S 3.23 Introduction to basic cryptographic terms

Initiation responsibility: Head of IT Section, IT Security management

Implementation responsibility: Head of IT Section, IT Security management

As far as the user is concerned, the use of crypto products may mean additional effort or -- depending on the complexity of the products used - may even require a greater depth of knowledge. All staff who are supposed to make use of cryptographic procedures and products should therefore be made aware of the usefulness and necessity of the cryptographic techniques and be given an introduction to basic cryptographic terminology. This applies in particular of course to staff whose role it is to draw up a crypto concept or select, install or manage crypto products.

The following sections are intended to provide an elementary understanding of the fundamental cryptographic mechanisms. Examples are described as a means of explaining which cryptographic technique can be used in which situation.

Elements of cryptography

The term cryptographic refers to mathematical methods and techniques that can be used for protecting information against unauthorised disclosure and/or intentional manipulation. The protection of information by cryptographic methods - in contrast with infrastructural and technical safeguards - is a mathematical-logical form of protection.

Cryptographic procedures entail the implementation of a mathematical calculation process - an algorithm - through specific techniques. Their effectiveness is based on the assumption that a potential attacker will be unable to solve a certain mathematical problem and not because of a lack of particular skills but because of not having knowledge of quite specific "key" information.

Cryptographic methods always relate to the following situation: a sender A (commonly referred to in cryptography as "Alice") sends a message via a non-secure channel to a recipient B (referred to as "Bob").

The sender and recipient may also be identical in this case, and the term "channel" may refer to any transport medium. When it is a matter of encrypting local data, the sender and recipient are of course identical, and the "channel" is taken to be the storage medium.

Basic cryptographic objectives

Theoretical and practical considerations lead to a distinction being drawn between four basic cryptographic objectives:

1. Confidentiality/secrecy: no unauthorised third party E (let her name be "Eve") is to gain access to the contents of the message or file.

2. Integrity: It must be possible to detect unauthorised manipulation of the message or file (e.g. the insertion, omission or replacement of parts).

3. Authenticity:

• Proof of identity (authentication of communications partners): a communicating party (e.g. a person, organisation or IT system) must be able to prove its identity beyond doubt to another party.

• Proof of origin (authentication of messages): A must be able prove to B that a message originates from A and has not been altered.

4. Non-repudiation: the emphasis here in comparison with message authentication is placed on verifiability with respect to third parties.

• Non-repudiation of origin: it should be impossible for A to deny having sent a certain message to B after the event.

• Non-repudiation of receipt: it should be impossible for B to deny having received a message sent by A after the event.

It is plain that there are connections between these objectives, but one fundamental understanding of modern cryptography is as follows: the guaranteeing of confidentiality and of authenticity are separate basic aims of a cryptographic system: authentication restricts the circle of potential senders of a message, while confidentiality restricts the circle of potential recipients.

The primary cryptographic method for preserving confidentiality is encryption, and the primary methods of guaranteeing integrity, authenticity and non-repudiation are hash functions, message authentication codes (MACs), digital signatures and cryptographic protocols. The individual cryptographic concepts are described briefly in the following.

I. Encryption

Encryption (encipherment) transforms a plaintext, in accordance with an item of additional information known as the key, into an associated secret text (ciphertext or enciphered text) that should not be decryptable for anyone who does not know the key. The reverse transformation - reclaiming the plaintext from the ciphertext - is known as decryption or decipherment. In all state-of-the-art encryption algorithms, plaintexts, ciphertexts and keys are each represented as sequences of bits.

For them to be useable in practice, encryption algorithms must satisfy the following minimum requirements:

• They should be resistant to deciphering, i.e. it must be impossible to decrypt the ciphertext without knowledge of the key; in particular, the quantity of possible keys must be "sufficiently large", because otherwise it would simply be possible to try out all keys.

• They must be easy to use.

• Encryption and decryption must be "fast enough".

The requirement for resistance to deciphering must always be considered relative to current technical and mathematical possibilities. An important factor in the assessment of encryption algorithms is that it must be practically impossible at the time of use to decrypt the ciphertext without knowledge of the key, i.e. impossible with the technology available at the time within an acceptable timescale.

When A and B want to establish a confidential connection, they proceed as follows:

1. They agree on an encryption procedure.

2. They agree on a key or a pair of keys.

3. A encrypts a message and sends this to B.

4. B decrypts the ciphertext sent from A.

There are two major classes of encryption procedures:

Symmetrical encryption procedures use the same key both for encryption and decryption. Symmetrical techniques are therefore also occasionally referred to as "one-key" techniques, because knowledge of one key is sufficient to be able to encrypt and decrypt texts.

Well-known symmetrical encryption procedures include DES, Triple-DES, IDEA and RC5, for example.

Symmetrical procedures are further differentiated, distinguishing between stream ciphers and block ciphers.

In the case of stream ciphers, a key is used to generate a bit sequence (or bit stream) with as random an appearance as possible, which is added to the plain bit sequence (modulo 2). The plain bit sequence is therefore encrypted bit by bit (by the addition of key stream bits). It is essential for the security of stream ciphers that two (different) messages are never encrypted with the same key stream - this must be ensured with the aid of special measures (synchronisation information in the form of a message key). Examples of stream ciphers are RC4 and SEAL.

In the case of block ciphers, on the other hand, an entire block of bits is encrypted in one encryption cycle; nowadays this typically comprises 64 bits. Most symmetrical encryption methods are block ciphers; these also include DES, IDEA and RC5. A range of operating modes have been defined (and standardised) for block ciphers. These are:

• ECB (Electronic Code Book) mode, where every block is encrypted separately - independently of the other blocks

• CBC (Cipher Block Chaining) mode and CFB (Cipher Feed Back) mode; in these modes a dependence is established between the ciphertext blocks and all preceding ciphertext blocks, depending on the choice of an additional initialisation vector

• OFB (Output Feedback Mode), a mode which can be interpreted such that the block cipher is used to generate a "block stream" that is added to the plaintext blocks bit by bit (modulo 2)

When using symmetrical procedures it must always be borne in mind that communication must be preceded by an exchange of keys between the communicating parties. This must take place via a secure channel (such as by courier or personal delivery), and both parties must subsequently keep the key secret. There are various procedures for ensuring secure key exchange. In closed systems the exchange of keys can generally be performed without difficulty, because in this case there are usually "secure channels" available. In open systems with a large number of communication partners, this is more difficult. Generally speaking, however, the problem is that if there are a large number of potential communication partners a correspondingly large number of keys have to be exchanged before the communication process itself can take place, and that the potential communication partners have to be known in advance.

Asymmetric (public key) encryption methods, on the other hand, use two different (but mathematically related) keys: one "public" key for encryption, and one "private" key for decryption. This pair of keys must have the following property: it must be practically impossible for anyone who knows only the public key to determine the associated private key or to decrypt a message encrypted with the public key.

Asymmetric encryption therefore has the nature of a "one-way" method: a message cannot be restored if the private key has been forgotten or deleted.

The name "public key" encryption comes from the fact that the public key can be made known publicly without compromising the security of the procedure. In contrast, the private key must be kept secret.

If we assume that Alice wants to send a message in encrypted form to Bob, Alice picks up Bob's public key from a freely accessible file and uses it to encrypt her message. After receiving the message, Bob uses his secret key to decrypt the message he has received from Alice. If Alice and Bob are using an asymmetric algorithm for the purpose of confidentiality, they therefore do not need a secure channel for the exchange of keys, but Alice must be certain that she is indeed using Bob's public key and not a key that has been foisted on her as being Bob's key. If Alice were to encrypt a message with a foisted key, the perpetrator, who of course knows the matching private key, could decrypt the message. The sender normally requires confirmation from a trusted third party that the recipient's public key really does belong to the recipient. This confirmation, the "certificate", is normally also generated by a cryptographic procedure and is enclosed with the public key.

Two well-known asymmetric encryption methods are the RSA algorithm (named after its inventors, Rivest, Shamir and Adleman) and the class of ElGamal algorithms. The latter also include the encryption procedures based on elliptic curves.

Symmetric and asymmetric encryption algorithms have advantages and disadvantages which in some cases complement each other.

Advantages of (good) symmetric algorithms:

• They are fast, i.e. they have a high data throughput.

• The level of security is largely determined by the length of the key, i.e. with good symmetric procedures there should be no attacks which are considerably better than trying out all keys (brute-force attacks).

• They offer a high level of security with a relatively short key.

• It is easy to generate keys, because usually any bit sequence of a fixed length is allowed as the key and a random number can be chosen as the key.

Disadvantages of symmetric algorithms:

• All users have to keep all keys belonging to their communication partners secret.

• They are less well suited to key distribution than asymmetric procedures, especially if there are a large number of communication partners.

• They are less practicable than asymmetric procedures for non-repudiation purposes, because when symmetric keys are used it is not easy to detect which of the two communication partners has encrypted the message. This can only be ensured by an intermediate third party, which is integrated into the message flow by means of corresponding cryptographic protocols.

Advantages of (good) asymmetric procedures:

• Every party in a confidential communication process only has to keep his own private key secret.

• They can easily be used for digital signatures.

• They offer elegant solutions for the distribution of keys in networks, because the public keys or key certificates can be stored in freely accessible form on central servers without imparing the security of the procedure.

• They are well suited for non-repudiation purposes.

Disadvantages of asymmetric procedures:

• They are slow, i.e. they generally have a low data throughput.

• Security: the following applies to all well-known public key procedures:

• There are considerably better attacks than trying all keys one after the other, which is why (in comparison with symmetric methods) relatively long keys are required in order to achieve an equally high degree of security.

• Security is based "only" on the presumed (but recognised among the experts) algorithmic difficulty of a mathematical problem (for example decomposing a large number into its prime factors).

• Key generation is generally complex and time-consuming, because care must be taken not to generate "weak" key pairs.

Hybrid procedures attempt to combine the advantages of both types of encryption: they use asymmetric encryption to transfer a session key for a symmetric procedure, and encrypt the bulk data with the symmetric procedure. The session key is usually used for only one session (transmission) and is then destroyed. The asymmetric key pair may be used for a long period, depending on the circumstances.

II. Protection of integrity

The objective of integrity protection is to enable the recipient of a message to establish whether he has received the message without it being corrupted. The basic principle of integrity protection is to transmit the message unencrypted and unchanged, but at the same time to send certain checking information with the message, which enables the actual message to be checked to ensure that it is uncorrupted. The prerequisite for this, however, is that the recipient must receive the check data in an unmanipulated state. The check data therefore has to satisfy the following conditions:

• The amount of check information must be kept as small a possible so as to minimise the amount of additional information to be transmitted.

• It must be possible to detect virtually any manipulation, even of only a single bit of the message, on the basis of the check information.

• It must be possible to transmit the check information in an unmanipulable form, or it must be possible to detect manipulations.

Typically there are two methods that are used for the calculation of check information: hash functions and message authentication codes.

A (one-way) hash function is a data transformation with the following characteristics:

• Compression characteristic: bit sequences of any length are mapped to bit sequences of a fixed, generally shorter length (typically 128 - 160 bits).

• "One-way" characteristic: for a specified hash value it must be "practically impossible" to find a message whose hash value is the specified hash value.

• Collision resistance: it must be "practically impossible" to find two messages which lead to the same hash value.

A and B can check the integrity of a message with the aid of a hash function known to both communication partners: Alice hashes her message, and transmits this and the hash value to Bob in such a way that the accuracy of the hash value is guaranteed. Similarly, Bob hashes the message he receives and compares his result with the hash value supplied by Alice. If the two values tally, he can assume that no bit of the message has been changed.

A message authentication code (MAC) is a cryptographic checksum for message security, in other words a data transformation in which a secret key is additionally included in the calculation, with the following characteristics:

• Compression characteristic: bit sequences of any length are mapped to bit sequences of a fixed, generally shorter length.

• Resistance to forging: for anyone who is not in possession of the key it must be "practically impossible" to calculate the MAC value of a new message, even if he has come into possession of a number of old messages with the associated MAC values.

If Alice and Bob have a MAC and a common, secret MAC key, Alice authenticates her message simply by calculating the MAC value of the message and sending it to Bob together with the message. In turn, Bob calculates the MAC value of the received message with the MAC key, which is also known to him. If this tallies with Alice's value, he can assume that the message is authentic (i.e. that it has not been altered and that it really originates from Alice). Alice has therefore authenticated her message to Bob by using the key that is known only to Bob and herself.

MACs are often designed on the basis of symmetric encryption methods. The best known variant is the encryption of a message with DES or another block cipher algorithm in CBC or CFB mode. This involves appending the last encrypted block to the message as the MAC. Apart from this, however, there are also MACs that are not based on encryption methods. The MAC value of a message can be seen as the non-forgeable, key-dependent, cryptographic checksum of the message. The use of MACs for the purpose of authentication requires that both parties reliably protect the secret authentication key.

As a side-effect of integrity protection, the procedures outlined above can be used at the same time by the recipient of the message to check that the message, which has been verified as being unmanipulated, could only have been sent by the sender who is actually known to the recipient. This conclusion can be drawn because only this sender has the necessary keys for encrypting and determining the check information.

III. Proof of authenticity

Certain criteria must be met regarding the authentication of users with respect to communication partners/IT systems or of clients with respect to servers:

• Illegitimate accesses must be detected and warded off

• Legitimate accesses must be permitted

• Sensitive data must remain protected even when transmitted across networks

To ensure this, procedures are required which allow all participants to establish the identity of their communication partners unequivocally. This includes a time aspect: Alice wants to convince Bob in real time that it is indeed she who is communicating with him. The main techniques for authentications of this nature are cryptographic challenge-response protocols.

In these, Bob sends data to Alice and requests (challenges) her to prove to him that she possesses a secret (i.e. an item of key information); Alice demonstrates to him that she has this possession without divulging the secret itself by sending him a response that is dependent on the secret and on his challenge. Bob in turn uses the response that she has sent to check that the correct secret really was used to calculate the response.

To ensure strong authentication, the challenges must not be repeated. Both symmetric and asymmetric techniques can be used with challenge-response procedures.

Example: Alice and Bob agree in advance on a symmetric encryption procedure and a common cryptographic key. For authentication purposes, Bob sends a random number to Alice as a challenge. Alice in turn encrypts this random number with the common secret key, and sends the result back to Bob. At the next stage, Bob decrypts the messages and compares the result with the random number he chose at the outset. It they are the same, it really is Alice, because only she knows the secret key.

IV. Digital signature

The purpose of the cryptographic construct of a digital signature is to allow the use of a counterpart to hand-written signatures for digital files and messages. For this, some of the cryptographic procedures explained previously, such as hash functions and asymmetric algorithms, are used in combination. The essential prerequisite for digital signatures is that every user must be in possession of a secret, known only to him, with which he can generate a digital signature to be used with any files. It must then be possible to check this digital signature on the basis of public information.

In this sense, a digital signature is a special form of integrity protection with additional special features. A digital signature is an item of check information which is appended to a message or file, and which is associated with the following characteristics:

• A digital signature can be used to establish unambiguously who has created the signature.

• It is possible to check, with authentication, whether the file to which the digital signature was appended is identical to the file that was actually signed.

If therefore the digital signature can be verified on the basis of the publicly accessible information, on the one hand the integrity of the signed file is assured but at the same time non-repudiation is also established, because only the person to whom the digital signature can be unambiguously attributed can have generated this signature on the basis of his or her secret information. It must be borne in mind that different files also result in different digital signatures, and that even the smallest changes to files make signatures unverifiable.

Example: One widely used procedure for digital signatures is the reverse application of the RSA algorithm. In this, every user has a secret signing key known only to him or her. Verification key certificates, in which the matching public key and the details of the owner of the matching secret signing key are linked to each other in an unforgeable way, are publicly accessible. These certificates are issued by trustworthy bodies which have previously checked the personal details of the users.

To calculate and check a digital signature for any file, the procedure used is as follows:

• If it is certain that indeed only Alice possesses the secret key, Bob can be sure that the digital signature was generated by Alice, who is shown in the verification key certificate.

It should be emphasised that digital signatures only safeguard the objectives of integrity and non-repudiation, but in no way confidentiality. A digitally signed message is transmitted as plain text; if it is confidential, it must be encrypted in addition.

If a digitally signed file contains a declaration of intent from the signer, the declaration of intent can be attributed indisputably to the signer, if necessary even in a court of law, on the basis of the signature.

The verification key certificates that are used are in turn themselves files that are digitally signed by the trustworthy body; these can be checked in the same way, and provide information about the verification key and the person who holds the matching secret signing key.

It is worth noting the differences between MACs and digital signatures:

• A digital signature can be verified by anyone who is in possession of the verification key certificate, whereas MACs can only be verified by the parties who know the secret authentication key.

• Alice's digital signature on a message can only be created by Alice; the MAC value of a message, on the other hand, can be generated by both parties, Alice and Bob (and anyone else who knows the secret authentication key). It is therefore impossible for MACs to be used for the purpose of ensuring non-repudiation.

A law on digital signatures entered force for the Federal Republic of Germany in the form of Article 3 of the Information and Communication Services Act (Federal Law Gazette 1879, Part 1, 1997). This governs which security requirements have to be satisfied by the technical components that are used for digital signatures, and what tasks are to be performed by certification authorities which issue verification key certificates. In addition it governs how the required security of the components and certification authorities is to be checked. As a result, digital signatures conforming to the Signature law are accorded a high level of security, also in court.

Key management

Whenever encryption is used, the problem arises of ensuring appropriate management of the keys. The question is raised as to how the following tasks are performed throughout the lifecycle of the keys:

• Generation/initialisation

• Agreement/establishment

• Distribution/transport

• Changing/updating

• Storage

• Authentication/certification

• Recall

• Recovery in the event of destruction or loss

• Destruction/deletion

• Archiving

• Escrow (storage in trust)

Key management can, and usually does, also make use of cryptographic techniques. It must be performed for all of the crypto modules of a cryptographically based protection system. Secret keys must be protected against unauthorised disclosure, modification and replacement. Public keys must be protected against unauthorised modification and replacement. Appropriate key management is a necessary precondition if it is to be at all possible to protect information by cryptographic methods. Key management requires its own resources, dedicated specifically to this task.

Certification bodies

Trust centres or certification bodies are required whenever it is considered necessary to use asymmetric crypto algorithms for digital signatures or for encryption and the number of users has risen so much as to be difficult to manage. These procedures require a different key for signature generation or encryption than they do for signature checking or decryption. A pair of corresponding keys is generated for this purpose on a user-related basis. One key, known as the public key, is made known publicly. The other key, known as the private key, must be kept absolutely secret. A digital signature can be generated or a text encrypted with the private key - and only with that key - and the signature can be verified or the text decrypted with the associated public key - again, only with that key. In order to ascertain whether the public keys are genuine and to check that keys are reliably allotted to individuals, it is necessary to use the trust centres or certification bodies mentioned above, which confirm the attribution of a person to a public key by issuing a certificate.

Typically, the following tasks are undertaken at certification bodies such as these:

• Key generation: pairs of keys have to be generated for the certification body and, if appropriate, for users.

• Key certification: the user data, the corresponding public keys and other data are combined to form a certificate, which is digitally signed by the certification body.

• Personalisation: the certificate and, if appropriate, the public and private keys are transferred to a signature component (generally a chip card).

• Identification and registration: the users are identified and registered on presentation of an identification document.

• Directory service: certificates are held ready for retrieval in a public directory. In addition, the directory service must provide information on whether a certificate is blocked or not.

• Time stamp service: it may be necessary to trustworthyly link certain data to a point of time. To do this, the time is appended to the data and the result is digitally signed by the time stamp service.

Trust centres can also offer the safekeeping of keys as an additional service if it is intended to use the cryptographic keys for encryption. In order to ensure that encrypted data can still be accessed if a key is lost, the owner of the key (and no-one else) can be given a duplicate key, which is stored securely at the trust centre.

Key distribution centres

The security of symmetric encryption methods is dependent on whether the commonly used secret key is only known to the users who are authorised to access the protected information. In cases where it is necessary to protect stored data to which only the data's owners are supposed to have access, this is relatively easy to guarantee because these owners merely have to protect the key in such a way that unauthorised users are unable to access it.

The situation is different, however, if it is intended to use a symmetric encryption method to protect messages that are to be transmitted from a sender to a recipient via an insecure transmission medium. In this case the secret key must be available to both the sender and the recipient, i.e. there must be a possibility of engaging a protected exchange of information between the two parties. In practice this is often achieved by the encrypted distribution of communication keys through bodies known as key distribution centres (KDCs); this involves setting up entire hierarchies of keys that are mutually interdependent in security terms. The methods used in such instances are in some cases highly complex and are dependent on a large number of components for their security, in particular on the physical, organisational, staff-related and technical security of the KDCs and on the keys agreed for communication with the KDCs.

If a secret key becomes compromised, in other words if it becomes known to an unauthorised third party, the result is that the confidentiality of all data is lost if it has been encrypted with that key or if encryption of the data is dependent on the key. This is particularly critical if one of the central keys of a key distribution hierarchy has become compromised.

Use of cryptographic methods

Provided they are used properly, cryptographic methods are excellently suited to countering the following threats:

• Disclosure of information to unauthorised persons

• Deliberate manipulation of data by unauthorised persons

• Manipulation of the authorship of information

The use of cryptography alone, however, is not sufficient to ward off all threats.

• The use of cryptographic methods does not make any contribution to guaranteeing the availability of data (if encryption is used inappropriately, there is even a risk that data will be lost).

• Cryptographic methods cannot achieve anything against denial-of-service attacks (see also T 5.28 Denial of services). They may play a part in the early detection of such attacks, however.

• They also do not help to prevent the random corruption of information (for example as a result of noise), but they can make it possible to detect corruption retrospectively