Information Security Technical Report, Vol. 2, No. 2 (1997) 10-13

0167-4048/97/$17.00 © 1997, Elsevier Science Ltd

Introduction to Cryptology

By Professor Fred Piper, Information Security Group, Royal Holloway, University of London

This article provides a general introduction to the subject of Cryptology, explains the terminology and the practical application of cryptographic security techniques.

In this brief introduction our aim is to define the basic terms, explain some of the fundamental concepts and highlight a few of the problems that arise when using encryption. In particular we stress that having a strong algorithm is no guarantee for security. Management and the establishment of trust are the two fundamental issues which concern those with responsibility for secure networks and, in particular, those who are trying to establish secure electronic commerce over the Internet.

Some basic concepts and definitions

The idea of a cipher system is to disguise confidential information in such a way that its meaning is unintelligible to an unauthorized person. The information to be concealed is called the plaintext (or just the message) and the operation of disguising it is known as enciphering or encryption. The enciphered message is called the ciphertext or cryptogram. The person who enciphers the message is known as the encipherer, while the person to whom they send the cryptogram is called the recipient or receiver. The set of rules which the encipherer uses to encipher his plaintext is the enciphering algorithm. Normally the operation of this algorithm will depend on an enciphering key k(E) which the encipherer inputs to the algorithm together with his message.

In order that the recipient can obtain the message from the cryptogram there has to be a deciphering algorithm which, when seeded by the appropriate deciphering key k(D), reproduces the plaintext from the ciphertext. This is shown diagrammatically by the following figure.

[Figure 1: diagram of a cipher system, showing the enciphering key k(E) and the deciphering key k(D)]

Figure 1

Even if they know the deciphering algorithm eavesdroppers will not, in general, know the deciphering key and it is this lack of knowledge which, it is hoped, will prevent them from knowing the plaintext. Cryptography is the science of designing cipher systems and cryptanalysis is the name given to the process of deducing the plaintext from the ciphertext without knowing the key. Cryptology is the collective term for both cryptography and cryptanalysis.

In practice most cryptanalytic attacks involve trying to determine the deciphering key because, if successful, the attacker will then have the same knowledge as the intended recipient and will be able to decipher all other communications until the key is changed. However, there may be instances where an attacker’s sole objective is to read a particular message.

One important fact should already be clear from our introduction: knowledge of the enciphering key is not necessary for obtaining the message from the ciphertext. This simple observation has had a dramatic impact on modern cryptology and has led to a natural division into two types of cipher systems.

A cipher system is called conventional or symmetric if it is easy to deduce the deciphering key k(D) from the enciphering
key k(E). However, if it is computationally infeasible to deduce k(D) from k(E) then the system is called asymmetric or a public key system. The reason for distinguishing between these two types of system should be clear. In order to prevent an interceptor with knowledge of the algorithm from obtaining the plaintext from intercepted ciphertext it is essential that k(D) should be secret. Whereas for a symmetric system this necessitates that k(E) should also be secret, if the system is asymmetric then knowledge of k(E) is of no practical use to the attacker. Indeed it can, and usually is, made public.

Although the statements made in the last paragraph may appear to be simple and self-evident, their consequences are far reaching. In Figure 2 our diagram assumes that the sender and recipient have a ‘matching pair’ of keys. It may, in practice, be quite difficult for them to reach this situation. If, for instance, the system is symmetric then there may be a need to distribute a secret key value before secret messages can be exchanged. The problem of providing adequate protection for these keys should not be underestimated. In fact, the general problem of key management, which includes key generation, distribution, storage, change and destruction, is one of the most difficult aspects of obtaining a secure system.

The problems associated with key management tend to be different for symmetric and asymmetric systems. If the system is symmetric then, as we have seen, there is a need to be able to distribute keys while keeping their values secret. If the system is asymmetric then it may be possible to avoid this particular problem by distributing only the enciphering keys, which do not need to be secret. However, it is then replaced by the problem of guaranteeing the authenticity of each participant’s enciphering key, i.e. of guaranteeing that the person using an enciphering key knows the identity of the ‘owner’ of the corresponding deciphering key.

When we were introducing the difference between symmetric and asymmetric systems we assumed that the attacker knew the algorithm. This, of course, will not always be true. Nevertheless, it is probably best for the designer of a cipher system to assume that any would-be attacker has as much knowledge and general ‘intelligence’ information as possible.

One of the main problems facing anyone wishing to design or implement a cipher system is how to assess whether or not the system is ‘secure enough’ for the particular implementation. In order to assess the security of a system it is customary to make the following three assumptions.

WC1 The cryptanalyst has a complete knowledge of the cipher system.

WC2 The cryptanalyst has obtained a considerable amount of ciphertext.

WC3 The cryptanalyst knows the plaintext equivalent of a certain amount of the ciphertext.

In any given situation it is, of course, necessary to quantify realistically what is meant by ‘considerable’ and ‘certain’. This will depend on the particular system under consideration.

Condition WC1 implies that there should be no reliance on keeping details of the cipher system secret. However, this does not imply that the system should be made public. Naturally the cryptanalyst’s task is considerably harder if he does not know the system used and it is now possible to conceal this information to a certain extent, although there is considerable debate about how much reliance can be placed on the tamper resistance of cryptographic devices such as smartcards. From any manufacturer’s or designer’s point of view, WC1 is an essential assumption, since it removes a great deal of
the ultimate responsibility involved in keeping a system secret.

WC2 is a reasonable assumption. If there is no possibility of interception then there is no need to use a cipher system. However, if interception is a possibility then, presumably, the communicators will not be able to dictate when the interception takes place and the safest option is to assume that all transmissions will be intercepted.

WC3 is also a realistic condition. The attacker might gain this type of information by observing traffic or making intelligent guesses. He might also even be able to choose the plaintext for which the ciphertext is known.

An attack which utilizes the existence of known plaintext/ciphertext pairs is called a known plaintext attack. If the plaintext is selected by the attacker then it is a chosen plaintext attack.

One consequence of accepting these worst case conditions is that we have to assume that the only information which distinguishes the genuine recipient from the interceptor is knowledge of k(D). Thus the security of the system is totally dependent on the secrecy of the deciphering key. This reinforces our earlier assertion about the importance of good key management.

We must stress that assessing the security level of a cipher system is not an exact science. All assessments are based upon assumptions, not only on the knowledge available to an attacker, but also on the facilities available to them. The best general principle is to assume the worst and/or err on the side of caution. It is also worth stressing that, in general, the relevant question is not “is this an exceptionally secure system?” but, rather, “is this system secure enough for this particular application?” This latter observation is very important and it must be recognized that there is a ‘market’ for low level security. For almost all non-military implementations the provision of security is a costly overhead. Furthermore, the addition of the security facilities frequently degrades the overall performance of the system. Thus there is a natural requirement to keep the security to a minimum. One common way of trying to determine the level of security required is to try to estimate the length of time for which the information needs protection. If we call this the desired cover time of the system then we have a crude indication of the security level required. For instance the cipher system suitable for a tactical network with a cover time of a few minutes may be considerably ‘weaker’ than that required for a strategic system where, as in the case of government secrets, the cover time may be tens of years.

If we assume that our deciphering algorithm is known then there is one obvious method of attack available to the interceptor. They could, at least in theory, try each possible deciphering key and ‘hope’ that they identify the correct one. Such an attack is called an exhaustive key search. Of course such an attack cannot possibly succeed unless the attacker has some way of recognizing the correct key or, as is more common, at least being able to eliminate some obviously incorrect ones. In a known plaintext attack, for instance, it is clear that any choice of k(D) which does not give the correct plaintext for all the corresponding ciphertext cannot possibly be the correct key.

Uses of cryptography

In the introductory section we assumed that cryptography was being used to provide secrecy. Although this is its ‘traditional’ use it is no longer its only application. In fact, it is probably true to say the provision of secrecy is no longer its main purpose.
When messages are sent over open networks there may not be any need for confidentiality, but the user is likely to need assurance that the message received has not been altered during transmission. Furthermore, they will also need to be confident that they know the identity of the sender. Cryptography may be used to provide these assurances.

This is an appropriate place to point out a fundamental difference between the use of symmetric and asymmetric algorithms. If a symmetric algorithm is used then the receiver and sender share the same secret key and it is the use of this secret key that identifies them to each other and provides the assurances about the integrity of the data and the identity of the sender. Provided that they remain the only two people who know the secret key then they have protection against all third parties. However, they have no protection from each other. Either one of them could use the secret key and claim that the other must be responsible. Thus symmetric systems are only appropriate when the two parties trust each other. If two parties need protection from each other, in the sense that, say, the sender should not be able to deny sending a particular message, then there must be some form of asymmetry between them. In this case data integrity and user authentication are provided by the use of a digital signature, which is a cryptographic checksum added by the sender but with the property that only the sender could have computed it. In most circumstances any third party, e.g. a judge, will be able to verify that the checksum was computed by the actual sender.

Public key systems tend to use arithmetic processes involving very large numbers and, as a result, are usually significantly slower than symmetric algorithms. Thus they tend not to be used for encrypting large passages of text. The two main uses of public key systems are the provision of digital signatures and as key encrypting keys to distribute keys for symmetric systems. In each case an attacker has two different methods of attacking the system. One is to obtain the relevant secret key. This might be achieved by computing the secret key from the public key or by obtaining a device which stores and/or uses that key. (The computation attack is prevented by using suitably large keys and relying on the infeasibility of the attacker successfully completing the necessary calculations. Attacks which involve the misuse of devices must be thwarted by good management and/or the use of suitably tamper resistant devices.) The other attack is to substitute a public key for the genuine one. If the public key system is being used to encrypt a symmetric key then, since the attacker’s key has been used for the encryption, it will be the attacker and not the intended recipient who obtains the symmetric key. If the public key system is being used to provide digital signatures then, clearly, the attacker can forge the signature of the genuine signer.

This last paragraph highlights the need for being able to guarantee the authenticity of public keys. This is not an easy problem and most solutions involve the use of a trusted third party, called a Certification Authority (CA), which digitally signs a certificate which binds the identity of the key owner to the value of the public key. Anyone who has an authentic copy of the CA’s public key, and has confidence that the CA will have checked the key owner’s credentials, will then be able to confirm the authenticity of the public key by checking the CA’s signature. These certificates can also be used to verify a user’s identity by issuing a challenge which they must encrypt using their secret key. The issuer of the challenge can use the public key value in the certificate to decrypt the response and, if the answer is correct, knows that the response must have come from the user identified in the certificate. Of course the problem now is ensuring that we can have confidence in the CA and be sure that we have an authentic copy of that CA’s public key.
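The certificate check and challenge-response just described, as an added example that is not part of the article: a toy model using textbook RSA with small fixed primes, in which the CA signs a certificate binding a name to a public key, a relying party holding an authentic copy of the CA's public key verifies it and so detects a substituted key, and the same certificate is used to check a challenge answered with the user's secret key. The names, the primes, and the certificate format are constructed for illustration; the primes are far too small for real use and real signature schemes add padding that is omitted here.

```python
# Added example, not from the article: toy CA certificates over textbook RSA.
# Primes of about 10^6 are used so the arithmetic is visible; they offer no
# security and would be factored instantly.
import hashlib

def toy_rsa_key(p: int, q: int, e: int = 65537):
    """Return (public k(E), secret k(D)) for the toy modulus n = p*q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data: bytes, n: int) -> int:
    # The hash is reduced modulo n so the toy modulus can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, k_d) -> int:
    """Sign with the secret key: the article's 'encrypt with the secret key'."""
    n, d = k_d
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, k_e) -> bool:
    n, e = k_e
    return pow(sig, e, n) == digest(data, n)

def cert_bytes(name: str, k_e) -> bytes:
    # Constructed certificate body: the identity bound to the public key value.
    n, e = k_e
    return f"{name}|{n}|{e}".encode()

def issue_certificate(name: str, k_e, ca_k_d) -> dict:
    """The CA signs the binding between name and public key."""
    return {"name": name, "key": k_e, "sig": sign(cert_bytes(name, k_e), ca_k_d)}

def check_certificate(cert: dict, ca_k_e) -> bool:
    """A relying party with an authentic CA public key checks the CA's signature.
    A certificate whose key has been substituted fails this check."""
    return verify(cert_bytes(cert["name"], cert["key"]), cert["sig"], ca_k_e)

def challenge_response_ok(cert: dict, response: int, challenge: bytes, ca_k_e) -> bool:
    """The challenge issuer verifies the certificate, then uses the public key
    it carries to check the response; only the holder of k(D) could answer."""
    return check_certificate(cert, ca_k_e) and verify(challenge, response, cert["key"])
```

Everything still rests on the relying party holding an authentic copy of the CA's public key, exactly the residual problem the article closes on.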