective of key management is to prevent unauthorized disclosure of keying materials. When key management fails, cryptographic security fails Three Rules of Key Management Three rules of key management must be followed if cryptographic keys are to remain secret. First, no human being should ever have access to active, cleartext keys. Benjamin Franklin wrote that three can keep asecret if twoofthem are dead. 5 In cryptography, one might recast this as three can keep asecret if all of them are dead. Second, whenever keys must be distributed and entered manually,one uses full-length key components to facilitate split knowledge. By requiring that two (or more) full-length key components be entered, each by a separate individual who never sees any other component, one can keep any one person from knowing the resulting key. This technique, known as split knowledge, is actually a zero knowledge process for each individual. Each key component (C n K, where n Z 1, 2,. )conveys by itself no knowledge of the ultimate key. This is accomplished by implementing afunction 4 such that C 1 K 4 C 2 K results in a key dependent on every bit in both components. Modulo 2 arithmetic without carry (or logical exclusive OR) is one example of such afunction. Using DEA, TDES, or AES with C 1 Kasthe data and C 2 Kasthe key is another example. Third, use keys only for asingle purpose. If akey was intended to protect other keys, never use it to protect non-key data. If the key was intended to authenticate messages, do not use it to encrypt a message. Using the same key for morethan one purpose may give acryptanalyst abetter opportunity to solve for the key. More significantly,itmakes akey compromise morepainful and less easily investigated when the key was used for multiple purposes Automated Key Management Systems of key generation do exist that require no human intervention or initial manual key distribution. Because some of these systems use proprietary approaches to key management, the buyer should exercise great care. For example, a vendor might deliver each device with a fixed private key of a public key/private key-pair. Each device would transmit its public key, resulting in an exchange of public keys. Each device could then encrypt a random value under the other party s public key and transmit this cryptogram of 5 Poor Richard s Almanac, July 1733.

7 Cryptographic Key Management Concepts 1073 Actual path Actual path Active interloper Intended path Alice Bob EXHIBIT 83.2 Intercepting both public keys and spoofing both sides. the random value. The receiving device could then decryptthe cryptogram using its private keyand add (modulo 2 addition without carry) the result to the cleartext, randomly chosen value it had encrypted and sent, thereby creating a unique session key between the two devices. However, an interloper could intercept both public keys and spoof both sides by substituting public keys for which the interloper knew the private keys. Exhibit 83.2 shows an example of how this might happen. Many different automated schemes for key exchange exist and some are known to be secure, some are probably secure, some are probably not secure, and some are not secure. Because many of the techniques are proprietary (i.e., trade secrets ), evaluating them is difficult. Even when a vendor has patented a technique and is willing to fully disclose it to you, proving its security may require a cryptanalyst s expertise. So when avendor describes what appears to be magic, remember that even David Copperfield relies on illusion. Best practice is to require compliance with a recognized standard for example, ANS X (Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) or ANS X (Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Management Using Elliptic Curve Cryptography) Cryptographic Security Issues in Open Networks The underlying assumption to open networks is the ability to establish arbitrary connections without previously having established a relationship. This poses a challenge for cryptographic key management

8 1074 Information Security Management Handbook because arbitrary parties will not have preexisting keying relationships. Two different approaches have evolved to answer the challenge: (1) the use of ahierarchy oftrusted agents and (2) the use of keyexchange protocols. In one implementation of a hierarchy of trusted agents, we refer to an agent as a certificate authority (CA) because the agent issues a cryptographic certificate that binds a key representing one party to a chain of certificates from other CAs until a CA common to the parties who wish to securely communicate is reached. Forexample, Edward of Pan Omni Mega Corp. (POMC) wishes to send a secure message to Darwin of Central Middle Obaeratus Partners (CMOP); however, Edward and Darwin have never before communicated. POMC subscribes to AT&T s certificate authority (ATT CA). CMOP subscribes to General Services certificate authority (GS CA) that, in turn, subscribes to MCI s certificate authority (MCI CA). AT&T and MCI have mutual keying relationships with the United States Postal Service certificate authority (USPS CA). POMC s CA chain becomes POMC/ATT/ USPS and CMOP s becomes CMOP/GS/MCI/USPS. By exchanging authenticated certificates of authority, POMC can establish a trusted keying relationship with CMOP without worrying about key substitution. If the chains are long,if transmission speed is slow,or access to CA locations is limited, then Edward may have a long wait. But manual key distribution would usually force a longer wait. If both Edward and Darwin have cryptographic facilities supporting a common keyexchange protocol, they may be able to establish, directly and securely, a cryptographic session key. As described in the previous section, however, one may be unable to vet the vendor s techniques. (The term vet as used in cryptography means to investigate, examine, evaluate, or prove in a thorough or expert way. We trust properly vetted algorithms or protocols; otherwise, caveat emptor!) Best practice is to use standardized techniques whenever feasible, for example, ANS X (Retail Financial Services, Symmetric Key Management, Part 1: Using Symmetric Techniques), ANS X (Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography), ANS X9.44 (Key Agreement and Key Transport using Factoring Based Cryptography), and ANS X9.63 (Key Agreement and Key Transport using Elliptic Curve Cryptography [ECC]) Issues beyond Key Exchange Properly implemented, cryptographic security measures work. As a consequence of their effectiveness, governments have attempted to regulate their use and to control their availability. The United States historically took a two-pronged approach: restricted export and key escrow. Political pressure, however, led the United States to ease the exportrestrictionsand, effectively,toabandon the keyescrow approach. The U.S. Government treats cryptographic security implementations as if they were war munitions. However, not all nations have adopted this approach. Companies should have their legal counsels carefully examine the laws associated with encryption technologyineach jurisdiction in which they plan its use. Import controls reflect a nation s concern for its own exercise of sovereignty. Do secret messages contain government secrets? Do secret messages hide unlawful transactions? Are people evading taxes by electronic smuggling of software? Import controls will remain an issue for many nations. For both import and export, governments generally base their restrictions on how effective the cryptography (including key management) is. Cryptographic effectiveness has at least three major components: The size of the cryptographic key space (i.e., how many possible keys there are) Whether the algorithm permits shortcuts in solving for the key Whether the key management functions introduce weaknesses (e.g., an early release of Netscape relied on a key generation process that was weaker than the resulting key space, making it possible to attack the key generation process to gain the key much faster than by attacking the key space) Exporting cryptographic systems based on keyspaces of 40 bits (i.e., having 2 40 possible keys) or less is not a problem for the United States. Because of advances in computational power (i.e., Moore s law),

9 Cryptographic Key Management Concepts 1075 even systems with much larger keyspaces (e.g., 60 bits) seem to pose no export problem. One of the selection criteria used in the development of an algorithm for the AES was that a 128-bit version would exist that would be exportable. Whereverystrong encryption is desired (e.g., O 128 bits for asymmetric key), some authorities may permit it only if key escrow is used Key Escrow Key escrow is a process through which you entrust your cryptographic keys to a third party who holds them securely until and unless forced to disclose them by legal process (e.g., acourt order). This process is most controversial when that escrow agent is one or more elements of a national government. Key escrow has two serious types of errors: (1) Type Ierror, inwhich the key is disclosed without authorization; and (2) Type II error, in which the key becomes unavailable (corrupted, destroyed, inaccessible) and cannot be disclosed when lawfully demanded. A Type I compromise places the information assets at risk. A Type II compromise places law enforcement at risk (and may place the company injeopardy oflegal action). Because zeroization 6 of keys is acountermeasure used to prevent Type I failures (i.e., any attempt to tamper with the cryptographic equipment causes the keys to be set to zeroes) and because having backup copies of keying materials is a countermeasure for Type II failures, preventing both Type Iand II failures is adifficult balancing act. One is not permitted to prevent atypei failure by causing atype IIfailure; nor is one permitted to protect against atype IIfailure by increasing the risk of a Type Ifailure. In a project directed by Dr. Miles Smid, the National Institute of Standards and Technology (NIST) developed protocols for handling key escrow within the constraints of this delicate balance. For additional information, see FIPS 185 (Escrowed Encryption Standard). In the United States, key escrow receives less attention today in the context of key management for export considerations than it does for business continuity planning where it remains an important technology Advances in Cryptographic Key Management The field of cryptography is experiencing rapid advancement. While many of the advances are more theoretical than currently useful, the auditor and security practitioner should have at least a rudimentary understanding of what is likely in the near future. Several key management techniques that are already technically available (or bleeding edge ), but where standards may not have caught up, include: Diffie-Hellman key exchange using polynomials of base p (where p s 2) 8 Elliptic Curve Menezes-Qu-Vanstone (ECMQV) 9 Efficient Probabilistic Public-Key Encryption (EPOC) and avariant EPOC-3 10 For use further into the future, one of the most promising advances is with quantum cryptography A Plethora of Key Management Techniques With rapid advances in mathematics, almost every conceivable hard problem is potentially a cryptographic algorithm or basis for key agreement or transport. In general, if it is feasible (and preferably efficient and easy) to calculate avalue from known values in one direction but extremely 6 Zeroization isthe technical term for destroying the keys by causing the storage medium to reset toall zeroes. 7 See also Menezes, Alfred J.,Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography.CRC Press, Boca Raton, FL, Chapter 13, especially The Handbook (affectionately known as the HAC ) is an excellent although much more technical and mathematical treatment of cryptography. 8 Rosing, Michael Implementing Elliptic Curve Cryptography.p.299. Manning Publishing Co., Greenwich, CT. 9 IEEE Tatsuaki Okamoto and David Pointcheval. NTT Labs, Japan; paper submitted to IEEE P1363a Working Group, May 2000.

10 1076 Information Security Management Handbook difficult (and preferably computationally infeasible) to work backward from the result without the benefit of secret values (i.e., cryptographic keys), there is the potential for a cryptosystem. One other promising area is the use of hyperelliptic curves. While these are no more hyperelliptic in the geometry sense than elliptic curves are ellipses, they form a class of mathematical curves, an example of which is described by the following formula: y 2 Z x m C ax m K 1 C. C z where m is assumed to be odd and greater than However, the road from theory to practical implementation is a rough one. Some protocols have jumped prematurely to an implementation that was not secure. For example, the widely used Wired Equivalent Privacy (WEP) 12 protocol was found to contain exploitable flaws. 13 The ECMQV protocol may also have exploitable weaknesses under special circumstances. At the time of this writing, the practical implications of those weaknesses are unclear. Best practice will always be to follow well-vetted standards and to keep up with the literature as we practice a rapidly evolving field Quantum Cryptography Quantum cryptography is a key agreement method for establishing a shared secret. It assumes that two users have a common communication channel over which they can send polarized photons. Photons can be polarized vertically or horizontally, circularly (clockwise or counterclockwise), or diagonally. Each of these can be viewed as having two states and assigned abinary representation (i.e., 0or1). By randomly choosing which measurement will be made for each pulse, two independent observers can compare observations and, following an interactive protocol, can agree on a resulting bit string without ever transmitting that string. Quantum cryptography has an advantage over traditional key exchange methods because it is based on the laws of physics instead of assumptions about the intractability of certain mathematical problems. The laws of physics guarantee (probabilistically) that the secret keyexchange will be secure, even when assuming hypothetical eavesdroppers with unlimited computing power. However, a clear,practical disadvantage is the necessityof a communication channel over which the parties can send polarized photons. Stephen Weisner is credited with the initial proposal 14 ( circa 1970) on which quantum cryptographyis based. He called it Conjugate Coding, and eventually published it in 1983 in Sigact News. Charles H. Bennett and Gilles Brassard, 15 who were familiar with Weisner s ideas, published their own ideas shortly thereafter. They produced the first quantum cryptography protocol in 1984, which they named BB It was not until 1991, however, that the first experimental prototype based on this protocol was made operable (over adistanceof32centimeters). An online demonstration of this protocol is available at More recently, systems have been tested successfully on fiber optic cable over distances in the kilometers range Rosing, Michael Implementing Elliptic Curve Cryptography. pp Manning Publishing Co., Greenwich, CT. 12 IEEE (including b). 13 For more information on this weakness, refer towork performed jointly by Nikita Borisov, Ian Goldberg, and David Wagner described at the following Berkeley Website: 14 Weisner,Stephen Conjugate Coding, Sigact News,Vol. 15. No.1,pp , manuscript written circa 1970, but remained unpublished until it appeared in Sigact News. 15 Bennett, Charles H. and Brassard, G Quantum Cryptography: Public Key Distribution and Coin Tossing, International Conference on Computers, Systems & Signal Processing, December 10 12, pp Bangalore, India. 16 Bennett, Charles H., Bessette, F.,Brassard, G., Salvail, L., and Smolin, J Experimental quantum cryptography. Journal of Cryptology, Vol. 5, Stucky, Damien, Gisin, N., Guinnard, O., Ribordy, G., and Zbinden, H Quantum key distribution over 67 km with a plug & play system. New Journal of Physics, Vol. 4,

11 Cryptographic Key Management Concepts 1077 While this scheme may eventually replace more traditional methods (e.g., Diffie-Hellman) and has excellent potential in outer space where point-to-point laser mightbefeasible for long distances, current implementations impose both speed and distance limits (under 100 kilometers as of this writing) and expense that will make commercial implementations an issue for the future generation of information security professionals Summary Cryptology, which embraces both the creation of cipher systems (cryptography) and the breaking of those systems (cryptanalysis), has a long history. While this history is one of secrecy and intrigue and one of centuries of evolution, it was a history of little practical interest to business until only the past three decades. With the explosive proliferation of computers and networks, both cryptography and cryptanalysis have come to center stage. Our open network environments present security problems only cryptography can solve. As cryptography becomes universal, so will cryptanalysis. John Herbert Dillinger is alleged to haveanswered when askedwhy he robbed banks: Because that s wherethe money is. The information security professional who knows little of cryptography will know little of security, for user authentication and access control, privacy protection and message integrity, audit trail assurance and non-repudiation, and automatic records retention will all depend on elements of cryptography. Understanding cryptographic key management and cryptographic implementations will permit us to manage securely the information assets of our enterprises. 18 For avery readable, technical explanation of quantum cryptography, see Gisin, Nicolas, G. Ribordy, W.Tittel, and H. Zbinden. Quantum Cryptography, submitted to Reviews of Modern Physics.

12