This is a concise yet extensive question and response summary of cryptography. Everything from the basic ‘what is cryptography? to ‘what does KEK mean?’ is covered. It enables you to understand the topic and is a handy reference guide for everyday use. The following samples help to illustrate the depth and quality of this offering:
Table of Contents Page 1:
|FAQ1||What is cryptography?||5|
|FAQ2||What is cryptanalysis?||5|
|FAQ3||What is cryptology?||5|
|FAQ4||What is secret-kev cryptography?||6|
|FAQ5||What is public-key cryptography?||6|
|FAQ6||What is DES?||7|
|FAQ7||What is RSA?||8|
|FAQ8||How secure is DES?||9|
|FAQ9||How secure is RSA?||10|
|FAQ10||When should I use DES?||11|
|FAQ11||When should I use RSA?||12|
|FAQ12||What is MDS?||13|
|FAQ13||What is SHA-1?||13|
|FAQ14||What is HMAC?||13|
|FAQ15||What is a digital signature?||14|
|FAQ16||What is ECB mode?||15|
|FAQ17||What is CBC mode?||16|
|FAQ18||What is CFB mode?||16|
|FAQ19||What is OFB mode?||17|
|FAQ20||What is a MAC?||18|
|FAQ21||What is key parity?||19|
|FAQ22||What is kev tagging?||19|
|FAQ23||What is a control vector?||19|
|FAQ24||What is a key type?||20|
|FAQ25||What is an HSM?||21|
|FAQ26||What is EMV?||22|
|FAQ27||What is a PIN Block?||22|
|FAQ28||What is a rolling MAC?||22|
|FAQ29||What is a key check value?||23|
|FAQ30||What is a kev?||24|
|FAQ31||What is a key pair?||24|
|FAQ32||What is a key component?||25|
|FAQ33||What is a working key?||26|
|FAQ34||What is a KEK?||27|
|FAQ35||What is a KTK?||28|
|FAQ36||What is an LMK?||28|
|FAQ37||What is a key variant?||29|
|FAQ38||What is a key offset?||30|
|FAQ39||What is a derived key?||30|
|FAQ40||What is an ICV?||31|
|FAQ41||What is a one-time pad?||31|
|FAQ42||What is a stream cipher?||31|
|FAQ43||What is a substitution cipher?||32|
|FAQ44||How often should kevs be changed?||33|
|FAQ45||What is a key distribution centre?||34|
|FAQ46||What is a certification authority?||35|
FAQS6: What is DES?
DES (the Data Encryption Standard) is a symmetric block cipher developed by IBM. The algorithm uses a 56-bit key to encipher’decipher a 64-bit block of data. The key is always presented as a 64-bit block, every 8* bit of which is ignored. However, it is usual to set each 8* bit so that each group of 8 bits has an odd number of bits set to 1.
The algorithm is best suited to implementation in hardware, probably to discourage implementations in software, which tend to be slow by comparison. However, modern computers are so fast that satisfactory software implementations are readily available.
DES is the most widely used symmetric algorithm in the world. despite claims that the key length is too short. Ever since DES was first announced, controversy has taged about whether 56 bits is long enough to guarantee security.
The key length argument goes like this. Assuming that the only feasible attack on DES is to try each key in turn until the right one is found, then 1,000,000 machines each capable of testing 1,000,000 keys per second would find (on average) one key every 12 hours. Most reasonable people might find this rather comforting and a good measure of the strength of the algorithm.
Those who consider the exhaustive key-search attack to be a real possibility (and to be fair the technology to do such a search is becoming a reality) can overcome the problem by using double or triple length keys. In fact, double length keys have been recommended for the financial industry for many years.
Use of multiple length keys leads us to the Triple-DES algorithm, in which DES is applied three times. If we consider a triple length key to consist of three 56-bit keys K1, K2, K3 then encryption is as follows:
- Encrypt with K1
- Decrypt with K2
- Encrypt with K3
Decryption is the reverse process:
- Decrypt with K3
- Encrypt with K2
- Decrypt with K1
Setting K3 equal to K1 in these processes gives us a double length key K1, K2.
Setting K1, K2 and K3 all equal to K has the same effect as using a single-length (56-bit key). Thus it is possible for a system using triple-DES to be compatible with a system using single-DES.
FAQ?21: What is key parity?
ADES key is a 56-bit number presented in an 8-byte field. The algorithm ignores the low-order bit in each byte. However, it is usual to set the low-order bits so that each byte contains an odd number of bits set to 1.
For example, the key 0000000000000000 would be adjusted to 0101010101010101. It is strongly recommended that keys be adjusted in this way, if only for debugging purposes. It is also true that some systems will not accept a key that does not have odd parity.
FAQ22: What is key tagging?
In the DES cryptosystem, the algorithm ignores every 8* bit of the key. Traditionally these bits are set so that each byte of the key contains an odd number of bits set to 1. However, some systems use these bits” to indicate the operations for which the key can be used.
Since a single-length DES key has 8 redundant bits this gives 256 possible key types that can be defined (examples are encrypt only, decrypt only, both encrypt and decrypt, and so on).
This is a technique that does not seem to have caught on, and it is probably best avoided.
FAQ23: What is a control vector?
This is a development of the idea of key tagging, and is a feature of IBM’s Common Cryptographic Architecture (CCA).
In CCA every key has a control vector (CV) associated with it. A CV is a 16-byte structure containing information about the key and what it can be used for. Every key is held in encrypted form, and the key used for its encryption depends on the CV. If you try to use a key for the wrong purpose, the wrong CV gets applied, the key is not tecovered correctly and the operation fails.
In principle this looks like a good idea, but the proliferation of key types in the CCA has rendered the whole thing immensely complicated. Some might say that the technique, while good in principle, has got out of hand.
FAQ67: How can I prove an algorithm is secure?
The short answer to this question is that it is impossible to prove that an algorithm is secure. The only provably secure algorithm is the one-time pad, and this is not useful for most practical purposes.
What you can do is perform many tests on an algorithm and look for wealmesses. DES has withstood thorough testing for nearly 30 years, so the cryptographic community is confident that it is good.
The basic test to try out on an algorithm is to encrypt a string of binary zeros, then change one bit at a time and see how these changes affect the ciphertext. If predictable patterns are observed, you can be sure that the algorithm is flawed.
FAQ68: How do I share secret keys with another user?
In a symmetric cryptosystem, high-level keys need to be established manually. Do this by distributing them as components that are securely exclusive-Or’d together to create a KEK (hey-encrypting-key) or KTK (key-transport-key).
Once a KEK or KTK is in place, data keys can be shared electronically, enciphered under the KEK, and KEKs can be shared enciphered under the KTK.
In an asymmetric system, KEKs, KTKs and working keys can be sent to another user enciphered under his public key (provided you are certain that the public key really does belong to that user).
FAQ69: How should I store passwords?
Passwords are best stored encrypted under a one-way function, so that they cannot be decrypted. A good way to do this would be with HMAC, using the User Identifier as the key.
The reason for incorporating the User Identifier into the process is to ensure that if two different users have the same password, the encryption will be different. This compromise of the one user’s password will not necessarily compromise the other user’s password.
When the user enters his password, apply the one-way encryption and compare the result with the entry on the user database.
The Cryptography Management Kit can now be purchased online and downloaded directly to your PC. It couldn’t be easier.
To purchase the product and download for a special price of just $199, simply visit our Crypto Purchase Page.