An Introduction to Cryptography Jon Callas Chief Technology Officer and Chief Security Officer Rest Secured™ Release Information An Introduction to Cryptography. tember 2006. Copyright Information © 2008 by PGP Corporation. All Rights Reserved. Licensing and Patent Information The IDEA cryptographic cipher described in US patent number 5,214,703 is licensed from Ascom Tech AG. The CAST encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corpor- ation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. PGP Corpora- tion may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents. Trademarks PGP , the PGP logo, Pretty Good Privacy , and Pretty Good are all registered trademarks of PGP Corporation. All other registered and unregistered trademarks are the sole property of their respective owners. Acknowledgements The compression code in PGP software is by Mark Adler and Jean-Loup Gailly, used with permission from the free Info-ZIP implementation. Limitations The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation. Export Information Export of PGP software may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Industry and Security, US Department of Commerce, which restrict the export and re-export of certain products and technical data. About PGP Corporation PGP Corporation, a global security software company, is the leader in email and data encryption. Based on a d key management and policy infrastructure, the PGP ® Encryption Platform s the broadest set o ntegrated applications for enterprise data security. The platform enables ii organizations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, PDAs, network storage, FTP and bulk data transfers, and backups. PGP solutions are used by more than 30,000 enterprises, businesses, and governments worldwide, including 84 percent of the Fortune® 100 and 66 percent of the Fortune® Global 100, As a res- ult, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve reg- ulatory and audit compliance, and safeguard companies’ brands and reputations. Contact PGP Corporation at http://www.pgp.com or +1 650 319 9000. iii iv Contents 1 About This Book 1 Who Should Read This Book .................................. 1 Bricks Made of Mist ....................................... 1 Cryptography is Hard — And That Makes it Easy ...................... 1 Perfectly Hard or Hardly Perfect? ................................ 2 What is Cryptography, Anyway? ................................ 3 A History of This Book ..................................... 4 Special Thanks .......................................... 5 2 Why Cryptography is Important 7 Into the Breach: Horror Stories ................................. 7 Stolen Laptops ....................................... 8 Insecurely Protected Network Resources ......................... 9 A Few Words About Identity Theft ............................ 10 Laws and Regulations ...................................... 11 Privacy Regulations .................................... 11 Compliance Regulations .................................. 12 Breach Notification Regulations .............................. 13 Laws and Regulations Limiting Cryptography ......................... 13 3 An Inadequate History of Cryptography 15 Human Cryptography ...................................... 15 Machine Cryptography ...................................... 18 Computer Cryptography ..................................... 20 Public-Key Cryptography ................................. 20 The Rise of Standard Cryptography ........................... 22 The Advanced Encryption Standard ........................... 23 The Crypto Wars ...................................... 26 4 The Basics of Cryptography 29 Basic Components ........................................ 29 Participants and Variables ................................. 29 Random Numbers ..................................... 30 Keys ............................................. 30 Ciphers ........................................... 31 Block Sizes ..................................... 31 v CONTENTS Families of Public-Key Ciphers .......................... 33 The Factoring Family ............................... 33 The Logarithm Family ............................... 34 Key Sizes ...................................... 36 Unbreakable Ciphers or How Many Bits Are Enough? ............. 37 One-Time Pads, the Truly Unbreakable Encryption ............... 38 The Seduction of the One-Time Pad ....................... 39 Hash Functions ....................................... 41 Commonly Used Hash Functions ......................... 42 Difficulties with Hash Functions .......................... 42 Data Integrity Functions: MACs and Signatures ..................... 45 Certificates ......................................... 46 Why Certificates? ................................. 47 Trust and Authority .................................... 47 Direct Trust ..................................... 47 Hierarchical Trust ................................. 48 Cumulative Trust .................................. 48 Hybrids of the Trust Models ............................ 49 Certificate Dialects and Gory Details ........................... 49 Certificates and Certification ........................... 50 Putting it All Together—Constructing Ciphertext from Plaintext ........... 51 Taking It All Apart—Getting Plaintext from Ciphertext ................ 51 Going on from Here .................................... 52 5 The Future of Cryptography 53 From Noun to Adjective, From Syntax to Semantics ..................... 53 Social Expectations ..................................... 54 Digital Signatures and Semantics ................................ 54 Digital Signatures Aren’t Signatures ........................... 54 The Myth of Non-Repudiation .............................. 56 The Paradox of Stronger Keys .......................... 56 Signatures and Liability .................................. 57 A Real-Wold Semantic Shift ................................ 57 Cryptography and Reliability .................................. 59 The Rise of Hardware ...................................... 59 Rights Management ....................................... 60 Privacy-Enhancing Technologies ................................. 62 What Will Cause Little Change? ................................ 63 New Hash Functions .................................... 63 New Ciphers ........................................ 64 Encrypt+Authenticate Ciphers .......................... 64 New and Redesigned Ciphers ........................... 64 Elliptic Curve Cryptography ........................... 64 Bi-Linear Map Ciphers ............................... 65 Quantum Cryptography, or Perhaps Quantum Secrecy ................. 66 What Could Change the Course? ................................ 66 vi CONTENTS The Effect of Patents .................................... 66 Science-Fictional Technology ............................... 67 Legal Changes ....................................... 67 Additional Reading 69 vii CONTENTS viii Chapter 1 About This Book The right to privacy is protected under the Constitution in various ways. – United States Chief Justice John Roberts Who Should Read This Book Anyone should read this book who is interested in more than the what of the subject, but also the why and the how as well. This book is a basic explanation of the details, the terminology and technology behind cryptography in general and PGP software in specific. If you want to understand cryptography, this is a good place to start. Furthermore, this book has a lot of links to instructive web sites as well as many more sources to go to if you are interested. If you are reading this book in electronic PDF form, you can click the links in blue and they will take you to the reference. Bricks Made of Mist Cryptography is an important part of information technology. It is how we do things that would be straightforward with physical objects when we are working with systems that are nothing but information. If I send you a letter on paper, I can put it in an envelope so no one else can read it. I can sign it at the bottom. It gets a postmark that tells you a bit about where it came from. In business, we might exchange cards or I might show you a customer card that indicates a close relationship between us, such as a frequent customer card. The way we do these things on the Internet, talking privately or demonstrating relationships, is through the use of cryptography. Cryptography brings simple things in the concrete world into the virtual realm. Cryptography is assurance at a distance, privacy at