|
Original Message Date: 05 Jun 91 08:21:13 From: Uucp To: Tom Jennings Subj: BBS mail and encryption... ^AINTL 1:125/111 1:125/111 From kumr!pozar From: pozar@kumr.LNS.COM (Tim Pozar) To: fidosw!Tom.Jennings Date: 5 Jun 91 00:21:09 PDT (Wed) Cc: hoptoad!gnu Found this on the net... Funny how we were just talking about this... Tim --- Article: 381 of rec.radio.amateur.packet From: karn@epic.bellcore.com Newsgroups: rec.radio.amateur.packet Subject: Thoughts on BBS authentication Message-ID: <1991Jun4.174323.1084@bellcore.bellcore.com> Date: 4 Jun 91 17:43:23 GMT Sender: usenet@bellcore.bellcore.com (Poster of News) Reply-To: karn@epic.bellcore.com () Organization: Bell Communications Research, Inc Lines: 304 I've had several requests for the "white paper" on cryptographic authentication of BBS messages that I wrote recently in response to a query by Paul Rinaldo, W4RI, of the ARRL. Paul is the chairman of the ARRL Digital Committee, of which I am a member. In case anybody can't tell, the opinions expressed here are my own. --Phil Paul, This is in response to your request to the Digital Committee for comments on authentication schemes that might be used to verify the source and integrity of a message posted to an amateur BBS network. This letter consists of a quick tutorial on the various forms of cryptographic authentication, some personal judgements about their practicality and suitability for the problem at hand, and some personal opinions on the present regulatory situation. The scheme that I talked about at the 1987 ARRL Networking Conference was for authenticating IP datagrams using DES, but the same principles apply to using any conventional secret key cipher to authenticate any kind of message. (By "authenticate a message", I mean verifyng that the message was in fact sent by the claimed sender, and that the message contents have not be modified along the way.) Such schemes require all the stations involved to share a single secret key. Without the key you cannot compute the proper authenticator for the messages you send, nor can you verify an authenticator received with an incoming message. The difficulty of key management with a conventional cipher can range from "trivial" to "intractible" depending on the application. Key management is simple as long as there are only a few stations that need to generate or authenticate messages, and all trust each other. For example, a DES-based scheme could be applied to a repeater to limit remote control to a few trusted stations. A single key known to the repeater would be shared by the control stations and kept secret from everyone else. An in-person meeting or the telephone would suffice for distributing the DES keys. Now consider cases where the operators do not necessarily trust each other, e.g., autopatch operation. Since many more stations use an autopatch than control the basic operation of the repeater, its owners may want individual accountability. A DES-based authentication system could still work if each user has his or her own key. The same system could be used to control access to a BBS. In either case, the "server" (the repeater or BBS) keeps a complete list of keys for all authorized users and logs each access. This is more work than the previous case, but it is still entirely practical. Common to the all these schemes so far is the assumption that only the server needs to authenticate a request, e.g., the repeater controller or the BBS. It must protect its users' keys against unauthorized disclosure, but since the resource being protected by the authentication system is the server itself, the owner of the server has an incentive to do this. But in the more general case where individual pairs of stations must be able to authenticate each other, things get much more complicated. Each pair has to have a key that is known only to that pair; if you have N stations, you need a total of N^2 keys. All these keys must be exchanged by some secure means before authentication can occur, and they must be kept secret. To do this for every pair of amateurs in the world is clearly impractical. And if you want *any* amateur to be able to verify the authenticity of, say, a broadcast BBS message (to carry on the amateur "self-policing" tradition, of course), there is *no* solution using conventional cryptography - the same key needed to verify a message could be used to forge one. Some form of secret key authentication might still be practical between neighbors in a packet backbone or a BBS autoforwarding network. But this would only authenticate your immediate neighbors; it would not authenticate the origins of the traffic they pass from other nodes. For example, one BBS sysop could create illegal traffic and then pass it to a neighbor claiming that it originated somewhere else, and there would be no way to disprove this. So you really do want the authentication to be "end to end", not "hop by hop", and we're left with an unsolved key management problem. One way to reduce the N^2 key problem is to establish a "key distribution center" that maintains a list of all the users' private keys. Users wishing to authenticate themselves to each other do so by first authenticating themselves to the KDC. The KDC then generates a "session key" (a random number) and sends it to the two parties encrypted in their own keys. The parties then decrypt the session key, yielding a shared secret that can be used for authentication. Still, only the parties involved can authenticate each other; someone listening in could not. (In most environments, this is an advantage; somebody else's conversations are none of your business.) MIT has developed a system based on this model called "Kerberos"; it is in operation at MIT and elsewhere (the code is free). Nevertheless, it has the drawback that authentication depends on the availability and reachability of the KDC. But the fact that the KDC must have a complete list of the users' private keys works against deploying multiple KDCs with copies of the database for redundancy; the more KDCs there are, the more opportunities for the database to be compromised. The scheme also assumes that all of the parties (the two users and the KDC) have the ability to communicate with each other in real time, a bad assumption for amateur packet radio. So the inescapable conclusion is that authentication schemes based solely on private key cryptography are of limited utility in amateur packet radio; they cannot solve the general problem. Fortunately, there is a new alternative: public key cryptography (PKC). In PKC, the keys used for encryption and decryption are different. Furthermore, knowledge of the encryption key, Ke, does not imply knowledge of the decryption key, Kd; in fact, the algorithms ensure that it is extremely difficult to determine Kd from Ke. The combination of Ke and its corresponding Kd is called a "key pair"; for this reason, public key cryptosystems are sometimes called "dual key" ciphers, as opposed to "single key" ciphers like DES. The leading public key scheme, RSA, was invented by Ron Rivest, Adi Shamir and Len Adelman while at MIT. They hold a US patent on it that is being exploited by RSA Data Security, Inc. (There is no patent protection on RSA outside the USA). The original idea behind RSA was to allow you to publish Ke (hence the name, "public key" cryptography) so anyone could send you a secret message without prior arrangement. As long as you keep Kd secret, only you can decrypt it. But when used "backwards", RSA can also do authentication. If you encrypt a message using Kd (your DECRYPTION key, known only to you), then anyone can decrypt it using your Ke (your public ENCRYPTION key). Anyone who decrypts such a message then knows that whoever generated it must have known your Kd. This procedure of using RSA in reverse is called "signing". In practice, it is not desirable to run an entire message through RSA to authenticate it because it is very slow, much slower than secret key ciphers like DES. There is a better way. Functions exist to quickly "hash" a message of arbitrary length into a relatively small, fixed size "message digest". They are much like cyclic redundancy codes (CRCs) except that they are much more complex because they are designed to detect intentional "transmission errors" as well as natural ones. With a good function, it is computationally infeasible even for someone who knows it to produce two messages that hash to the same value, or to determine the input that produces a given value. They are not ciphers, because they have no key and their outputs cannot be "decrypted". One message digest algorithm is MD4 ("message digest #4") by Ron Rivest, who has placed it in the public domain. MD4 takes a message of any length and produces a 128-bit (16 byte) result. Rivest conjectures that it would take on the order of 2^64 operations to find two inputs that hash to the same value, and 2^128 operations to find an input that hashes to a given value. These are impressive numbers, so if the algorithm holds up under analysis it should be quite secure in practice. Given RSA and MD4, one authenticates a message by first computing its hash code with MD4. Then RSA is used to "sign" the hash code (by encryption with the sender's private key, Kd) and the result is appended to the message. The party wishing to authenticate the message also computes the message digest. It then decrypts the encrypted message digest received with the message (using the published key of the sender, Ke) and compares it to the value it has just computed. If they match, the message is genuine. There still remains the problem of distributing the public keys. Although they may be freely read by anyone, they must still be protected against modification. Otherwise someone might forge a signature of a message under someone else's name using a public key/ private key pair of his own creation; if the receiver can be duped into accepting this bogus public key, then he will believe that the signature is genuine. One way is to publish the public keys as widely as possible, in so many places that no one could possibly modify all of the copies of a particular key that reach the intended target of a deception. For example, the keys could be published on CD-ROM, or they could be listed in the back pages of QST. But these schemes have two drawbacks: cost and time. Another refinement, "certification", addresses this problem. If a "certifying authority" can be set up to sign the public keys of individual users with its private key, then only the public key of the certifying authority needs to be widely published. For example, the ARRL might select and publish its own public key in QST. It could then accept public keys from individual amateurs (accompanied with some non-cryptographic form of authentication, such as a notarized statement). The ARRL would sign the individual public keys with its private key and return the results. Note that the ARRL need NOT know the individual's private keys. The signed public keys are known as "certificates". They can be distributed by the users themselves (e.g., in a mail header) because anyone can readily verify their authenticity with the published ARRL public key. This eliminates the need for an online KDC. The ARRL's workload might be a problem, but a solution exists for this too: a hierarchy of certifying authorities. For example, each League Division might act as the certifying authority for the amateurs in its area, using a Division public key that has been certified by ARRL HQ. Divisions might further delegate the workload to their constituent Sections. The verification of an individual user's certificate would therefore require the certificates of all of the certifying authorities in the hierarchy as well as the published key of the ARRL. So in theory, anyway, authentication based on public key cryptography solves many of the problems associated with the earlier secret key schemes. However, many practical obstacles would still remain: 1. The RSA algorithm is patented in the USA, and the owners of the patent are holding it fairly close to their chest. Negotiations between RSA and the Internet Activities Board (IAB) have been dragging on for several years now over an agreement for the use of RSA in the Internet. It is not at all clear how much the patent royalties will be, or how they will be charged. (The leading theory is that the royalties will be tied only to the issuance of certificates, not to the actual implementation or use of RSA, but this is not yet final.) Would the use of RSA in amateur packet radio (resulting in the payment of royalties to RSA DSI) be considered as furthering the "regular business affairs" of RSA DSI? (Hopefully not, but considering some of the FCC rules interpretations we've been seeing lately...) 2. The algorithms are, by amateur standards, quite complex. At a minimum, they would probably require every amateur to have a PC-class computer to hash and sign messages. Given that a major reason TCP/IP is still a relatively esoteric mode in amateur packet radio is the reluctance of many amateurs to upgrade from C-64s and "dumb terminals", it seems unlikely that universal user authentication could happen any time soon. And I won't even *begin* to discuss the user education issues. 3. Even if a full-blown RSA-based authentication system as described earlier could be deployed, it is not clear that it would solve the specific problem that originally prompted your query. Someone accused of posting an illegal message to an amateur BBS could still claim that his secret key had been stolen and used by someone else. Or he could accuse the local "Section Certification Manager" of signing a bogus public key with his callsign on it and using it to "frame" him by sending verboten traffic. Even if a key really has been stolen and the owner notifies the certification authorities, how do they spread the word that the previously distributed public key is no longer valid? These issues are still the subject of much discussion in the research community. Furthermore, this technology has yet to have its first test in a court of law. In sum, although I find cryptographic authentication to be a fascinating topic that has some potential for use in amateur radio, I do not feel that it is "ready for prime time". Mandating its use at this time would be an enormous overreaction to the "problem" of controlling inappropriate BBS traffic. Quite frankly, the FCC's heavy-handed behavior in this case has me greatly concerned. I think they're going after a fly with a battleship. I do not know whether they sincerely believe that they're "protecting" amateur radio or if they have some more sinister motive. I can only hope for the former, so we can reason with them. Every new development carries with it some risk of abuse; the more powerful the technology, the greater the risk. Amateur packet radio is no exception; even in its presently primitive state, it is useful enough to tempt some commercial entities to abuse it. We should be able to convince the FCC that requiring unrealistically stringent mechanisms to prevent even the occasional commercial abuse of amateur packet radio runs the far greater risk of destroying all of the good that it can do. Lately, several of us (WA8DZP, K3MC, N6RCE, NG6Q and I) have been taking a close look at the low power spread spectrum modems that are rapidly becoming available for use under Part 15 rules on 902-928 MHz and other shared ISM/amateur bands. In my own opinion, building high speed (say, 100-500kb/s) metropolitan area networks under Part 15 rules seems entirely feasible, even with the 1W power limit - given proper design and engineering (good sites, directional antennas, power control, efficient channel access methods, etc). True, the performance of the existing generation of equipment is disappointing, mainly due to the lack of receiver processing gain in most models. But with the new FCC rules mandating the use of "true" spread spectrum receivers, plus the commercial drive behind this industry, it seems likely that the cost/performance ratio of this equipment will rapidly improve. Unfortunately, the same probably cannot be said for amateur packet radio gear, where the large scale production of inexpensive, high speed radio modems seems as far away as ever. Hence our initial interest in this technology. But this latest blow from the FCC is making Part 15's complete absence of licensing requirements, content and/or usage restrictions look mighty attractive indeed - even though my primary intent is to use the network for the kind of personal experimentation that has traditionally been done in the amateur service. Are the FCC's rules really "protecting" the amateur service if they scare off those who are most interested in making technical contributions to the service? I think it's time that the FCC not only remove the burden of responsibility for content from automatic relay stations, but that it loosen up its draconian definition of "business communications" as well. A lot has happened to the telecommunications industry since the Eyebank Docket; in particular, it is certainly no longer the job of the FCC to protect a telephone company from "lost business". The amateur rules should be pragmatic, with the realization that absolute prohibitions do far more harm than good. A simple "hams shalt not sell communications services" rule should suffice to make any abuses self-limiting, as few hams I know would be willing to use their time and their stations to help make money for others if they didn't get a cut of it. Such a rule would be far clearer than the present "no business interest" rule. The current rule has spawned an entire generation of armchair amateur lawyers who revel in interpreting the rules in the most restrictive fashion possible. One only need look at how the field of computer networking is pretty much passing amateur radio by to see the chilling effect of the present rules. 73, Phil Karn