Cryptographic algorithms
A chain is only as secure as its weakest link: the stronger that link, the stronger the chain. A good cryptosystem must have its algorithm, protocol, keys, and everything else thoroughly tested. If the cryptographic algorithm is strong enough but the random number generator used to create the keys is poor, any experienced cryptanalyst will look at the generator first. Suppose the generator is improved, but the computer's memory is not cleared after the generated key has been held in it; then such security is still worthless. And if a strong cryptographic algorithm and truly random keys are used, carefully erased from the computer's memory after use, but before encryption a file containing your entire income for the current year, along with your address and surname, was mistakenly emailed to the tax office, then why on earth did you need a strong algorithm, random keys, and a memory wipe?!
A cryptographer is not to be envied: in the cryptosystem he designs, he must provide protection against absolutely every type of attack that the fevered imagination of a cryptanalyst can come up with. The cryptanalyst, on the contrary, only needs to find a single weak link in the chain of cryptographic protection and mount an attack against that link alone.
In addition, it should be borne in mind that in practice the threat to the information security of any object does not come only from the cryptanalyst. After all, no matter how long the cryptographic key you use to encrypt files is, if law enforcement agencies need to know what is stored on your computer, they will simply install a camera and meticulously record everything that appears on the screen. It is not for nothing that, according to NSA officials, most failures in ensuring information security occur not because of weaknesses in cryptographic algorithms and protocols, but because of blatant oversights in their implementation. No matter how strong a cryptographic algorithm is, a successful attack against it does not have to overcome that strength head-on; it can simply bypass it in some roundabout way. However, good cryptographic algorithms should not be neglected either, lest cryptography become the weakest link in the chain, the one that will not withstand the attacker's pressure.
How to choose a good cryptographic algorithm?
When it comes to choosing a good cryptographic algorithm, the person choosing usually has several options:
• You can use a well-known algorithm, published relatively long ago in a special edition on cryptographic problems. If no one has yet reported that they have managed to crack this algorithm, then it is worth paying attention to.
• You can trust a well-known company that specializes in selling encryption tools. It is unlikely that this company will risk its good name by selling weak cryptographic algorithms.
• You can contact an independent expert. Most likely, he will be able to objectively assess the advantages and disadvantages of various cryptographic algorithms.
• You can contact the relevant government department for support. It is unlikely that the government will mislead its citizens by giving them false advice about the strength of a particular cryptographic algorithm.
• You can try to create your own cryptographic algorithm. Few people are interested in deceiving themselves. Who knows: what if you have outstanding abilities in the field of cryptography?
All of the above options have their own significant drawbacks. Relying on just one company, one expert, or one agency is not entirely reasonable. Many people who call themselves independent experts know little about cryptography. Most companies that produce encryption tools are no better. The NSA and FAPSI employ the best cryptographers in the world, but for obvious reasons they are in no hurry to share their secrets with the first person they meet. Or with the second person, for that matter. And even if you are a genius in cryptography, it is foolish to use a cryptographic algorithm of your own invention without having it thoroughly analyzed and tested by experienced cryptologists.
Therefore, the first of the listed options seems to be the most preferable. This approach to assessing the strength of cryptographic algorithms could be considered ideal if not for one of its shortcomings.
Unfortunately, nothing is known about the results of the cryptanalytic research on these algorithms that was undoubtedly conducted in the past, and continues to be conducted throughout the world, by the numerous employees of the various government departments whose remit includes cryptological research. These departments are most likely far better funded than the academic institutions conducting similar research, and they began to study cryptology much earlier than scientists without military ranks and specialists from private firms. It can therefore be assumed that the military have found much simpler ways of breaking known ciphers than those invented outside the strictly guarded buildings of top-secret government departments.
Be that as it may, even if you are arrested and your hard drive with DES-encrypted files is confiscated as evidence, it is unlikely that government cryptanalysts will show up in court to swear that the evidence for your indictment was obtained by decrypting the confiscated files. The fact that a particular cryptographic algorithm can be broken is often a much bigger secret than the information obtained by breaking it.
The best assumption is that the NSA, FAPSI, and the like can read any message they want to read. However, these agencies are not able to read all the messages they want to read. The main reason is the limited resources allocated by the government for cryptanalysis. Another reasonable assumption is that it is much easier for the competent authorities to gain access to encrypted information by brute physical force than by elegant but very labor-intensive mathematical calculations that lead to breaking the cipher.
In any case, it is much more reliable to use a known cryptographic algorithm that was invented quite a long time ago and that has managed to withstand numerous attempts to break it by reputable cryptologists.
Cryptographic Algorithms Intended for Export
Currently, personal computer users have the opportunity to use encryption algorithms built into various software products. It is enough to purchase, for example, the Word text editor, or the Windows NT and Netware operating systems, or the Excel spreadsheet editor. All of these software products have one more common feature, in addition to the presence of built-in encryption algorithms. They are made in the United States, and before they begin to sell them abroad, American manufacturers must obtain permission from their government to export them outside the United States.
It is widely believed that no cryptographic algorithm that is allowed for export from the United States is strong enough to be unbreakable by NSA cryptanalysts. It is believed that companies that want to sell their products abroad that allow data encryption are, at the insistence of the NSA, reworking the cryptographic algorithms they use so that
• from time to time individual bits of the key are mixed into the ciphertext;
• the key is only 30 bits long instead of the officially stated 100 bits, since most keys are equivalent;
• a fixed header is inserted at the beginning of each encrypted message to facilitate a cryptanalytic attack with knowledge of the plaintext;
• any encrypted message contains a piece of random plaintext together with its corresponding ciphertext.
The source code of the encryption programs is handed over to the NSA for safekeeping, and outside this top-secret agency access to it is tightly restricted. Naturally, neither the NSA nor the American companies that have received its permission to export their encryption tools are interested in advertising the weaknesses of the cryptographic algorithms underlying these tools.
Therefore, it is advisable to exercise great caution if you are going to protect your data using US encryption programs that are approved by the US government for export outside the country.
Symmetric or Asymmetric Cryptographic Algorithm?
Which algorithm is better — symmetric or asymmetric? The question is not entirely correct, since it assumes the use of the same criteria when comparing cryptosystems with a secret and public key. And such criteria do not exist.
However, the debate about the advantages and disadvantages of the two main types of cryptosystems has been going on since the invention of the first public key algorithm. It is noted that symmetric cryptographic algorithms have a shorter key length and work faster than asymmetric ones.
However, according to one of the inventors of public key cryptosystems, the American cryptologist W. Diffie, they should not be considered as some completely new type of universal cryptosystem.
Public key cryptography and secret key cryptography are "two very different things"; they are designed to solve completely different information security problems. Symmetric cryptographic algorithms are used to encrypt data; they work several orders of magnitude faster than asymmetric ones. However, public key cryptography also has areas of application where secret key cryptography is of no use at all: key management and numerous cryptographic protocols.
Encryption in communication channels of a computer network
One of the distinguishing characteristics of any computer network is its division into so-called layers, each of which is responsible for observing certain conditions and performing the functions needed for communication between the computers connected to the network. This division into layers is fundamental to building standard computer networks. Therefore, in 1984, several international organizations and committees joined forces and developed a reference model of a computer network, known as OSI (Open Systems Interconnection).
OSI separates communication functions into layers. Each layer operates independently of the layers below and above it: it can communicate directly only with its two adjacent layers and is completely isolated from direct access to the rest. The OSI model distinguishes seven layers: the top three serve communication with the end user, and the bottom four are focused on performing communication functions in real time.
In theory, encryption of data for transmission over the communication channels of a computer network can be performed at any layer of the OSI model. In practice, it is usually done either at the lowest or at the highest layers. If data is encrypted at the lowest layers, the encryption is called channel encryption; if it is performed at the highest layers, it is called end-to-end encryption. Both approaches have their advantages and disadvantages.
Channel encryption
With channel encryption, absolutely all data passing through each communication channel is encrypted, including the plaintext message, as well as information about its routing and the communication protocol used (Fig. 1). However, in this case, any intelligent network node (for example, a switch) will be forced to decrypt the incoming data stream in order to process it accordingly, and encrypt it again in order to transmit it to another network node.
Fig. 1. Channel encryption
Nevertheless, channel encryption is a very effective means of protecting information in computer networks. Since all data moving from one network node to another is subject to encryption, the cryptanalyst has no additional information about who is the source of the transmitted data, who it is intended for, what its structure is, and so on. And if you also take care to transmit a random bit sequence over the channel while it is idle, an outside observer will not even be able to tell where the text of the transmitted message begins and ends.
Working with keys is not too complicated either. Only two neighboring nodes of the communication network should be provided with the same keys, which can then change the keys used independently of other pairs of nodes.
The biggest drawback of channel encryption is that data must be encrypted as it travels across each physical channel in a computer network. Sending unencrypted information over any one channel compromises the security of the entire network. As a result, the cost of implementing channel encryption in large networks can be prohibitive.
In addition, when using channel encryption, it will be necessary to additionally protect each node of the computer network through which the data transmitted over the network passes. If the network subscribers completely trust each other and each node is located in a place protected from intruders, this disadvantage of channel encryption can be ignored. However, in practice, such a situation is extremely rare. After all, every company has confidential data that can only be accessed by employees of one specific department, and outside of it, access to this data must be limited to a minimum.
End-to-end encryption
With end-to-end encryption, the cryptographic algorithm is implemented at one of the upper layers of the OSI model. Only the content of the message that needs to be transmitted over the network is subject to encryption. After encryption, service information necessary for routing the message is added to it, and the result is forwarded to lower layers for sending to the addressee.
Now the message does not need to be constantly decrypted and encrypted when passing through each intermediate node of the communication network. The message remains encrypted all the way from the sender to the recipient (Fig. 2).
Fig. 2. End-to-end encryption
The main problem faced by users of computer networks where end-to-end encryption is used is that the service information used to route messages is transmitted over the network in unencrypted form. An experienced cryptanalyst can extract a lot of useful information for himself by knowing who, with whom, for how long and at what time communicates over a computer network. To do this, he does not even need to be aware of the subject of communication.
Compared to channel encryption, end-to-end encryption is characterized by more complex key handling, since each pair of users in a computer network must be provided with identical keys before they can communicate with each other. In addition, since the cryptographic algorithm is implemented at the upper layers of the OSI model, one must also deal with many significant differences in communication protocols and interfaces depending on the types of computer networks and computers connected to the network. All this complicates the practical application of end-to-end encryption.
Combined encryption
The combination of channel and end-to-end encryption of data in a computer network is significantly more expensive than channel or end-to-end encryption separately. However, this approach allows the best protection of data transmitted over the network. Encryption in each communication channel does not allow the enemy to analyze the service information used for routing. And end-to-end encryption reduces the likelihood of access to unencrypted data in network nodes.
With combined encryption, the keys are handled separately: network administrators are responsible for the keys used for channel encryption, while users themselves are responsible for the keys used for end-to-end encryption.
File encryption
At first glance, file encryption can be regarded simply as the encryption of messages whose sender and recipient are the same person, with one of the computer's storage devices (a magnetic or optical disk, magnetic tape, RAM) as the transmission medium. However, things are not as simple as they seem at first glance.
When transmitted over a communication channel, a message has little value. If it gets lost on the way from the sender to the recipient, you can try to transmit it again. When encrypting data intended for storage in the form of computer files, things are completely different. If you are unable to decrypt your file, you are unlikely to succeed on the second, third, or even hundredth try. Your data is lost once and for all. This means that when encrypting files, special mechanisms must be provided to prevent errors in the ciphertext.
Cryptography helps turn big secrets into small ones. Instead of trying unsuccessfully to remember the contents of a huge file, a person only needs to encrypt it and remember the key used for this purpose. If the key is used to encrypt a message, then it only needs to be at hand until the message reaches its addressee and is successfully decrypted. Unlike messages, encrypted files can be stored for years, and during this entire time it is necessary to remember and keep secret the corresponding key.
There are other features of file encryption that must be remembered regardless of the cryptographic algorithm used for this purpose:
• often after encrypting a file, its unencrypted copy is safely forgotten on another magnetic disk, on another computer, or in the form of a printout made on a printer;
• the block size in a block encryption algorithm can significantly exceed the size of a single portion of data in a structured file, as a result of which the final length of the encrypted file will be much longer than the length of the original file;
• the speed of file encryption using the cryptographic algorithm selected for this purpose must correspond to the speeds at which input/output devices of modern computers operate;
• working with keys is quite a tricky business, since different users usually need to have access not only to different files, but also to individual parts of the same file.
If the file is a single entity (e.g., contains a piece of text), restoring the file to its original form will not require much effort: it will be enough to decrypt the entire file before use. However, if the file is structured (e.g., divided into records and fields, as is done in databases), then decrypting the entire file every time you need to access a separate portion of data will make working with such a file extremely inefficient. And if portions of data in a structured file are individually encrypted, it will make it vulnerable to an attack in which an intruder finds the desired portion of data in the file and replaces it with another at his own discretion.
A user who wants to encrypt every file on a computer's hard drive has two options. If he uses one key to encrypt all files, he will subsequently be unable to restrict access to individual files by other users. In addition, the cryptanalyst will end up with a significant amount of ciphertext obtained on one key, which will make it much easier for him to crack that key.
It is better to encrypt each file with a separate key, and then encrypt all keys with a master key. This will save users the hassle of organizing the secure storage of a large number of keys. Access control for groups of users to different files will be achieved by dividing the set of all keys into subsets and encrypting these subsets with different master keys. The security of such a cryptosystem will be significantly higher than in the case of using a single key to encrypt all files on a hard drive, since the keys used to encrypt files can be made more random and, therefore, more resistant to a dictionary attack.
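The per-file key hierarchy described above, as an added example that is not from the original text: every file gets its own random key, file keys are wrapped under a group master key, and a master key from another group fails to open the file. The seal/open_sealed cipher is a stand-in built from SHA-256 and HMAC so the example runs with the standard library alone; a real store would use AES-GCM or another vetted authenticated cipher, and the group and file names are constructed.

```python
import hashlib
import hmac
import os


# Stand-in cipher so the example runs with the standard library only (assumption:
# a real store would use AES-GCM or another vetted authenticated cipher instead).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag lets a wrong key be detected
    instead of silently producing garbage."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt; raise ValueError on mismatch."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted data")
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class EncryptedStore:
    """One random key per file; each file key is wrapped under the master key of
    the group that is allowed to read that file."""

    def __init__(self):
        self.master_keys = {}  # group -> master key (held by that group's users)
        self.files = {}        # file name -> sealed contents
        self.wrapped = {}      # file name -> (group, file key sealed under master key)

    def add_group(self, group: str) -> bytes:
        self.master_keys[group] = os.urandom(32)
        return self.master_keys[group]

    def store(self, name: str, group: str, data: bytes) -> None:
        file_key = os.urandom(32)  # random, not derived from any password
        self.files[name] = seal(file_key, data)
        self.wrapped[name] = (group, seal(self.master_keys[group], file_key))

    def read(self, name: str, master_key: bytes) -> bytes:
        group, wrapped_key = self.wrapped[name]
        file_key = open_sealed(master_key, wrapped_key)  # fails for another group's key
        return open_sealed(file_key, self.files[name])

    def can_read(self, name: str, master_key: bytes) -> bool:
        try:
            self.read(name, master_key)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    store = EncryptedStore()
    finance = store.add_group("finance")
    hr = store.add_group("hr")
    store.store("income.xls", "finance", b"annual income: 1,250,000")
    print(store.read("income.xls", finance))
    print("hr can read finance file:", store.can_read("income.xls", hr))
```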
Hardware and software encryption
Hardware encryption
Most cryptographic data protection tools are implemented as specialized hardware devices. These devices are built into the communication line and encrypt all information transmitted over it. The prevalence of hardware encryption over software is due to several reasons.
First, hardware encryption is faster. Cryptographic algorithms consist of a huge number of complex operations performed on plaintext bits. Modern general-purpose computers are poorly suited to perform these operations efficiently. Specialized hardware can do them much faster.
Secondly, it is easier to physically protect the hardware from outside penetration. A program running on a personal computer is practically defenseless. Armed with a debugger, an intruder can secretly make changes to it in order to reduce the strength of the cryptographic algorithm used, and no one will notice anything. As for the hardware, it is usually placed in special containers that make it impossible to change its operating scheme. The chip is covered with a special chemical composition on top, and as a result, any attempt to overcome the protective layer of this chip leads to self-destruction of its internal logical structure. And although electromagnetic radiation can sometimes serve as a good source of information about what is happening inside the chip, this radiation can be easily eliminated by shielding the chip. A computer can be shielded in a similar way, but this is much more difficult to do than in the case of a miniature chip.
And thirdly, encryption hardware is easier to install. Very often encryption is required where additional computer hardware is completely unnecessary. Telephones, fax machines and modems are much cheaper to equip with hardware encryption devices than to build microcomputers with the appropriate software into them.
Even in computers, installing specialized encryption equipment creates fewer problems than upgrading system software to add data encryption functions. Ideally, encryption should be done unnoticed by the user. To achieve this using software, encryption must be hidden deep in the bowels of the operating system. It is not so easy to do this painlessly with a ready-made and debugged operating system. But even any non-professional can connect the encryption unit to a personal computer on one side and to an external modem on the other.
The modern market of hardware for data encryption offers potential buyers three types of such devices — self-sufficient encryption modules (they independently perform all the work with keys), encryption units in communication channels and encryption expansion cards for installation in personal computers. Most devices of the first and second types are highly specialized, and therefore, before making a final and irrevocable decision to purchase them, it is necessary to thoroughly study the restrictions that these devices impose on the corresponding hardware, operating systems and application software during installation. Otherwise, you can throw money down the drain, not getting any closer to the desired goal. True, sometimes the choice is made easier by the fact that some companies sell communication equipment that already has pre-installed data encryption equipment.
Expansion cards for personal computers are a more general-purpose means of hardware encryption and can usually be easily configured to encrypt all information written to the computer's hard drive, as well as all data sent to its floppy disk and serial ports. EMI protection is typically not included in encryption expansion cards, since there is no point in protecting these cards unless similar measures are taken with respect to the entire computer.
Software Encryption
Any cryptographic algorithm can be implemented as a corresponding program. The advantages of such an implementation are obvious: encryption software is easy to copy, it is simple to use, and it is not difficult to modify it to meet specific needs.
All common operating systems have built-in file encryption tools. They are usually designed to encrypt individual files, and the user is entirely responsible for handling the keys. Therefore, using these tools requires special attention: firstly, keys should never be stored on disk together with files encrypted with them, and secondly, unencrypted copies of files must be erased immediately after encryption.
Of course, an intruder can get into a computer and make unwanted changes to the encryption program without being noticed. However, this is not the main problem. If an intruder is able to get into the room where the computer is installed, he is unlikely to tinker with the program, but will simply install a hidden camera in the wall, a listening device in the phone, or a sensor to retransmit electromagnetic radiation to the computer. After all, if the intruder can do all this without hindrance, the battle with him is already lost before it even begins.
Compression and encryption
Data compression algorithms are very well suited for use in conjunction with cryptographic algorithms. There are two reasons for this:
• When cracking a cipher, a cryptanalyst relies most on the redundancy inherent in any plaintext. Compression helps to get rid of this redundancy.
• Encrypting data is a very labor-intensive operation. Compression reduces the length of the plaintext, thereby reducing the time that would be spent on encrypting it.
You just need to remember to compress the file before it is encrypted, not after. Once a file has been encrypted with a high-quality cryptographic algorithm, the resulting ciphertext cannot be compressed, since its characteristics will be close to those of a completely random sequence of letters. Incidentally, compression can serve as a kind of test of the quality of a cryptographic algorithm: if the ciphertext can be compressed, it is better to replace the algorithm with a more advanced one.
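An added example (not from the original text) of the compression test just described, using a constructed, highly redundant plaintext: a repeating-key XOR stand-in for a weak cipher leaves ciphertext that still compresses, a one-time pad from os.urandom does not, and compressing before encrypting rather than after is what actually shrinks the output.

```python
import os
import zlib


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated cyclically (a one-time pad if the key is as long as the data)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def compression_ratio(data: bytes) -> float:
    """Compressed length over original length; a value near 1.0 means the data looks random."""
    return len(zlib.compress(data, 9)) / len(data)


# Constructed, highly redundant plaintext (assumption: stands in for a real document).
PLAINTEXT = (
    b"Income for the year: 1,250,000 rubles. Address: 12 Lenin St. Surname: Ivanov.\n" * 50
)


def weak_encrypt(plaintext: bytes) -> bytes:
    # Repeating 4-byte key: the ciphertext inherits the plaintext's periodic structure.
    return xor_bytes(plaintext, b"\x4b\x65\x79\x21")


def otp_encrypt(plaintext: bytes) -> tuple:
    # One-time pad: a fresh random key as long as the message.
    key = os.urandom(len(plaintext))
    return xor_bytes(plaintext, key), key


def demo() -> dict:
    """Compressibility of plaintext and of the two ciphertexts, plus the effect of ordering."""
    weak_ct = weak_encrypt(PLAINTEXT)
    otp_ct, _ = otp_encrypt(PLAINTEXT)
    compressed_then_encrypted, _ = otp_encrypt(zlib.compress(PLAINTEXT, 9))
    return {
        "plaintext": compression_ratio(PLAINTEXT),
        "weak_cipher": compression_ratio(weak_ct),      # still compressible: weak
        "otp_cipher": compression_ratio(otp_ct),        # ~1.0: incompressible
        "compress_then_otp": len(compressed_then_encrypted),
        "otp_then_compress": len(zlib.compress(otp_ct, 9)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```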
How to hide one ciphertext in another
Let's assume that two hypothetical individuals named Anton and Boris exchanged encrypted messages for several months. Counterintelligence intercepted all of these messages, but was unable to read a single word. Counterintelligence agents got tired of collecting Anton and Boris's correspondence without knowing its contents, and they decided to arrest the suspicious couple. The very first interrogation began with the words:
«Where are the keys to the cipher?»
«To what cipher?!»
Anton and Boris exclaimed in unison, but then stopped short and turned pale, noticing on the investigator's desk a pair of sinister-looking pliers, covered in spots of either rust or blood.
Anton and Boris could get out of this situation if they encrypted each of their messages so that it could be decrypted in two different ways, depending on the key used. Anton could encrypt his real secret message to Boris with one key, and the completely innocent plaintext with another. Now, if Anton is asked for the key to the cipher, he will give a dummy key that will allow the completely innocent message to be read, and he will keep the key to the real message a secret.
The easiest way to do this involves a one-time pad. Let P be the real plaintext, D the innocent plaintext, C the ciphertext, K the real key, K' the dummy key, and ⊕ bitwise addition modulo 2. Anton encrypts P:
P ⊕ K = C.
Since Boris has a copy of K, he can easily decrypt Anton's message:
C ⊕ K = P.
If counterintelligence tries to force Anton and Boris to reveal the key they are using, instead of K they can report to counterintelligence:
K' = C ⊕ D.
As a result, counterintelligence agents will be able to read the innocent plaintext:
C ⊕ K' = D.
Since Anton and Boris use a one-time pad, K is completely random, and it is almost impossible to prove that K' is a fake key (without resorting to torture).
Anton could also have encrypted P not with a one-time pad but with any of his favorite cryptographic algorithms and the key K. By adding C modulo 2 to a segment of some well-known work (for example, an excerpt from the second chapter of Dostoevsky's The Idiot), Anton obtains K'. Now, if Anton is pestered by the counterintelligence "uncles", he will show them C along with K' and say that K' is a one-time pad for C and that he simply wanted to practice cryptography by encrypting a passage from the first book he came across. And until the counterintelligence agents get their hands on the key K, they will not be able to prove that Anton was doing anything illegal.
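The two-key construction above worked through in code, as an added example not taken from the original; it covers both the one-time-pad case and the any-cipher variant from the last paragraph. The real and innocent messages are constructed, and the innocent text is padded with spaces to the length of the real one, since K' = C ⊕ D requires equal lengths.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 of two equal-length byte strings (the ⊕ above)."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_to(text: bytes, length: int) -> bytes:
    """Pad the cover text with spaces so it matches the real message's length."""
    if len(text) > length:
        raise ValueError("cover text is longer than the real message")
    return text.ljust(length, b" ")


def prepare_deniable_message(real: bytes, innocent: bytes) -> tuple:
    """Return (C, K, K'): C = P ⊕ K with K truly random, and K' = C ⊕ D so that
    C ⊕ K' = D. Because K is uniform, K' is uniform too and cannot be told apart
    from a real pad by inspection."""
    d = pad_to(innocent, len(real))
    k = os.urandom(len(real))    # one-time pad: fresh, never reused
    c = xor_bytes(real, k)       # P ⊕ K = C
    k_dummy = xor_bytes(c, d)    # K' = C ⊕ D
    return c, k, k_dummy


def cover_pad_for_any_cipher(ciphertext: bytes, cover_text: bytes) -> bytes:
    """Variant from the last paragraph: C came from any cipher under K, and
    K' = C ⊕ (well-known text) makes C look like a one-time-pad encryption of
    that text."""
    return xor_bytes(ciphertext, pad_to(cover_text, len(ciphertext)))


def decrypt(c: bytes, key: bytes) -> bytes:
    return xor_bytes(c, key)     # C ⊕ K = P, C ⊕ K' = D


if __name__ == "__main__":
    # Constructed messages for the demonstration.
    c, k, k_dummy = prepare_deniable_message(
        b"meet at the old bridge at midnight", b"happy birthday, dear Boris!"
    )
    print(decrypt(c, k))
    print(decrypt(c, k_dummy))
```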