|
Archive-name: cryptography-faq/rsa/part2 Last-modified: 93/09/20 Version: 2.0 Distribution-agent: tmp@netcom.com (This document has been brought to you in part by CRAM. See the bottom for more information, including instructions on how to obtain updates.) === Answers To FREQUENTLY ASKED QUESTIONS About Today's Cryptography Paul Fahn RSA Laboratories 100 Marine Parkway Redwood City, CA 94065 Copyright (c) 1993 RSA Laboratories, a division of RSA Data Security, Inc. All rights reserved. Version 2.0, draft 2f Last update: September 20, 1993 ------------------------------------------------------------------------ Table of Contents [ part 2 ] 3 Key Management 3.1 What key management issues are involved in public-key cryptography? 3.2 Who needs a key? 3.3 How does one get a key pair? 3.4 Should a public key or private key be shared among users? 3.5 What are certificates? 3.6 How are certificates used? 3.7 Who issues certificates and how? 3.8 What is a CSU, or, How do certifying authorities store their private keys? 3.9 Are certifying authorities susceptible to attack? 3.10 What if the certifying authority's key is lost or compromised? 3.11 What are Certificate Revocation Lists (CRLs)? 3.12 What happens when a key expires? 3.13 What happens if I lose my private key? 3.14 What happens if my private key is compromised? 3.15 How should I store my private key? 3.16 How do I find someone else's public key? 3.17 How can signatures remain valid beyond the expiration dates of their keys, or, How do you verify a 20-year-old signature? 3.18 What is a digital time-stamping service? 4 Factoring and Discrete Log 4.1 What is a one-way function? 4.2 What is the significance of one-way functions for cryptography? 4.3 What is the factoring problem? 4.4 What is the significance of factoring in cryptography? 4.5 Has factoring been getting easier? 4.6 What are the best factoring methods in use today? 4.7 What are the prospects for theoretical factoring breakthroughs? 4.8 What is the RSA Factoring Challenge? 4.9 What is the discrete log problem? 4.10 Which is easier, factoring or discrete log? 5 DES 5.1 What is DES? 5.2 Has DES been broken? 5.3 How does one use DES securely? 5.4 Can DES be exported from the U.S.? 5.5 What are the alternatives to DES? 5.6 Is DES a group? -------------------------------------------------------------------- 3 Key Management 3.1 What key management issues are involved in public-key cryptography? Secure methods of key management are extremely important. In practice, most attacks on public-key systems will probably be aimed at the key management levels, rather than at the cryptographic algorithm itself. The key management issues mentioned here are discussed in detail in later questions. Users must be able to obtain securely a key pair suited to their efficiency and security needs. There must be a way to look up other people's public keys and to publicize one's own key. Users must have confidence in the legitimacy of others' public keys; otherwise an intruder can either change public keys listed in a directory, or impersonate another user. Certificates are used for this purpose. Certificates must be unforgeable, obtainable in a secure manner, and processed in such a way that an intruder cannot misuse them. The issuance of certificates must proceed in a secure way, impervious to attack. If someone's private key is lost or compromised, others must be made aware of this, so that they will no longer encrypt messages under the invalid public key nor accept messages signed with the invalid private key. Users must be able to store their private keys securely, so that no intruder can find it, yet the keys must be readily accessible for legitimate use. Keys need to be valid only until a specified expiration date. The expiration date must be chosen properly and publicized securely. Some documents need to have verifiable signatures beyond the time when the key used to sign them has expired. Although most of these key management issues arise in any public-key cryptosystem, for convenience they are discussed here in the context of RSA. 3.2 Who needs a key? Anyone who wishes to sign messages or to receive encrypted messages must have a key pair. People may have more than one key. For example, someone might have a key affiliated with his or her work and a separate key for personal use. Other entities will also have keys, including electronic entities such as modems, workstations, and printers, as well as organizational entities such as a corporate department, a hotel registration desk, or a university registrar's office. 3.3 How does one get a key pair? Each user should generate his or her own key pair. It may be tempting within an organization to have a single site that generates keys for all members who request one, but this is a security risk because it involves the transmission of private keys over a network as well as catastrophic consequences if an attacker infiltrates the key-generation site. Each node on a network should be capable of local key generation, so that private keys are never transmitted and no external key source need be trusted. Of course, the local key generation software must itself be trustworthy. Secret-key authentication systems, such as Kerberos, often do not allow local key generation but instead use a central server to generate keys. Once generated, a user must register his or her public key with some central administration, called a certifying authority. The certifying authority returns to the user a certificate attesting to the veracity of the user's public key along with other information (see Questions 3.5 and following). Most users should not obtain more than one certificate for the same key, in order to simplify various bookkeeping tasks associated with the key. 3.4 Should a public key or private key be shared among users? In RSA, each person should have a unique modulus and private exponent, i.e., a unique private key. The public exponent, on the other hand, can be common to a group of users without security being compromised. Some public exponents in common use today are 3 and 2^{16}+1; because these numbers are small, the public-key operations (encryption and signature verification) are fast relative to the private key operations (decryption and signing). If one public exponent becomes a standard, software and hardware can be optimized for that value. In public-key systems based on discrete logarithms, such as ElGamal, Diffie-Hellman, or DSS, it has often been suggested that a group of people should share a modulus. This would make breaking a key more attractive to an attacker, however, because one could break every key with only slightly more effort than it would take to break a single key. To an attacker, therefore, the average cost to break a key is much lower with a common modulus than if every key has a distinct modulus. Thus one should be very cautious about using a common modulus; if a common modulus is chosen, it should be very large. 3.5 What are certificates? Certificates are digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a given public key does in fact belong to a given individual. Certificates help prevent someone from using a phony key to impersonate someone else. In their simplest form, certificates contain a public key and a name. As commonly used, they also contain the expiration date of the key, the name of the certifying authority that issued the certificate, the serial number of the certificate, and perhaps other information. Most importantly, it contains the digital signature of the certificate issuer. The most widely accepted format for certificates is defined by the CCITT X.509 international standard [19]; thus certificates can be read or written by any application complying with X.509. Further refinements are found in the PKCS set of standards (see Question 8.9), and the PEM standard (see Question 8.7). A detailed discussion of certificate format can also be found in Kent [40]. A certificate is issued by a certifying authority (see Question 3.7) and signed with the certifying authority's private key. 3.6 How are certificates used? A certificate is displayed in order to generate confidence in the legitimacy of a public key. Someone verifying a signature can also verify the signer's certificate, to insure that no forgery or false representation has occurred. These steps can be performed with greater or lesser rigor depending on the context. The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message would verify the certificate using the certifying authority's public key and, now confident of the public key of the sender, verify the message's signature. There may be two or more certificates enclosed with the message, forming a hierarchical chain, wherein one certificate testifies to the authenticity of the previous certificate. At the end of a certificate hierarchy is a top-level certifying authority, which is trusted without a certificate from any other certifying authority. The public key of the top-level certifying authority must be independently known, for example by being widely published. The more familiar the sender is to the receiver of the message, the less need there is to enclose, and to verify, certificates. If Alice sends messages to Bob every day, Alice can enclose a certificate chain on the first day, which Bob verifies. Bob thereafter stores Alice's public key and no more certificates or certificate verifications are necessary. A sender whose company is known to the receiver may need to enclose only one certificate (issued by the company), whereas a sender whose company is unknown to the receiver may need to enclose two certificates. A good rule of thumb is to enclose just enough of a certificate chain so that the issuer of the highest level certificate in the chain is well-known to the receiver. According to the PKCS standards for public-key cryptography (see Question 8.9), every signature points to a certificate that validates the public key of the signer. Specifically, each signature contains the name of the issuer of the certificate and the serial number of the certificate. Thus even if no certificates are enclosed with a message, a verifier can still use the certificate chain to check the status of the public key. 3.7 Who issues certificates and how? Certificates are issued by a certifying authority (CA), which can be any trusted central administration willing to vouch for the identities of those to whom it issues certificates. A company may issue certificates to its employees, a university to its students, a town to its citizens. In order to prevent forged certificates, the CA's public key must be trustworthy: a CA must either publicize its public key or provide a certificate from a higher-level CA attesting to the validity of its public key. The latter solution gives rise to hierarchies of CAs. Certificate issuance proceeds as follows. Alice generates her own key pair and sends the public key to an appropriate CA with some proof of her identification. The CA checks the identification and takes any other steps necessary to assure itself that the request really did come from Alice, and then sends her a certificate attesting to the binding between Alice and her public key, along with a hierarchy of certificates verifying the CA's public key. Alice can present this certificate chain whenever desired in order to demonstrate the legitimacy of her public key. Since the CA must check for proper identification, organizations will find it convenient to act as a CA for its own members and employees. There will also be CAs that issue certificates to unaffiliated individuals. Different CAs may issue certificates with varying levels of identification requirements. One CA may insist on seeing a driver's license, another may want the certificate request form to be notarized, yet another may want fingerprints of anyone requesting a certificate. Each CA should publish its own identification requirements and standards, so that verifiers can attach the appropriate level of confidence in the certified name-key bindings. An example of a certificate-issuing protocol is Apple Computer's Open Collaborative Environment (OCE). Apple OCE users can generate a key pair and then request and receive a certificate for the public key; the certificate request must be notarized. 3.8 What is a CSU, or, How do certifying authorities store their private keys? It is extremely important that private keys of certifying authorities are stored securely, because compromise would enable undetectable forgeries. One way to achieve the desired security is to store the key in a tamperproof box; such a box is called a Certificate Signing Unit, or CSU. The CSU would, preferably, destroy its contents if ever opened, and be shielded against attacks using electromagnetic radiation. Not even employees of the certifying authority should have access to the private key itself, but only the ability to use the private key in the process of issuing certificates. There are many possible designs for CSUs; here is a description of one design found in some current implementations. The CSU is activated by a set of data keys, which are physical keys capable of storing digital information. The data keys use secret-sharing technology such that several people must all use their data keys to activate the CSU. This prevents one disgruntled CA employee from producing phony certificates. Note that if the CSU is destroyed, say in a fire, no security is compromised. Certificates signed by the CSU are still valid, as long as the verifier uses the correct public key. Some CSUs will be manufactured so that a lost private key can be restored into a new CSU. See Question 3.10 for discussion of lost CA private keys. Bolt, Beranek, and Newman (BBN) currently sells a CSU, and RSA Data Security sells a full-fledged certificate issuing system built around the BBN CSU. 3.9 Are certifying authorities susceptible to attack? One can think of many attacks aimed at the certifying authority, which must be prepared against them. Consider the following attack. Suppose Bob wishes to impersonate Alice. If Bob can convincingly sign messages as Alice, he can send a message to Alice's bank saying ``I wish to withdraw $10,000 from my account. Please send me the money.'' To carry out this attack, Bob generates a key pair and sends the public key to a certifying authority saying ``I'm Alice. Here is my public key. Please send me a certificate.'' If the CA is fooled and sends him such a certificate, he can then fool the bank, and his attack will succeed. In order to prevent such an attack the CA must verify that a certificate request did indeed come from its purported author, i.e., it must require sufficient evidence that it is actually Alice who is requesting the certificate. The CA may, for example, require Alice to appear in person and show a birth certificate. Some CAs may require very little identification, but the bank should not honor messages authenticated with such low-assurance certificates. Every CA must publicly state its identification requirements and policies; others can then attach an appropriate level of confidence to the certificates. An attacker who discovers the private key of a certifying authority could then forge certificates. For this reason, a certifying authority must take extreme precautions to prevent illegitimate access to its private key. The private key should be kept in a high-security box, known as a Certificate Signing Unit, or CSU (see Question 3.8). The certifying authority's public key might be the target of an extensive factoring attack. For this reason, CAs should use very long keys, preferably 1000 bits or longer, and should also change keys regularly. Top-level certifying authorities are exceptions: it may not be practical for them to change keys frequently because the key may be written into software used by a large number of verifiers. In another attack, Alice bribes Bob, who works for the certifying authority, to issue to her a certificate in the name of Fred. Now Alice can send messages signed in Fred's name and anyone receiving such a message will believe it authentic because a full and verifiable certificate chain will accompany the message. This attack can be hindered by requiring the cooperation of two (or more) employees to generate a certificate; the attacker now has to bribe two employees rather than one. For example, in some of today's CSUs, three employees must each insert a data key containing secret information in order to authorize the CSU to generate certificates. Unfortunately, there may be other ways to generate a forged certificate by bribing only one employee. If each certificate request is checked by only one employee, that one employee can be bribed and slip a false request into a stack of real certificate requests. Note that a corrupt employee cannot reveal the certifying authority's private key, as long as it is properly stored. Another attack involves forging old documents. Alice tries to factor the modulus of the certifying authority. It takes her 15 years, but she finally succeeds, and she now has the old private key of the certifying authority. The key has long since expired, but she can forge a certificate dated 15 years ago attesting to a phony public key of some other person, say Bob; she can now forge a document with a signature of Bob dated 15 year ago, perhaps a will leaving everything to Alice. The underlying issue raised by this attack is how to authenticate a signed document dated many years ago; this issue is discussed in Question 3.17. Note that these attacks on certifying authorities do not threaten the privacy of messages between users, as might result from an attack on a secret-key distribution center. 3.10 What if the certifying authority's key is lost or compromised? If the certifying authority's key is lost or destroyed but not compromised, certificates signed with the old key are still valid, as long as the verifier knows to use the old public key to verify the certificate. In some CSU designs, encrypted backup copies of the CA's private key are kept. A CA which loses its key can then restore it by loading the encrypted backup into the CSU, which can decrypt it using some unique information stored inside the CSU; the encrypted backup can only be decrypted using the CSU. If the CSU itself is destroyed, the manufacturer may be able to supply another with the same internal information, thus allowing recovery of the key. A compromised CA key is a much more dangerous situation. An attacker who discovers a certifying authority's private key can issue phony certificates in the name of the certifying authority, which would enable undetectable forgeries; for this reason, all precautions must be taken to prevent compromise, including those outlined in Questions 3.8 and 3.9. If a compromise does occur, the CA must immediately cease issuing certificates under its old key and change to a new key. If it is suspected that some phony certificates were issued, all certificates should be recalled, and then reissued with a new CA key. These measures could be relaxed somewhat if certificates were registered with a digital time-stamping service (see Question 3.18). Note that compromise of a CA key does not invalidate users' keys, but only the certificates that authenticate them. Compromise of a top-level CA's key should be considered catastrophic, since the key may be built into applications that verify certificates. 3.11 What are Certificate Revocation Lists (CRLs)? A Certificate Revocation List (CRL) is a list of public keys that have been revoked before their scheduled expiration date. There are several reasons why a key might need to be revoked and placed on a CRL. A key might have been compromised. A key might be used professionally by an individual for a company; for example, the official name associated with a key might be ``Alice Avery, Vice President, Argo Corp.'' If Alice were fired, her company would not want her to be able to sign messages with that key and therefore the company would place the key on the CRL. When verifying a signature, one can check the relevant CRL to make sure the signer's key has not been revoked. Whether it is worth the time to perform this check depends on the importance of the signed document. CRLs are maintained by certifying authorities (CAs) and provide information about revoked keys originally certified by the CA. CRLs only list current keys, since expired keys should not be accepted in any case; when a revoked key is past its original expiration date it is removed from the CRL. Although CRLs are maintained in a distributed manner, there may be central repositories for CRLs, that is, sites on networks containing the latest CRLs from many organizations. An institution like a bank might want an in-house CRL repository to make CRL searches feasible on every transaction. 3.12 What happens when a key expires? In order to guard against a long-term factoring attack, every key must have an expiration date after which it is no longer valid. The time to expiration must therefore be much shorter than the expected factoring time, or equivalently, the key length must be long enough to make the chances of factoring before expiration extremely small. The validity period for a key pair may also depend on the circumstances in which the key will be used, although there will also be a standard period. The validity period, together with the value of the key and the estimated strength of an expected attacker, then determines the appropriate key size. The expiration date of a key accompanies the public key in a certificate or a directory listing. The signature verification program should check for expiration and should not accept a message signed with an expired key. This means that when one's own key expires, everything signed with it will no longer be considered valid. Of course, there will be cases where it is important that a signed document be considered valid for a much longer period of time; Question 3.17 discusses ways to achieve this. After expiration, the user chooses a new key, which should be longer than the old key, perhaps by several digits, to reflect both the performance increase of computer hardware and any recent improvements in factoring algorithms. Recommended key length schedules will likely be published. A user may recertify a key that has expired, if it is sufficiently long and has not been compromised. The certifying authority would then issue a new certificate for the same key, and all new signatures would point to the new certificate instead of the old. However, the fact that computer hardware continues to improve argues for replacing expired keys with new, longer keys every few years. Key replacement enables one to take advantage of the hardware improvements to increase the security of the cryptosystem. Faster hardware has the effect of increasing security, perhaps vastly, but only if key lengths are increased regularly (see Question 4.5). 3.13 What happens if I lose my private key? If your private key is lost or destroyed, but not compromised, you can no longer sign or decrypt messages, but anything previously signed with the lost key is still valid. This can happen, for example, if you forget the password used to access your key, or if the disk on which the key is stored is damaged. You need to choose a new key right away, to minimize the number of messages people send you encrypted under your old key, messages which you can no longer read. 3.14 What happens if my private key is compromised? If your private key is compromised, that is, if you suspect an attacker may have obtained your private key, then you must assume that some enemy can read encrypted messages sent to you and forge your name on documents. The seriousness of these consequences underscores the importance of protecting your private key with extremely strong mechanisms (see Question 3.15). You must immediately notify your certifying authority and have your old key placed on a Certificate Revocation List (see Question 3.11); this will inform people that the key has been revoked. Then choose a new key and obtain the proper certificates for it. You may wish to use the new key to re-sign documents that you had signed with the compromised key; documents that had been time-stamped as well as signed might still be valid. You should also change the way you store your private key, to prevent compromise of the new key. 3.15 How should I store my private key? Private keys must be stored securely, since forgery and loss of privacy could result from compromise. The private key should never be stored anywhere in plaintext form. The simplest storage mechanism is to encrypt the private key under a password and store the result on a disk. Of course, the password itself must be maintained with high security, not written down and not easily guessed. Storing the encrypted key on a disk that is not accessible through a computer network, such as a floppy disk or a local hard disk, will make some attacks more difficult. Ultimately, private keys may be stored on portable hardware, such as a smart card. Furthermore, a challenge-response protocol will be more secure than simple password access. Users with extremely high security needs, such as certifying authorities, should use special hardware devices to protect their keys (see Question 3.8). 3.16 How do I find someone else's public key? Suppose you want to find Bob's public key. There are several possible ways. You could call him up and ask him to send you his public key via e-mail; you could request it via e-mail as well. Certifying authorities may provide directory services; if Bob works for company Z, look in the directory kept by Z's certifying authority. Directories must be secure against unauthorized tampering, so that users can be confident that a public key listed in the directory actually belongs to the person listed. Otherwise, you might send private encrypted information to the wrong person. Eventually, full-fledged directories will arise, serving as online white or yellow pages. If they are compliant with CCITT X.509 standards [19], the directories will contain certificates as well as public keys; the presence of certificates will lower the directories' security needs. 3.17 How can signatures remain valid beyond the expiration dates of their keys, or, How do you verify a 20-year-old signature? Normally, a key expires after, say, two years and a document signed with an expired key should not be accepted. However, there are many cases where it is necessary for signed documents to be regarded as legally valid for much longer than two years; long-term leases and contracts are examples. How should these cases be handled? Many solutions have been suggested but it is unclear which will prove the best. Here are some possibilities. One can have special long-term keys as well as the normal two-year keys. Long-term keys should have much longer modulus lengths and be stored more securely than two-year keys. If a long-term key expires in 50 years, any document signed with it would remain valid within that time. A problem with this method is that any compromised key must remain on the relevant CRL until expiration (see Question 3.11); if 50-year keys are routinely placed on CRLs, the CRLs could grow in size to unmanageable proportions. This idea can be modified as follows. Register the long-term key by the normal procedure, i.e., for two years. At expiration time, if it has not been compromised, the key can be recertified, that is, issued a new certificate by the certifying authority, so that the key will be valid for another two years. Now a compromised key only needs to be kept on a CRL for at most two years, not fifty. One problem with the previous method is that someone might try to invalidate a long-term contract by refusing to renew his key. This problem can be circumvented by registering the contract with a digital time-stamping service (see Question 3.18) at the time it is originally signed. If all parties to the contract keep a copy of the time-stamp, then each can prove that the contract was signed with valid keys. In fact, the time-stamp can prove the validity of a contract even if one signer's key gets compromised at some point after the contract was signed. This time-stamping solution can work with all signed digital documents, not just multi-party contracts. 3.18 What is a digital time-stamping service? A digital time-stamping service (DTS) issues time-stamps which associate a date and time with a digital document in a cryptographically strong way. The digital time-stamp can be used at a later date to prove that an electronic document existed at the time stated on its time-stamp. For example, a physicist who has a brilliant idea can write about it with a word processor and have the document time-stamped. The time-stamp and document together can later prove that the scientist deserves the Nobel Prize, even though an arch rival may have been the first to publish. Here's one way such a system could work. Suppose Alice signs a document and wants it time-stamped. She computes a message digest of the document using a secure hash function (see Question 8.2) and then sends the message digest (but not the document itself) to the DTS, which sends her in return a digital time-stamp consisting of the message digest, the date and time it was received at the DTS, and the signature of the DTS. Since the message digest does not reveal any information about the content of the document, the DTS cannot eavesdrop on the documents it time-stamps. Later, Alice can present the document and time-stamp together to prove when the document was written. A verifier computes the message digest of the document, makes sure it matches the digest in the time-stamp, and then verifies the signature of the DTS on the time-stamp. To be reliable, the time-stamps must not be forgeable. Consider the requirements for a DTS of the type just described. First, the DTS itself must have a long key if we want the time-stamps to be reliable for, say, several decades. Second, the private key of the DTS must be stored with utmost security, as in a tamperproof box. Third, the date and time must come from a clock, also inside the tamperproof box, which cannot be reset and which will keep accurate time for years or perhaps for decades. Fourth, it must be infeasible to create time-stamps without using the apparatus in the tamperproof box. A cryptographically strong DTS using only software [4] has been implemented by Bellcore; it avoids many of the requirements just described, such as tamperproof hardware. The Bellcore DTS essentially combines hash values of documents into data structures called binary trees, whose ``root'' values are periodically published in the newspaper. A time-stamp consists of a set of hash values which allow a verifier to recompute the root of the tree. Since the hash functions are one-way (see Question 8.2), the set of validating hash values cannot be forged. The time associated with the document by the time-stamp is the date of publication. The use of a DTS would appear to be extremely important, if not essential, for maintaining the validity of documents over many years (see Question 3.17). Suppose a landlord and tenant sign a twenty-year lease. The public keys used to sign the lease will expire after, say, two years; solutions such as recertifying the keys or resigning every two years with new keys require the cooperation of both parties several years after the original signing. If one party becomes dissatisfied with the lease, he or she may refuse to cooperate. The solution is to register the lease with the DTS at the time of the original signing; both parties would then receive a copy of the time-stamp, which can be used years later to enforce the integrity of the original lease. In the future, it is likely that a DTS will be used for everything from long-term corporate contracts to personal diaries and letters. Today, if an historian discovers some lost letters of Mark Twain, their authenticity is checked by physical means. But a similar find 100 years from now may consist of an author's computer files; digital time-stamps may be the only way to authenticate the find. 4 Factoring and Discrete Log 4.1 What is a one-way function? A one-way function is a mathematical function that is significantly easier to perform in one direction (the forward direction) than in the opposite direction (the inverse direction). One might, for example, compute the function in minutes but only be able to compute the inverse in months or years. A trap-door one-way function is a one-way function where the inverse direction is easy if you know a certain piece of information (the trap door), but difficult otherwise. 4.2 What is the significance of one-way functions for cryptography? Public-key cryptosystems are based on (presumed) trap-door one-way functions. The public key gives information about the particular instance of the function; the private key gives information about the trap door. Whoever knows the trap door can perform the function easily in both directions, but anyone lacking the trap door can perform the function only in the forward direction. The forward direction is used for encryption and signature verification; the inverse direction is used for decryption and signature generation. In almost all public-key systems, the size of the key corresponds to the size of the inputs to the one-way function; the larger the key, the greater the difference between the efforts necessary to compute the function in the forward and inverse directions (for someone lacking the trap door). For a digital signature to be secure for years, for example, it is necessary to use a trap-door one-way function with inputs large enough that someone without the trap door would need many years to compute the inverse function. All practical public-key cryptosystems are based on functions that are believed to be one-way, but have not been proven to be so. This means that it is theoretically possible that an algorithm will be discovered that can compute the inverse function easily without a trap door; this development would render any cryptosystem based on that one-way function insecure and useless. 4.3 What is the factoring problem? Factoring is the act of splitting an integer into a set of smaller integers (factors) which, when multiplied together, form the original integer. For example, the factors of 15 are 3 and 5; the factoring problem is to find 3 and 5 when given 15. Prime factorization requires splitting an integer into factors that are prime numbers; every integer has a unique prime factorization. Multiplying two prime integers together is easy, but as far as we know, factoring the product is much more difficult. 4.4 What is the significance of factoring in cryptography? Factoring is the underlying, presumably hard problem upon which several public-key cryptosystems are based, including RSA. Factoring an RSA modulus (see Question 2.1) would allow an attacker to figure out the private key; thus, anyone who can factor the modulus can decrypt messages and forge signatures. The security of RSA therefore depends on the factoring problem being difficult. Unfortunately, it has not been proven that factoring must be difficult, and there remains a possibility that a quick and easy factoring method might be discovered (see Question 4.7), although factoring researchers consider this possibility remote. Factoring large numbers takes more time than factoring smaller numbers. This is why the size of the modulus in RSA determines how secure an actual use of RSA is; the larger the modulus, the longer it would take an attacker to factor, and thus the more resistant to attack the RSA implementation is. 4.5 Has factoring been getting easier? Factoring has become easier over the last fifteen years for two reasons: computer hardware has become more powerful, and better factoring algorithms have been developed. Hardware improvement will continue inexorably, but it is important to realize that hardware improvements make RSA more secure, not less. This is because a hardware improvement that allows an attacker to factor a number two digits longer than before will at the same time allow a legitimate RSA user to use a key dozens of digits longer than before; a user can choose a new key a dozen digits longer than the old one without any performance slowdown, yet a factoring attack will become much more difficult. Thus although the hardware improvement does help the attacker, it helps the legitimate user much more. This general rule may fail in the sense that factoring may take place using fast machines of the future, attacking RSA keys of the past; in this scenario, only the attacker gets the advantage of the hardware improvement. This consideration argues for using a larger key size today than one might otherwise consider warranted. It also argues for replacing one's RSA key with a longer key every few years, in order to take advantage of the extra security offered by hardware improvements. This point holds for other public-key systems as well. Better factoring algorithms have been more help to the RSA attacker than have hardware improvements. As the RSA system, and cryptography in general, have attracted much attention, so has the factoring problem, and many researchers have found new factoring methods or improved upon others. This has made factoring easier, for numbers of any size and irrespective of the speed of the hardware. However, factoring is still a very difficult problem. Overall, any recent decrease in security due to algorithm improvement can be offset by increasing the key size. In fact, between general computer hardware improvements and special-purpose RSA hardware improvements, increases in key size (maintaining a constant speed of RSA operations) have kept pace or exceeded increases in algorithm efficiency, resulting in no net loss of security. As long as hardware continues to improve at a faster rate than that at which the complexity of factoring algorithms decreases, the security of RSA will increase, assuming RSA users regularly increase their key size by appropriate amounts. The open question is how much faster factoring algorithms can get; there must be some intrinsic limit to factoring speed, but this limit remains unknown. 4.6 What are the best factoring methods in use today? Factoring is a very active field of research among mathematicians and computer scientists; the best factoring algorithms are mentioned below with some references and their big-O asymptotic efficiency. O notation measures how fast an algorithm is; it gives an upper bound on the number of operations (to order of magnitude) in terms of n, the number to be factored, and p, a prime factor of n. For textbook treatment of factoring algorithms, see [41], [42], [47], and [11]; for a detailed explanation of big-O notation, see [22]. Factoring algorithms come in two flavors, special purpose and general purpose; the efficiency of the former depends on the unknown factors, whereas the efficiency of the latter depends on the number to be factored. Special purpose algorithms are best for factoring numbers with small factors, but the numbers used for the modulus in the RSA system do not have any small factors. Therefore, general purpose factoring algorithms are the more important ones in the context of cryptographic systems and their security. Special purpose factoring algorithms include the Pollard rho method [66], with expected running time O(sqrt(p)), and the Pollard p-1 method [67], with running time O(p'), where p' is the largest prime factor of p-1. Both of these take an amount of time that is exponential in the size of p, the prime factor that they find; thus these algorithms are too slow for most factoring jobs. The elliptic curve method (ECM) [50] is superior to these; its asymptotic running time is O(exp (sqrt (2 ln p ln ln p)) ). The ECM is often used in practice to find factors of randomly generated numbers; it is not strong enough to factor a large RSA modulus. The best general purpose factoring algorithm today is the number field sieve [16], which runs in time approximately O(exp ( 1.9 (ln n)^{1/3} (ln ln n)^{2/3}) ). It has only recently been implemented [15], and is not yet practical enough to perform the most desired factorizations. Instead, the most widely used general purpose algorithm is the multiple polynomial quadratic sieve (mpqs) [77], which has running time O(exp ( sqrt (ln n ln ln n)) ). The mpqs (and some of its variations) is the only general purpose algorithm that has successfully factored numbers greater than 110 digits; a variation known as ppmpqs [49] has been particularly popular. It is expected that within a few years the number field sieve will overtake the mpqs as the most widely used factoring algorithm, as the size of the numbers being factored increases from about 120 digits, which is the current threshold of general numbers which can be factored, to 130 or 140 digits. A ``general number'' is one with no special form that might make it easier to factor; an RSA modulus is a general number. Note that a 512-bit number has about 155 digits. Numbers that have a special form can already be factored up to 155 digits or more [48]. The Cunningham Project [14] keeps track of the factorizations of numbers with these special forms and maintains a ``10 Most Wanted'' list of desired factorizations. Also, a good way to survey current factoring capability is to look at recent results of the RSA Factoring Challenge (see Question 4.8). 4.7 What are the prospects for theoretical factoring breakthroughs? Although factoring is strongly believed to be a difficult mathematical problem, it has not been proved so. Therefore there remains a possibility that an easy factoring algorithm will be discovered. This development, which could seriously weaken RSA, would be highly surprising and the possibility is considered extremely remote by the researchers most actively engaged in factoring research. Another possibility is that someone will prove that factoring is difficult. This negative breakthrough is probably more likely than the positive breakthrough discussed above, but would also be unexpected at the current state of theoretical factoring research. This development would guarantee the security of RSA beyond a certain key size. 4.8 What is the RSA Factoring Challenge? RSA Data Security Inc. (RSADSI) administers a factoring contest with quarterly cash prizes. Those who factor numbers listed by RSADSI earn points toward the prizes; factoring smaller numbers earns more points than factoring larger numbers. Results of the contest may be useful to those who wish to know the state of the art in factoring; the results show the size of numbers factored, which algorithms are used, and how much time was required to factor each number. Send e-mail to challenge-info@rsa.com for information. 4.9 What is the discrete log problem? The discrete log problem, in its most common formulation, is to find the exponent x in the formula y=g^x mod p; in other words, it seeks to answer the question, To what power must g be raised in order to obtain y, modulo the prime number p? There are other, more general, formulations as well. Like the factoring problem, the discrete log problem is believed to be difficult and also to be the hard direction of a one-way function. For this reason, it has been the basis of several public-key cryptosystems, including the ElGamal system and DSS (see Questions 2.15 and 6.8). The discrete log problem bears the same relation to these systems as factoring does to RSA: the security of these systems rests on the assumption that discrete logs are difficult to compute. The discrete log problem has received much attention in recent years; descriptions of some of the most efficient algorithms can be found in [47], [21], and [33]. The best discrete log problems have expected running times similar to that of the best factoring algorithms. Rivest [72] has analyzed the expected time to solve discrete log both in terms of computing power and money. 4.10 Which is easier, factoring or discrete log? The asymptotic running time of the best discrete log algorithm is approximately the same as for the best general purpose factoring algorithm. Therefore, it requires about as much effort to solve the discrete log problem modulo a 512-bit prime as to factor a 512-bit RSA modulus. One paper [45] cites experimental evidence that the discrete log problem is slightly harder than factoring: the authors suggest that the effort necessary to factor a 110-digit integer is the same as the effort to solve discrete logarithms modulo a 100-digit prime. This difference is so slight that it should not be a significant consideration when choosing a cryptosystem. Historically, it has been the case that an algorithmic advance in either problem, factoring or discrete logs, was then applied to the other. This suggests that the degrees of difficulty of both problems are closely linked, and that any breakthrough, either positive or negative, will affect both problems equally. 5 DES 5.1 What is DES? DES is the Data Encryption Standard, an encryption block cipher defined and endorsed by the U.S. government in 1977 as an official standard; the details can be found in the official FIPS publication [59]. It was originally developed at IBM. DES has been extensively studied over the last 15 years and is the most well-known and widely used cryptosystem in the world. DES is a secret-key, symmetric cryptosystem: when used for communication, both sender and receiver must know the same secret key, which is used both to encrypt and decrypt the message. DES can also be used for single-user encryption, such as to store files on a hard disk in encrypted form. In a multi-user environment, secure key distribution may be difficult; public-key cryptography was invented to solve this problem (see Question 1.3). DES operates on 64-bit blocks with a 56-bit key. It was designed to be implemented in hardware, and its operation is relatively fast. It works well for bulk encryption, that is, for encrypting a large set of data. NIST (see Question 7.1) has recertified DES as an official U.S. government encryption standard every five years; DES was last recertified in 1993, by default. NIST has indicated, however, that it may not recertify DES again. 5.2 Has DES been broken? DES has never been ``broken'', despite the efforts of many researchers over many years. The obvious method of attack is brute-force exhaustive search of the key space; this takes 2^{55} steps on average. Early on it was suggested [28] that a rich and powerful enemy could build a special-purpose computer capable of breaking DES by exhaustive search in a reasonable amount of time. Later, Hellman [36] showed a time-memory trade-off that allows improvement over exhaustive search if memory space is plentiful, after an exhaustive precomputation. These ideas fostered doubts about the security of DES. There were also accusations that the NSA had intentionally weakened DES. Despite these suspicions, no feasible way to break DES faster than exhaustive search was discovered. The cost of a specialized computer to perform exhaustive search has been estimated by Wiener at one million dollars [80]. Just recently, however, the first attack on DES that is better than exhaustive search was announced by Eli Biham and Adi Shamir [6,7], using a new technique known as differential cryptanalysis. This attack requires encryption of 2^{47} chosen plaintexts, i.e., plaintexts chosen by the attacker. Although a theoretical breakthrough, this attack is not practical under normal circumstances because it requires the attacker to have easy access to the DES device in order to encrypt the chosen plaintexts. Another attack, known as linear cryptanalysis [51], does not require chosen plaintexts. The consensus is that DES, when used properly, is secure against all but the most powerful enemies. In fact, triple encryption DES (see Question 5.3) may be secure against anyone at all. Biham and Shamir have stated that they consider DES secure. It is used extensively in a wide variety of cryptographic systems, and in fact, most implementations of public-key cryptography include DES at some level. 5.3 How does one use DES securely? When using DES, there are several practical considerations that can affect the security of the encrypted data. One should change DES keys frequently, in order to prevent attacks that require sustained data analysis. In a communications context, one must also find a secure way of communicating the DES key to both sender and receiver. Use of RSA or some other public-key technique for key management solves both these issues: a different DES key is generated for each session, and secure key management is provided by encrypting the DES key with the receiver's RSA public key. RSA, in this circumstance, can be regarded as a tool for improving the security of DES (or any other secret key cipher). If one wishes to use DES to encrypt files stored on a hard disk, it is not feasible to frequently change the DES keys, as this would entail decrypting and then re-encrypting all files upon each key change. Instead, one should have a master DES key with which one encrypts the list of DES keys used to encrypt the files; one can then change the master key frequently without much effort. A powerful technique for improving the security of DES is triple encryption, that is, encrypting each message block under three different DES keys in succession. Triple encryption is thought to be equivalent to doubling the key size of DES, to 112 bits, and should prevent decryption by an enemy capable of single-key exhaustive search [53]. Of course, using triple-encryption takes three times as long as single-encryption DES. Aside from the issues mentioned above, DES can be used for encryption in several officially defined modes. Some are more secure than others. ECB (electronic codebook) mode simply encrypts each 64-bit block of plaintext one after another under the same 56-bit DES key. In CBC (cipher block chaining) mode, each 64-bit plaintext block is XORed with the previous ciphertext block before being encrypted with the DES key. Thus the encryption of each block depends on previous blocks and the same 64-bit plaintext block can encrypt to different ciphertext depending on its context in the overall message. CBC mode helps protect against certain attacks, although not against exhaustive search or differential cryptanalysis. CFB (cipher feedback) mode allows one to use DES with block lengths less than 64 bits. Detailed descriptions of the various DES modes can be found in [60]. In practice, CBC is the most widely used mode of DES, and is specified in several standards. For additional security, one could use triple encryption with CBC, but since single DES in CBC mode is usually considered secure enough, triple encryption is not often used. 5.4 Can DES be exported from the U.S.? Export of DES, either in hardware or software, is strictly regulated by the U.S. State Department and the NSA (see Question 1.6). The government rarely approves export of DES, despite the fact that DES is widely available overseas; financial institutions and foreign subsidiaries of U.S. companies are exceptions. 5.5 What are the alternatives to DES? Over the years, various bulk encryption algorithms have been designed as alternatives to DES. One is FEAL (Fast Encryption ALgorithm), a cipher for which attacks have been discovered [6], although new versions have been proposed. Another recently proposed cipher designed by Lai and Massey [44] and known as IDEA seems promising, although it has not yet received sufficient scrutiny to instill full confidence in its security. The U.S. government recently announced a new algorithm called Skipjack (see Question 6.5) as part of its Capstone project. Skipjack operates on 64-bit blocks of data, as does DES, but uses 80-bit keys, as opposed to 56-bit keys in DES. However, the details of Skipjack are classified, so Skipjack is only available in hardware from government-authorized manufacturers. Rivest has developed the ciphers RC2 and RC4 (see Question 8.6), which can be made as secure as necessary because they use variable key sizes. Faster than DES, at least in software, they have the further advantage of special U.S. government status whereby the export approval is simplified and expedited if the key size is limited to 40 bits. 5.6 Is DES a group? It has been frequently asked whether DES encryption is closed under composition; i.e., is encrypting a plaintext under one DES key and then encrypting the result under another key always equivalent to a single encryption under a single key? Algebraically, is DES a group? If so, then DES might be weaker than would otherwise be the case; see [39] for a more complete discussion. However, the answer is no, DES is not a group [18]; this issue was settled only recently, after many years of speculation and circumstantial evidence. This result seems to imply that techniques such as triple encryption do in fact increase the security of DES. -------------------------------------------- RSA Laboratories is the research and consultation division of RSA Data Security, Inc., the company founded by the inventors of the RSA public-key cryptosystem. RSA Laboratories reviews, designs and implements secure and efficient cryptosystems of all kinds. Its clients include government agencies, telecommunications companies, computer manufacturers, software developers, cable TV broadcasters, interactive video manufacturers, and satellite broadcast companies, among others. For more information about RSA Laboratories, call or write to RSA Laboratories 100 Marine Parkway Redwood City, CA 94065 (415) 595-7703 (415) 595-4126 (fax) PKCS, RSAREF and RSA Laboratories are trademarks of RSA Data Security, Inc. All other trademarks belong to their respective companies. This document is available in ASCII, Postscript, and Latex formats via anonymous FTP to rsa.com:/pub/faq. Please send comments and corrections to faq-editor@rsa.com. === DISTRIBUTION: How to obtain this document This document has been brought to you in part by CRAM, involved in the redistribution of valuable information to a wider USENET audience (see below). The most recent version of this document can be obtained via the author's instructions above. The following directions apply to retrieve the possibly less-current USENET FAQ version. FTP --- This FAQ is available from the standard FAQ server rtfm.mit.edu via FTP in the directory /pub/usenet/news.answers/cryptography-faq/rsa/ Email ----- Email requests for FAQs go to mail-server@rtfm.mit.edu with commands on lines in the message body, e.g. `help' and `index'. Usenet ------ This FAQ is posted every 21 days to the groups sci.crypt talk.politics.crypto alt.security.ripem sci.answers talk.answers alt.answers news.answers _ _, _ ___ _, __, _, _ _, ___ _ _, _, _ _ _, __, _, _ _ ___ __, | |\ | |_ / \ |_) |\/| / \ | | / \ |\ | | (_ |_) / \ | | |_ | ) | | \| | \ / | \ | | |~| | | \ / | \| | , ) | \ / |/\| | |~\ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~~~ ~ ~ === CRAM: The Cyberspatial Reality Advancement Movement In an effort to bring valuable information to the masses, and as a service to motivated information compilers, a member of CRAM can help others unfamiliar with Usenet `publish' their documents for widespread dissemination via the FAQ structure, and act as a `sponsor' knowledgable in the submissions process. This document is being distributed under this arrangement. We have found these compilations tend to appear on various mailing lists and are valuable enough to deserve wider distribution. If you know of an existing compilation of Internet information that is not currently a FAQ, please contact us and we may `sponsor' it. The benefits to the author include: - use of the existing FAQ infrastructure for distribution: - automated mail server service - FTP archival - automated posting - a far wider audience that can improve the quality, accuracy, and coverage of the document enormously through email feedback - potential professional inquiries for the use of your document in other settings, such as newsletters, books, etc. - with us as your sponsor, we will also take care of the technicalities in the proper format of the posted version and updating procedures, leaving you free of the `overhead' to focus on the basic updates alone The choice of who we `sponsor' is entirely arbitrary. You always have the option of handling the submission process yourself. See the FAQ submission guidelines FAQ in news.answers. For information, send mail to <tmp@netcom.com>. \ \ \ \ \ \ \ \ \ | / / / / / / / / / / _______ ________ _____ _____ _____ /// \\\ ||| \\\ /// \\\ |||\\\///||| ||| ~~ ||| /// ||| ||| ||| \\// ||| ||| __ |||~~~\\\ |||~~~||| ||| ~~ ||| \\\ /// ||| \\\ ||| ||| ||| ||| ~~~~~~~ ~~~ ~~~ ~~~ ~~~ ~~~ ~~~ / / / / / / / / / | \ \ \ \ \ \ \ \ \ \ C y b e r s p a t i a l R e a l i t y A d v a n c e m e n t M o v e m e n t * CIVILIZING CYBERSPACE: send `info cypherwonks' to majordomo@lists.eunet.fi *