Crypto: Some historical and Technical Background April 5, 2001 PowerPoint PPT Presentation

1
Crypto: Some historical and Technical Background
April 5, 2001

2
Some Definitions
3
  • Plaintext - the unencrypted text
  • Ciphertext - the encrypted message
  • Steganography - hiding a message in another message
    (or even in a picture)
  • One-time pad - a set of keys, used at most once
  • sender and receiver must both have it
  • unbreakable, unless the enemy obtains a copy
  • extremely inconvenient for long messages
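An added illustration (not part of the original slides) of the one-time pad and why each pad must be used at most once: with a fresh random pad the ciphertext carries no information, but reusing the pad lets an eavesdropper cancel it out of two ciphertexts. The messages and the pad are constructed for the demo.

```python
import secrets

def otp_encrypt(plaintext, pad):
    """XOR each plaintext byte with the matching pad byte.
    The pad must be truly random, at least as long as the message,
    and, as the slide says, used at most once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message; would force reuse")
    return bytes(p ^ k for p, k in zip(plaintext, pad))

# Decryption is the same XOR: (p ^ k) ^ k == p
otp_decrypt = otp_encrypt

def two_time_pad_leak(c1, c2):
    """What an eavesdropper can compute if one pad is reused for two
    messages: c1 ^ c2 == p1 ^ p2. The pad cancels out, so the relation
    between the two plaintexts is exposed without any key material
    (a zero byte, for example, marks a position where both messages agree)."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def demo():
    # Constructed sample messages of equal length for the demonstration.
    p1 = b"attack at dawn"
    p2 = b"defend at dusk"
    pad = secrets.token_bytes(len(p1))     # fresh random pad
    c1 = otp_encrypt(p1, pad)
    assert otp_decrypt(c1, pad) == p1      # correct use: round trip works
    c2 = otp_encrypt(p2, pad)              # misuse: same pad a second time
    leak = two_time_pad_leak(c1, c2)
    # The leak equals p1 ^ p2 regardless of which random pad was used.
    return leak == bytes(a ^ b for a, b in zip(p1, p2))
```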

4
Symmetric Algorithms
  • Decryption key can be calculated from the encryption
    key, and vice versa
  • keys must be kept secret
  • example: shifting letters in the alphabet
  • stream algorithms operate on the plaintext a single
    bit or byte at a time
  • block ciphers operate on a group of bits from
    the plaintext

5
Public-key (asymmetric) Algorithms
  • Encryption key public, decryption key private -
    not easily obtainable from the encryption key
  • How to distribute public keys? Spoofing?
  • Useful for digital signatures
  • You sign using your private key
  • I verify by decrypting with your public key

6
Requirements for a crypto algorithm
  • Confidentiality - infeasible to break
  • Authentication - receiver is certain of the sender
  • Integrity - receiver knows the message was not modified
    after being sent
  • Non-repudiation - can't be denied by the sender

7
Some Algorithms and Protocols
8
Distribution of Public Keys
  • Key Management Facility stores everyone's public
    keys
  • Must be trusted and reachable
  • Pretty Good Privacy (PGP) uses a distributed system
    based on a web of trust
  • One of a trusted group verifies that your public
    key is indeed yours

9
Data Encryption Standard (DES)
  • Developed by IBM, modified by NSA
  • Algorithm public
  • Symmetric
  • 56-bit key limitation questioned at the time and is
    now obsolete
  • Triple DES - a stronger version used by financial
    institutions - has been exportable for a long
    time
  • uses 3 keys: encrypts with the first, decrypts with the
    second, encrypts with the third - thought to be secure
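An added example (not from the slides) of the block-cipher structure mentioned on the Symmetric Algorithms slide and of the encrypt-decrypt-encrypt construction described here. The cipher is a toy Feistel network with a hash-based round function standing in for DES's S-boxes; it is not DES and not secure. The EDE order is what makes three equal keys collapse to single encryption, which is why it was chosen over encrypt-encrypt-encrypt.

```python
import hashlib

BLOCK_BYTES = 8   # 64-bit block, as in DES
ROUNDS = 16       # DES also uses 16 rounds

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_function(half, subkey):
    # Toy round function (stand-in for DES's expansion, S-boxes and permutation).
    return hashlib.sha256(subkey + half).digest()[:4]

def _subkeys(key):
    # Toy key schedule: one 4-byte subkey per round, derived from the key.
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]

def _feistel(block, subkeys):
    """One Feistel pass over a block: L, R -> R, L ^ F(R, k) each round.
    Decrypting is the same pass with the subkeys in reverse order."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, _xor(left, _round_function(right, k))
    return right + left   # final swap makes encryption and decryption symmetric

def encrypt(block, key):
    return _feistel(block, _subkeys(key))

def decrypt(block, key):
    return _feistel(block, _subkeys(key)[::-1])

def tdes_encrypt(block, k1, k2, k3):
    """Triple DES, EDE: encrypt with k1, decrypt with k2, encrypt with k3.
    With k1 == k2 == k3 the middle step undoes the first, leaving single
    encryption, so old single-key hardware stays compatible."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def tdes_decrypt(block, k1, k2, k3):
    return decrypt(encrypt(decrypt(block, k3), k2), k1)
```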

10
Secure Socket Layer (SSL)
  • Session key - used for a particular message or
    communication
  • If a session key is broken or compromised, only
    communication sent under that key is vulnerable
  • Use public-key exchange to negotiate the session key
  • Public-key operations are time consuming
  • Communications much faster using the session key
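An added example (not from the slides) of the pattern this slide describes: a Diffie-Hellman exchange (the 1976 public-key exchange mentioned later in the talk) negotiates a session key once, and the traffic then uses a cheap symmetric keystream. Each session uses fresh ephemeral values, so a broken session key exposes only that session. The group parameters are a constructed toy size, and the exchange is unauthenticated: it omits the certificate check that answers the earlier "Spoofing?" question.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for the demo (real use needs 2048+ bits).
P = 2**127 - 1   # a Mersenne prime
G = 5

def keygen():
    """Ephemeral key pair: a private exponent x and the public value G**x mod P.
    A fresh pair per session is what limits a compromise to that session."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(my_private, their_public):
    """Both sides reach the same G**(xy) mod P; hash it into a 32-byte key."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def keystream_xor(key, nonce, data):
    """The fast symmetric step: XOR data with a SHA-256 counter keystream.
    Used for both directions; XOR-ing twice with the same stream decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def run_session(message):
    """One session: the slow public-key exchange once, then symmetric traffic."""
    client_priv, client_pub = keygen()
    server_priv, server_pub = keygen()
    # Each side sends only its public value; private exponents stay local.
    client_key = session_key(client_priv, server_pub)
    server_key = session_key(server_priv, client_pub)
    if client_key != server_key:
        raise RuntimeError("key agreement failed")
    nonce = secrets.token_bytes(8)      # per-message nonce, sent in the clear
    ciphertext = keystream_xor(client_key, nonce, message)
    recovered = keystream_xor(server_key, nonce, ciphertext)
    return client_key, ciphertext, recovered
```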

11
A Brief Historical Review
12
WWI and after
  • Radio used for the first time - messages enciphered
  • (US Navy took over almost all rights to the airwaves,
    essentially displacing individuals)
  • Codes and hand cipher systems - slow and
    inefficient
  • After WWI, rotor machines widely used
  • Mechanical devices for passing each letter
    through multiple layers of encryption
  • Patented! (Far cry from later secrecy)

13
WWII
  • US crypto systems appear to have been unbroken
  • US read Japanese and German codes
  • SIGSALY - the first digital secure telephone
  • One-time key stored on phonograph records

14
Alan Turing (1912 - 1954)
  • Turing Machine - theoretical basis for analyzing
    computation
  • Broke the German Enigma cipher
  • U-boat war against England
  • Top secret, even from the British
  • Arrested for homosexuality in 1952 - forced to take
    estrogen
  • Committed suicide in 1954

15
Cold War
  • CIA created in 1947
  • Claude Shannon's paper on information theory
  • first mathematically rigorous definition of secure
    crypto
  • National Security Agency (NSA) created in 1952
  • Horst Feistel at Air Force Cambridge Research
    Center
  • First practical block ciphers

16
History - the 1970s
  • Data Encryption Standard (DES), 1975
  • Designed by IBM (Horst Feistel)
  • 56-bit key
  • Diffie/Hellman public-key paper, 1976
  • RSA paper (Rivest, Shamir, Adleman) published 1978

17
Efforts to control dissemination
  • 1977: Rivest received a letter warning him not to
    present a paper at an IEEE meeting because the presence
    of foreigners might violate the US International Traffic
    in Arms Regulations (ITAR)
  • Authors stopped sending copies
  • Deborah Shapley, journalist at Science,
    discovered that the letter writer (J. A. Meyer) worked at
    NSA
  • NSA denied involvement
  • Rivest gave the talk and continued distributing copies

18
Efforts to control dissemination - patents (1978)
  • Carl Nicolai - telephone scrambler
  • George Davida - a technical result for
    cryptosystems (U of Wisc)
  • Both subject to secrecy orders
  • even the existence of the secrecy order not to be revealed
  • Both fought and won
  • Nicolai - secrecy order was a mistake
  • Davida - result had already appeared as a CS dept report

19
Efforts to control dissemination - research
funding (1970s)
  • Rick Weingarten, program officer at NSF
  • Told that funding crypto research was probably
    against the law (he hadn't been funding any)
  • Len Adleman submitted a crypto research proposal to
    NSF, which forwarded it to NSA
  • Adleman didn't want NSA funding
  • prior review could be classified as secret
  • (Could have been classified with NSF funding)

20
Funding issues (cont)
  • Admiral Bobby Inman, NSA Director: publication of
    crypto research harmful to national security (1979)
  • NSF and NSA both fund crypto research
  • In response to Inman's concerns, an NSA panel was
    established to review crypto papers prior to
    publication - voluntary submission
  • Not many requests for modifications; at least two
    publications withheld; not a major impediment; more
    or less moot now

21
History - the 1980s
  • NSA attempted to prevent recertification of DES
    in 1988 because the DES algorithm was public
  • Wanted to substitute equipment based on secret
    algorithms
  • Opposed by the banking industry, esp. since DES was
    being used internationally by financial
    institutions
  • National Bureau of Standards recertified DES

22
Sensitive, but Unclassified
  • National Security Decision Directive (NSDD-145),
    Reagan, 1984
  • FBI tried to learn what scientific info foreign
    students were reading in university libraries
  • Librarians demanded subpoenas
  • Hearings on NSDD-145 by a committee of the House of Reps;
    complaints by industry, academia, and others
    resulted in withdrawal

23
The Computer Security Act, 1987
  • Congress gave the National Institute of Standards and
    Technology (NIST) responsibility for developing
    civilian crypto standards
  • Memorandum of Understanding (MOU) 1989 between NIST
    and NSA
  • Raymond Kammer, acting Director of NIST, son of two
    NSA employees
  • MOU gave NSA significant control

24
Computer Security Act MOU
  • Technical Working Group (TWG) with 3 reps from
    NIST and 3 from NSA would review issues prior to
    public disclosure
  • Digital Signature Standard
  • RSA proposed
  • TWG delayed agreement on a standard
  • NSA proposed a classified algorithm instead

25
Digital Signature
  • Requirements
  • Authentic
  • Unforgeable
  • Document cannot be altered
  • Signature cannot be repudiated
  • Not reusable
  • Public key works except for the reusable requirement
    - use a timestamp
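An added example (not from the slides) of the sign-with-private-key, check-with-public-key mechanics from the earlier public-key slide, extended with the timestamp fix this slide proposes for the "not reusable" requirement. The key is textbook RSA built from two constructed Mersenne primes, far too small and unpadded for real use; the verifier logic is the point.

```python
import hashlib

# Constructed toy RSA key from two known Mersenne primes. Real keys use
# randomly generated primes of 1024+ bits and padded hashes; this is
# "textbook" RSA, only meant to show the sign/verify mechanics.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(private_d, message):
    """You sign with your private key."""
    return pow(_digest(message), private_d, N)

def verify(public_e, message, signature):
    """I check with your public key: the signature must undo to the hash."""
    return pow(signature, public_e, N) == _digest(message)

def sign_with_timestamp(private_d, payload, now):
    """Bind a timestamp into what is signed so the signature is not reusable."""
    message = payload + b"|" + str(now).encode()
    return message, sign(private_d, message)

class Verifier:
    """Accepts a signed message once, and only while its timestamp is fresh."""
    def __init__(self, public_e, max_age=60):
        self.e, self.max_age, self.seen = public_e, max_age, set()

    def accept(self, message, signature, now):
        if not verify(self.e, message, signature):
            return "bad signature"          # forged, or document altered
        stamp = int(message.rsplit(b"|", 1)[1])
        if now - stamp > self.max_age:
            return "stale"                  # old signature presented later
        if (message, signature) in self.seen:
            return "replay"                 # same signed message presented again
        self.seen.add((message, signature))
        return "ok"
```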

26
NSA's Digital Signature Standard (DSS), 1991
  • Patent issues (Claus Schnorr)
  • Not compatible with other digital signature systems
  • 512-bit key size shown not to be secure (Bell
    Labs)
  • About 10 times slower than RSA

27
NSA and NIST
  • "It's increasingly evident that it is difficult,
    if not impossible, to reconcile the requirements
    of NSA, NIST and the general public using the
    approach of the TWG."
  • Jan 1990 memo from the NIST members of the TWG,
    obtained using the Freedom of Information Act
    (FOIA)
  • OTA and others concluded that NSA was in charge

28
FBI involvement
  • NSA had attempted to include the FBI in the MOU, but NIST
    refused
  • FBI had not been involved with crypto
  • Kammer and Clint Brooks from NSA convinced the FBI
    that they should be
  • James Kallstrom picked up the ball for the FBI, which had
    a policy by 1991. Kallstrom later headed the
    investigation of the TWA 800 crash.

29
Import/Export of Crypto Products
30
Import of Crypto products
  • There has never been any restriction on import or
    sale of crypto products into the US
  • Oxley-Manton Amendment, 1997
  • Amendment to the Security and Freedom through
    Encryption (SAFE) Act, which would have liberalized
    export of crypto
  • Would have required that all domestic crypto
    contain key escrow or recovery - didn't pass
  • Pushed by Louis Freeh, head of the FBI

31
Export Controls
  • Arms Export Control Act (AECA) regulates
    munitions (1949)
  • AECA is the basis for ITAR (used in '77 to try to
    prevent Rivest from presenting his paper)
  • Export Administration Act (EAA) regulates
    dual-use products
  • dual-use - both military and commercial
    applications

32
Export Controls
  • Crypto defined to be munitions, requiring
    licenses
  • Licensing requirements gradually weakened
  • In general, weak (40-bit) exports allowed, but
    strong disallowed
  • Individuals free to use strong crypto
    domestically
  • Strong crypto not included in most mass-market
    software

33
Export Controls
  • Strong crypto available outside the US and even
    on the Internet
  • US industry lost business to foreign competitors
    who could export strong crypto into the US

34
Impact of Open Source Software
  • Software developed by programmers throughout the
    world
  • Source code available to all - free downloads
  • Linux best known
  • Distributed under a license that guarantees the
    right to read, redistribute, modify, and
    use the software freely
  • Who is authorized to apply for an export license?

35
Export Controls
  • Export regs relaxed on open source code, Jan 2000
  • Export regs significantly liberalized in response
    to the European Union's creation of a license-free
    zone for most crypto products, Oct 2000

36
Court Cases
37
Philip Karn
  • Applied for an export license for Applied
    Cryptography by Bruce Schneier (1994)
  • license granted
  • Then applied for an export license for the appendix of
    Schneier's book on floppy
  • Contained source code for crypto algorithms
  • license denied

38
Karn (cont)
  • Filed suit in District Court Sept. '95
  • Case thrown out in '96
  • Appealed to the Court of Appeals
  • Export regs moved from the State Dept to the Dept of
    Commerce Dec. 30, 1996 - days before oral
    arguments were scheduled
  • Remanded back to District Court

39
Karn (cont)
  • Requested permission from DoC
  • When refused, returned to District Court '98
  • New export regs made the lawsuit moot

40
Daniel Bernstein
  • CS prof at U. of Ill.
  • While a Ph.D. student at Berkeley, developed a crypto
    algorithm called Snuffle
  • Filed a request with the State Dept to determine if he
    could publish Snuffle source code, '92
  • Needed a license to post on the Internet and show to
    non-US citizens (e.g. some of his students)
  • Was never granted a license

41
Bernstein (cont)
  • Filed action in '95 in the District Court
  • Claimed ITAR restrictions violated the 1st Amendment
    because source code is speech
  • Court agreed with the 1st Amendment argument
  • Nov '96: jurisdiction for crypto export
    transferred from the State Dept to Commerce
  • Commerce adopted amendments restricting crypto
    exports essentially identical to ITAR

42
Bernstein (cont)
  • District Court ruled in 1997 in favor of
    Bernstein (prior restraint on speech)
  • Ruling upheld by a 3-judge panel of the 9th Circuit
    Court of Appeals, May 1999
  • Govt requested review by the full court, June 1999
  • New export regs issued Jan. 2000
  • Govt claimed that the new regs made the case moot
  • Court agreed

43
Peter Junger
  • Prof at Case Western Reserve
  • Filed suit against the State Dept/ITAR, '96
  • Export regs vague and overbroad -
    unconstitutional
  • Prevented him from teaching crypto to a US college
    class with foreign students
  • Sought injunctive relief

44
Junger (cont)
  • Filed an amended complaint after regs moved to DoC,
    1997
  • Govt won summary judgment July 1998
  • Appealed to the Appeals Court March 1999
  • Appeals Court ruled that source code is protected
    speech, April 2000
  • Issue of the difference between source code and
    object code came up in the DVD/2600 case

45
Key Escrow / Key Recovery
46
Escrowed Encryption Standard 1993
  • Key escrow - a third party has a copy of the key
  • Clipper was a chip containing the classified Skipjack
    algorithm and a key escrow feature
  • Escrowed key broken into two pieces, to be stored
    in separate locations in govt
  • attempt to increase security by not having all of the
    key in a single location
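An added illustration (not from the slides, and not Clipper's actual key handling, which the slide does not detail) of the two-piece split described above: the key is XORed with a random piece, each piece alone is uniformly random and reveals nothing, and recovery needs a release from both storage locations. The key and key id are constructed placeholders.

```python
import secrets

def split_key(key):
    """Split a key into two escrow pieces: one random, one key XOR random.
    Each piece on its own is a uniformly random string that reveals nothing
    about the key; only the pair reconstructs it."""
    piece_a = secrets.token_bytes(len(key))
    piece_b = bytes(k ^ r for k, r in zip(key, piece_a))
    return piece_a, piece_b

def recover_key(piece_a, piece_b):
    """XOR the two pieces back together."""
    if len(piece_a) != len(piece_b):
        raise ValueError("escrow pieces do not match")
    return bytes(a ^ b for a, b in zip(piece_a, piece_b))

class EscrowAgent:
    """One of the two separate storage locations; holds one piece per key id.
    Each store is exactly the 'obvious target' the Risks slide warns about."""
    def __init__(self):
        self.store = {}

    def deposit(self, key_id, piece):
        self.store[key_id] = piece

    def release(self, key_id):
        return self.store[key_id]

def escrow_key(key_id, key, agent_a, agent_b):
    """Deposit one piece with each agent; neither agent ever sees the key."""
    piece_a, piece_b = split_key(key)
    agent_a.deposit(key_id, piece_a)
    agent_b.deposit(key_id, piece_b)

def recover_from_escrow(key_id, agent_a, agent_b):
    """Recovery needs a release from both agents; one agent cannot do it alone."""
    return recover_key(agent_a.release(key_id), agent_b.release(key_id))
```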

47
Key Escrow
  • Goal of enabling law enforcement to obtain the key
  • Was to be exportable
  • How to work out key escrow with other countries
    never defined
  • Could be defeated by prior use of a non-escrowed
    crypto algorithm

48
Key Recovery
  • Some mechanism for obtaining access to the plaintext
    of an encrypted communication
  • Govt requirements:
  • Access without end-user knowledge or consent
  • Ubiquitous adoption
  • Rapid recovery of plaintext
  • Should work for encrypted communications as well
    as stored data

49
Risks of key recovery
  • Security
  • Creating secure crypto without additional
    features is already very difficult
  • Addition of a back door increases vulnerability
    to outside attack
  • Storage locations of keys are obvious targets
  • Requirement of rapid translation to plaintext
    increases risks

50
Costs of key recovery
  • Not obvious that a secure system can even be
    built, let alone built at reasonable cost
  • Costs of developing infrastructure, including
    storage and retrieval mechanisms for keys
  • Costs of operating the storage mechanism
  • Vulnerability of employees to bribery
  • Costs of replacing current technologies

51
How is crypto broken?
  • Key length allows for brute-force attack
  • 40-bit breakable in seconds
  • 56-bit DES broken in 1998 by EFF (John Gilmore)
  • Custom-built machine cost 210K, including
    research and testing
  • Poorly designed or implemented protocols
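An added example (not from the slides) tying the Symmetric Algorithms slide's "shifting letters" cipher to this slide's point about key length: the shift cipher has only 26 keys, so trying every key and ranking the results with a rough English letter-frequency score recovers the key instantly, and relative_effort shows how the same exhaustive search grows with key bits. The frequency weights are approximate values constructed for the demo.

```python
import string

ALPHABET = string.ascii_lowercase
# Approximate English letter frequencies (percent) for the commonest letters,
# used to rank candidate plaintexts; letters not listed score 0.
ENGLISH_FREQ = {'e': 12.7, 't': 9.1, 'a': 8.2, 'o': 7.5, 'i': 7.0, 'n': 6.7,
                's': 6.3, 'h': 6.1, 'r': 6.0, 'd': 4.3, 'l': 4.0, 'u': 2.8}

def shift_encrypt(text, key):
    """The slide's symmetric example: shift each letter by `key` positions.
    Non-letters pass through unchanged; case is folded to lowercase."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(text, key):
    # Same key, opposite direction: the symmetric-key property from the slide.
    return shift_encrypt(text, -key)

def english_score(text):
    """Higher is more English-like: sum of the weights of the letters present."""
    return sum(ENGLISH_FREQ.get(ch, 0) for ch in text)

def brute_force(ciphertext):
    """Try every key and keep the most English-looking result. With 26 keys
    this is instant; a 40-bit key needs 2**40 trials and 56-bit DES 2**16 times
    more, which is what the EFF machine on the slide was built to do."""
    candidates = [(english_score(shift_decrypt(ciphertext, k)), k) for k in range(26)]
    score, key = max(candidates)
    return key, shift_decrypt(ciphertext, key)

def relative_effort(bits_a, bits_b):
    """How many times more trials a bits_b-bit key needs than a bits_a-bit key."""
    return 2 ** (bits_b - bits_a)
```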

52
Human Rights Issues
  • Encryption of member names, email communications,
    etc. can offer some protection to opponents of
    repressive regimes
  • Preventing access to strong crypto or requiring
    that all crypto have key recovery (to be used by
    local govt?) can facilitate repression