TUCoPS :: Crypto :: arrl.txt

Use of public key encryption on BBS networks

Original Message Date: 05 Jun 91  08:21:13
From: Uucp
To: Tom Jennings
Subj: BBS mail and encryption...
^AINTL 1:125/111 1:125/111
From  kumr!pozar
From: pozar@kumr.LNS.COM (Tim Pozar)
To:   fidosw!Tom.Jennings
Date: 5 Jun 91 00:21:09 PDT (Wed)
Cc:   hoptoad!gnu

   Found this on the net...  Funny how we were just talking about this...

                      Tim
---
Article: 381 of rec.radio.amateur.packet
From: karn@epic.bellcore.com
Newsgroups: rec.radio.amateur.packet
Subject: Thoughts on BBS authentication
Message-ID: <1991Jun4.174323.1084@bellcore.bellcore.com>
Date: 4 Jun 91 17:43:23 GMT
Sender: usenet@bellcore.bellcore.com (Poster of News)
Reply-To: karn@epic.bellcore.com ()
Organization: Bell Communications Research, Inc
Lines: 304

I've had several requests for the "white paper" on cryptographic
authentication of BBS messages that I wrote recently in response to a query
by Paul Rinaldo, W4RI, of the ARRL. Paul is the chairman of the ARRL 
Digital
Committee, of which I am a member.

In case anybody can't tell, the opinions expressed here are my own.
--Phil

Paul,

This is in response to your request to the Digital Committee for
comments on authentication schemes that might be used to verify the
source and integrity of a message posted to an amateur BBS network.
This letter consists of a quick tutorial on the various forms of
cryptographic authentication, some personal judgements about their
practicality and suitability for the problem at hand, and some personal
opinions on the present regulatory situation.

The scheme that I talked about at the 1987 ARRL Networking Conference
was for authenticating IP datagrams using DES, but the same principles
apply to using any conventional secret key cipher to authenticate any
kind of message. (By "authenticate a message", I mean verifyng that the
message was in fact sent by the claimed sender, and that the message
contents have not be modified along the way.) Such schemes require all
the stations involved to share a single secret key.  Without the key
you cannot compute the proper authenticator for the messages you send,
nor can you verify an authenticator received with an incoming message.

The difficulty of key management with a conventional cipher can range
from "trivial" to "intractible" depending on the application. Key
management is simple as long as there are only a few stations that need
to generate or authenticate messages, and all trust each other. For
example, a DES-based scheme could be applied to a repeater to limit
remote control to a few trusted stations. A single key known to the
repeater would be shared by the control stations and kept secret from
everyone else. An in-person meeting or the telephone would suffice for
distributing the DES keys.

Now consider cases where the operators do not necessarily trust each
other, e.g., autopatch operation. Since many more stations use an
autopatch than control the basic operation of the repeater, its owners
may want individual accountability. A DES-based authentication system
could still work if each user has his or her own key. The same system
could be used to control access to a BBS. In either case, the "server"
(the repeater or BBS) keeps a complete list of keys for all authorized
users and logs each access. This is more work than the previous case,
but it is still entirely practical.

Common to the all these schemes so far is the assumption that only the
server needs to authenticate a request, e.g., the repeater controller
or the BBS. It must protect its users' keys against unauthorized
disclosure, but since the resource being protected by the authentication
system is the server itself, the owner of the server has an incentive
to do this.

But in the more general case where individual pairs of stations must be
able to authenticate each other, things get much more complicated. Each
pair has to have a key that is known only to that pair; if you have N
stations, you need a total of N^2 keys. All these keys must be
exchanged by some secure means before authentication can occur, and
they must be kept secret. To do this for every pair of amateurs in the
world is clearly impractical. And if you want *any* amateur to be able
to verify the authenticity of, say, a broadcast BBS message (to carry
on the amateur "self-policing" tradition, of course), there is *no*
solution using conventional cryptography - the same key needed to
verify a message could be used to forge one.

Some form of secret key authentication might still be practical between
neighbors in a packet backbone or a BBS autoforwarding network. But
this would only authenticate your immediate neighbors; it would not
authenticate the origins of the traffic they pass from other nodes. For
example, one BBS sysop could create illegal traffic and then pass it to
a neighbor claiming that it originated somewhere else, and there would
be no way to disprove this. So you really do want the authentication to
be "end to end", not "hop by hop", and we're left with an unsolved key
management problem.

One way to reduce the N^2 key problem is to establish a "key
distribution center" that maintains a list of all the users' private
keys. Users wishing to authenticate themselves to each other do so by
first authenticating themselves to the KDC. The KDC then generates a
"session key" (a random number) and sends it to the two parties
encrypted in their own keys. The parties then decrypt the session key,
yielding a shared secret that can be used for authentication. Still,
only the parties involved can authenticate each other; someone
listening in could not. (In most environments, this is an advantage;
somebody else's conversations are none of your business.)

MIT has developed a system based on this model called "Kerberos"; it is
in operation at MIT and elsewhere (the code is free). Nevertheless, it
has the drawback that authentication depends on the availability and
reachability of the KDC. But the fact that the KDC must have a complete
list of the users' private keys works against deploying multiple KDCs
with copies of the database for redundancy; the more KDCs there are,
the more opportunities for the database to be compromised. The scheme
also assumes that all of the parties (the two users and the KDC) have
the ability to communicate with each other in real time, a bad
assumption for amateur packet radio.

So the inescapable conclusion is that authentication schemes based
solely on private key cryptography are of limited utility in amateur
packet radio; they cannot solve the general problem. Fortunately, there
is a new alternative: public key cryptography (PKC). In PKC, the keys
used for encryption and decryption are different. Furthermore,
knowledge of the encryption key, Ke, does not imply knowledge of the
decryption key, Kd; in fact, the algorithms ensure that it is extremely
difficult to determine Kd from Ke. The combination of Ke and its
corresponding Kd is called a "key pair"; for this reason, public key
cryptosystems are sometimes called "dual key" ciphers, as opposed to
"single key" ciphers like DES.

The leading public key scheme, RSA, was invented by Ron Rivest, Adi
Shamir and Len Adelman while at MIT. They hold a US patent on it that
is being exploited by RSA Data Security, Inc. (There is no patent
protection on RSA outside the USA).

The original idea behind RSA was to allow you to publish Ke (hence the
name, "public key" cryptography) so anyone could send you a secret
message without prior arrangement.  As long as you keep Kd secret, only
you can decrypt it. But when used "backwards", RSA can also do
authentication. If you encrypt a message using Kd (your DECRYPTION key,
known only to you), then anyone can decrypt it using your Ke (your
public ENCRYPTION key). Anyone who decrypts such a message then knows
that whoever generated it must have known your Kd. This procedure of
using RSA in reverse is called "signing".

In practice, it is not desirable to run an entire message through RSA
to authenticate it because it is very slow, much slower than secret key
ciphers like DES.

There is a better way. Functions exist to quickly "hash" a message of
arbitrary length into a relatively small, fixed size "message digest".
They are much like cyclic redundancy codes (CRCs) except that they are
much more complex because they are designed to detect intentional
"transmission errors" as well as natural ones.  With a good function,
it is computationally infeasible even for someone who knows it to
produce two messages that hash to the same value, or to determine the
input that produces a given value. They are not ciphers, because they
have no key and their outputs cannot be "decrypted".

One message digest algorithm is MD4 ("message digest #4") by
Ron Rivest, who has placed it in the public domain. MD4 takes a message
of any length and produces a 128-bit (16 byte) result. Rivest
conjectures that it would take on the order of 2^64 operations to find
two inputs that hash to the same value, and 2^128 operations to find an
input that hashes to a given value. These are impressive numbers, so if
the algorithm holds up under analysis it should be quite secure in
practice.

Given RSA and MD4, one authenticates a message by first computing its
hash code with MD4. Then RSA is used to "sign" the hash code (by
encryption with the sender's private key, Kd) and the result is appended
to the message. The party wishing to authenticate the message also
computes the message digest. It then decrypts the encrypted message
digest received with the message (using the published key of the
sender, Ke) and compares it to the value it has just computed. If they
match, the message is genuine.

There still remains the problem of distributing the public keys.
Although they may be freely read by anyone, they must still be
protected against modification. Otherwise someone might forge a
signature of a message under someone else's name using a public key/
private key pair of his own creation; if the receiver can be duped into
accepting this bogus public key, then he will believe that the
signature is genuine.

One way is to publish the public keys as widely as possible, in so many
places that no one could possibly modify all of the copies of a
particular key that reach the intended target of a deception. For
example, the keys could be published on CD-ROM, or they could be listed
in the back pages of QST. But these schemes have two drawbacks: cost
and time.

Another refinement, "certification", addresses this problem. If a
"certifying authority" can be set up to sign the public keys of
individual users with its private key, then only the public key of the
certifying authority needs to be widely published. For example, the
ARRL might select and publish its own public key in QST. It could then
accept public keys from individual amateurs (accompanied with some
non-cryptographic form of authentication, such as a notarized
statement). The ARRL would sign the individual public keys with its
private key and return the results. Note that the ARRL need NOT know
the individual's private keys.

The signed public keys are known as "certificates". They can be
distributed by the users themselves (e.g., in a mail header) because
anyone can readily verify their authenticity with the published ARRL
public key. This eliminates the need for an online KDC. The ARRL's
workload might be a problem, but a solution exists for this too: a
hierarchy of certifying authorities. For example, each League Division
might act as the certifying authority for the amateurs in its area,
using a Division public key that has been certified by ARRL HQ.
Divisions might further delegate the workload to their constituent
Sections. The verification of an individual user's certificate would
therefore require the certificates of all of the certifying authorities
in the hierarchy as well as the published key of the ARRL.

So in theory, anyway, authentication based on public key cryptography
solves many of the problems associated with the earlier secret key
schemes. However, many practical obstacles would still remain:

1. The RSA algorithm is patented in the USA, and the owners of the
patent are holding it fairly close to their chest. Negotiations between
RSA and the Internet Activities Board (IAB) have been dragging on for
several years now over an agreement for the use of RSA in the Internet.
It is not at all clear how much the patent royalties will be, or how
they will be charged. (The leading theory is that the royalties will be
tied only to the issuance of certificates, not to the actual
implementation or use of RSA, but this is not yet final.) Would the use
of RSA in amateur packet radio (resulting in the payment of royalties
to RSA DSI) be considered as furthering the "regular business affairs"
of RSA DSI? (Hopefully not, but considering some of the FCC rules
interpretations we've been seeing lately...)

2. The algorithms are, by amateur standards, quite complex. At a
minimum, they would probably require every amateur to have a PC-class
computer to hash and sign messages. Given that a major reason TCP/IP is
still a relatively esoteric mode in amateur packet radio is the
reluctance of many amateurs to upgrade from C-64s and "dumb terminals",
it seems unlikely that universal user authentication could happen any
time soon. And I won't even *begin* to discuss the user education
issues.

3. Even if a full-blown RSA-based authentication system as described
earlier could be deployed, it is not clear that it would solve the
specific problem that originally prompted your query. Someone accused
of posting an illegal message to an amateur BBS could still claim that
his secret key had been stolen and used by someone else. Or he could
accuse the local "Section Certification Manager" of signing a bogus
public key with his callsign on it and using it to "frame" him by
sending verboten traffic. Even if a key really has been stolen and the
owner notifies the certification authorities, how do they spread the
word that the previously distributed public key is no longer valid?
These issues are still the subject of much discussion in the research
community. Furthermore, this technology has yet to have its first test
in a court of law.

In sum, although I find cryptographic authentication to be a
fascinating topic that has some potential for use in amateur radio, I
do not feel that it is "ready for prime time". Mandating its use at
this time would be an enormous overreaction to the "problem" of
controlling inappropriate BBS traffic.

Quite frankly, the FCC's heavy-handed behavior in this case has me
greatly concerned. I think they're going after a fly with a battleship.
I do not know whether they sincerely believe that they're "protecting"
amateur radio or if they have some more sinister motive. I can only
hope for the former, so we can reason with them.  Every new development
carries with it some risk of abuse; the more powerful the technology,
the greater the risk. Amateur packet radio is no exception; even in its
presently primitive state, it is useful enough to tempt some commercial
entities to abuse it. We should be able to convince the FCC that
requiring unrealistically stringent mechanisms to prevent even the
occasional commercial abuse of amateur packet radio runs the far
greater risk of destroying all of the good that it can do.

Lately, several of us (WA8DZP, K3MC, N6RCE, NG6Q and I) have been
taking a close look at the low power spread spectrum modems that are
rapidly becoming available for use under Part 15 rules on 902-928 MHz
and other shared ISM/amateur bands. In my own opinion, building high
speed (say, 100-500kb/s) metropolitan area networks under Part 15 rules
seems entirely feasible, even with the 1W power limit - given proper
design and engineering (good sites, directional antennas, power
control, efficient channel access methods, etc). True, the performance
of the existing generation of equipment is disappointing, mainly due to
the lack of receiver processing gain in most models. But with the new
FCC rules mandating the use of "true" spread spectrum receivers, plus
the commercial drive behind this industry, it seems likely that the
cost/performance ratio of this equipment will rapidly improve.
Unfortunately, the same probably cannot be said for amateur packet
radio gear, where the large scale production of inexpensive, high speed
radio modems seems as far away as ever. Hence our initial interest in
this technology.

But this latest blow from the FCC is making Part 15's complete absence
of licensing requirements, content and/or usage restrictions look
mighty attractive indeed - even though my primary intent is to use the
network for the kind of personal experimentation that has traditionally
been done in the amateur service. Are the FCC's rules really
"protecting" the amateur service if they scare off those who are most
interested in making technical contributions to the service?

I think it's time that the FCC not only remove the burden of
responsibility for content from automatic relay stations, but that it
loosen up its draconian definition of "business communications" as
well. A lot has happened to the telecommunications industry since the
Eyebank Docket; in particular, it is certainly no longer the job of the
FCC to protect a telephone company from "lost business". The amateur
rules should be pragmatic, with the realization that absolute
prohibitions do far more harm than good.

A simple "hams shalt not sell communications services" rule should
suffice to make any abuses self-limiting, as few hams I know would be
willing to use their time and their stations to help make money for
others if they didn't get a cut of it. Such a rule would be far clearer
than the present "no business interest" rule. The current rule has
spawned an entire generation of armchair amateur lawyers who revel in
interpreting the rules in the most restrictive fashion possible. One
only need look at how the field of computer networking is pretty much
passing amateur radio by to see the chilling effect of the present rules.

73,

Phil Karn






TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH