Security for Computer Networks

Transcription

1 Security for Computer Networks An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer D. W. Davies Consultant for Data Security and W. L. Price National Physical Laboratory, Teddington, Middlesex A Wiley-Interscience Publication lecbnischs FACHBEREiCH INFORMATtK LLLLLP THEK Sadigebiste i Standorti JOHN WILEY & SONS Chichester New York Brisbane Toronto Singapore

2 Contents Preface xvii Chapter 1. Data Security The need for data security Assessment of security 3 Software integrity 5 Security and people The effect of technology The notation for encryption 7 The need for key distribution and management Some uses for encipherment General properties of cipher functions 12 Chapter 2. Ciphers and their Properties Introduction Substitution ciphers -' 17 The Caesar cipher 17 Monoalphabetic substitution 19 Polyalphabetic substitution 21 The Vigenere cipher Transposition ciphers 25 Simple transposition 26 The Nihilist cipher Product ciphers Cipher machines 28 The Jefferson cylinder 28 The Wheatstone disc 29 Rotor machines, the Enigma 30 vii

3 Vlll Printing cipher machines 32 Modern cipher machines 33 Substitution in modern ciphers 34 Keyed substitution 34 Transposition in modern ciphers Attacks against enciphered data 35 Classes of attack The stream cipher 38 The Vernam cipher The block cipher Measurement of cipher strength 41 Shannon's theory of secrecy systems 41 Limits of computation 42 An application of Shannon's theory Threats against a secure system 43 Active line taps 44 Methods of protection The encipherment key 46 References 47 Chapter 3. The Data Encryption Standard History of the DES 49 The role of NBS 50 The IBM Lucifer cipher 51 The process of establishing the DES The algorithm of the Data Encryption Standard 54 The ladder diagram 61 An algebraic representation The effect of the DES algorithm on data Known regularities in the DES algorithm 67 Complementation 67 The weak keys 68 The semi-weak keys 69 Hamiltonian cycles in the DES Argument over the security of the DES 71 Exhaustive search for a DES key 73 Multiple DES encipherment 74 Trapdoors in the DES? 75 Senate investigation of the DES 76

4 3.6 Implementations of the Data Encryption Standard 76 Single chips 77 Multiple-chip sets 78 Microprocessor implementations 78 Circuit boards for the Data Encryption Standard 79 Tamper-resistant security modules The IBM cryptographic scheme Future standardization of encipherment algorithms 84 References 86 Chapter 4. Using a Block Cipher in Practice Methods for using a block cipher 88 The limitations of the electronic codebook mode Cipher block chaining 91 The first and last blocks 93 Transmission errors in CBC encipherment 95 Choice of the initializing variable Cipher feedback 97 Error extension in cipher feedback 99 Initializing with CFB 100 Encipherment of an arbitrary character set Output feedback 104 Key stream repetition Standard and non-standard methods of operation The place of encipherment in network architecture 109 Line level encipherment 110 End-to-end encipherment 112 The key distribution problem for end-to-end encipherment 114 Node-by-node encipherment 114 A best place for encipherment in network architecture? Appendix: The birthday problem 116 References Chapter 5. Authentication Introduction Protection against errors in data preparation Protection against accidental errors in data transmission 122 Cyclic redundancy checks Authentication using secret parameters 123 IX

5 5.5 Requirements for an authenticator algorithm 125 The decimal shift and add algorithm 127 A 'main frame' authenticator algorithm 130 Authentication methods using the standard 'modes of operation' Message authentication by encipherment 134 Choice of the plaintext sum check method of authentication 134 Encipherment or authentication? 136 Authentication without a secret key The problem of replay 137 Use of a message sequence number 138 The use of random numbers for entity authentication 140 The use of date and time stamps 141 Authentication of stored data The problem of disputes 143 References 144 Chapter 6. Key Management Introduction Key generation 146 Random bit generators 147 Pseudo-random number generators Terminal and session keys 149 Routes for distribution of session keys 151 Session key distribution protocol 152 Authentication at the key acquisition phase 153 Authentication at the key transfer phase 154 Distribution of terminal keys The IBM key management scheme 156 Physical security requirements 157 The key hierarchy 158 The encipherment and decipherment of data at the host 159 Generation and distribution of a session key 160 Generation and distribution of the terminal key 162 The principles of file security in the IBM key management scheme 164 Generating and retrieving a file key 165 Transfer of enciphered data between hosts 166 Transfer of enciphered files between hosts Key management with tagged keys 168 Generation of new tagged keys 170 Extending the key hierarchy 171

6 6.6 Key management by the key notarization method 172 The operation of key notarization 173 The management of data keys 174 Management of the interchange keys 176 Comparison with the IBM key management scheme 177 References 178 Chapter 7. Identity Verification Introduction Identity verification by something known Passwords Variable passwords based on a one-way function Questionnaires 7.3 Identity verification by a token Magnetic stripe cards Watermark tape Sandwich tape Active cards 7.4 Identity verification by personal characteristics Machine recognition System tolerance 7.5 Hand-written signature verification Techniques for recording pen movement Use of signature verification 7.6 Fingerprint verification Machine recoenitioh of fingerprints XI Voice verification Recognition of retinal patterns The verification process 202 Introduction 203 Verification 203 Tradeoffs Assessment of identity verification techniques 208 The Mitre evaluation studies 208 Voice 209 Signature 210 Fingerprints 211 Comparison of systems Performance of other identity verification systems 213 Speaker verification 213 Signature verification 214

7 Xll Fingerprint verification 215 Retinal patterns 215 Profile verification Selection of an identity verification system 216 References 217 Chapter 8. Public Key Ciphers The principle of public key encipherment 219 Access control with an asymmetric cipher 222 Constructing a public key system 222 One-way functions revisited 223 Number theory and finite arithmetic The exponential function and key distribution 225 The exponential as a one-way function 228 The complexity of the logarithm 230 Key distribution 231 Authentication and transparency The power function 234 Encipherment without key transport The Rivest, Shamir and Adleman public key cipher 237 An attack by iteration and a defence 240 Practical aspects of the RSA cipher The trapdoor knapsack 246 Practical aspects of the trapdoor knapsack A cipher based on error correcting codes The registry of public keys Complexity theory and cryptography 255 The limitations of complexity theory for cryptography Appendix: Finite arithmetic 257 Counting in modulo m arithmetic 257 Addition Subtraction 258 Multiplication 259 Division 260 The Euclidean algorithm 260 Calculation of the reciprocal 261 References 262 Chapter 9. Digital Signatures The problem of disputes 265

8 Xlll 9.2 Digital signature using a public key cipher 266 Signature and encipherment combined 269 Signature using the RSA cipher 270 The asymmetric use of DES as a signature substitute 273 A new, economical signature method Separation of the signature from the message 275 Falsifying a signed message by the 'Birthday' method 278 A one-way function for signature or authentication Signatures employing a symmetric cipher 281 Rabin's signature method 282 Arbitrated signatures The practical application of digital signatures 286 Revocation of signatures 287 References 289 Chapter 10. Electronic Funds Transfer and the Intelligent Token Introduction Established payment mechanisms 292 The bank cheque 293 Credit transfer 294 Summary of the properties of payment methods Inter-bank payments 297 The Society for Worldwide Inter-bank Financial Telecommunication s.c. 297 Message format standards 299 Security in the S.W.I.F.T. system 302 The Clearing Houses Automated Payments System (CHAPS) Automatic teller machines 306 On-line and off-line operation 308 PIN management 310 Algorithmic PIN checking 311 The dialogue for an on-line ATM 313 Shared ATM systems 315 Checking the PIN with an authentication parameter 320 Public key cryptography in a shared ATM system Point-of-sale payments 321 The end-to-end session key in shared ATM and point-of-sale systems 325 Off-line point-of-sale terminals 327 Physical security requirements of the intelligent token 328 PIN checking in an intelligent token 328

9 XIV 10.6 Payments by signed messages 331 Point-of-sale payments by electronic cheque 334 A development of the intelligent token Access control by intelligent tokens 336 Access control for centralized and distributed information services Negotiable documents 340 A general-purpose negotiable document 340 Protection of negotiable documents against theft 343 References 344 Chapter 11. Data Security Standards Introduction 345 The standards authorities Standardization related to the Data Encryption Standard 350 Federal Standard 1027 General security requirements for equipment using the DES Modes of operation Encipherment in the physical layer of data communications 354 Principles for encipherment at the physical layer 356 Signalling the start of transmission 358 Treatment of the break signal 359 The option of bypass control Encipherment in the data link layer Authentication standards Conclusion 365 References 366 Glossary 367 Index 381 Note added in proof The OSS quadratic signature method (p. 274) was described as 'tentative'. Since we wrote this, J. M. Pollard has shown that values of s and t can be obtained to satisfy the signature check, in other words that signatures can be forged, with a reasonable amount of calculation. However, C. P. Schnorr has devised a cubic version which defeats Pollard's attack. Will this prove to be secure?