mirror of git://git.gnupg.org/gnupg.git
346 lines
13 KiB
Plaintext
346 lines
13 KiB
Plaintext
<chapter id="concepts" xreflabel="2">
|
|
<docinfo>
|
|
<date>
|
|
$Id$
|
|
</date>
|
|
</docinfo>
|
|
<title>
|
|
Concepts
|
|
</title>
|
|
|
|
<para>
|
|
&Gnupg; makes uses of several cryptographic concepts including
|
|
<firstterm>symmetric ciphers</firstterm>,
|
|
<firstterm>public-key ciphers</firstterm>, and
|
|
<firstterm>one-way hashing</firstterm>.
|
|
You can make basic use &gnupg; without fully understanding these concepts,
|
|
but in order to use it wisely some understanding of them is necessary.
|
|
</para>
|
|
|
|
<para>
|
|
This chapter introduces the basic cryptographic concepts used in GnuPG.
|
|
Other books cover these topics in much more detail.
|
|
A good book with which to pursue further study is
|
|
<ulink url="http://www.counterpane.com/schneier.html">Bruce
|
|
Schneier</ulink>'s
|
|
<ulink url="http://www.counterpane.com/applied.html">"Applied
|
|
Cryptography"</ulink>.
|
|
</para>
|
|
|
|
<sect1>
|
|
<title>
|
|
Symmetric ciphers
|
|
</title>
|
|
|
|
<para>
|
|
A symmetric cipher is a cipher that uses the same key for both encryption
|
|
and decryption.
|
|
Two parties communicating using a symmetric cipher must agree on the
|
|
key beforehand.
|
|
Once they agree, the sender encrypts a message using the key, sends it
|
|
to the receiver, and the receiver decrypts the message using the key.
|
|
As an example, the German Enigma is a symmetric cipher, and daily keys
|
|
were distributed as code books.
|
|
Each day, a sending or receiving radio operator would consult his copy
|
|
of the code book to find the day's key.
|
|
Radio traffic for that day was then encrypted and decrypted using the
|
|
day's key.
|
|
Modern examples of symmetric ciphers include 3DES, Blowfish, and IDEA.
|
|
</para>
|
|
|
|
<para>
|
|
A good cipher puts all the security in the key and none in the algorithm.
|
|
In other words, it should be no help to an attacker if he knows which
|
|
cipher is being used.
|
|
Only if he obtains the key would knowledge of the algorithm be needed.
|
|
The ciphers used in &gnupg; have this property.
|
|
</para>
|
|
|
|
<para>
|
|
Since all the security is in the key, then it is important that it be
|
|
very difficult to guess the key.
|
|
In other words, the set of possible keys, &ie;, the <emphasis>key
|
|
space</emphasis>, needs
|
|
to be large.
|
|
While at Los Alamos, Richard Feynman was famous for his ability to
|
|
crack safes.
|
|
To encourage the mystique he even carried around a set of tools
|
|
including an old stethoscope.
|
|
In reality, he used a variety of tricks to reduce the number of
|
|
combinations he had to try to a small number and then simply guessed
|
|
until he found the right combination.
|
|
In other words, he reduced the size of the key space.
|
|
</para>
|
|
|
|
<para>
|
|
Britain used machines to guess keys during World War 2.
|
|
The German Enigma had a very large key space, but the British built
|
|
speciailzed computing engines, the Bombes, to mechanically try
|
|
keys until the day's key was found.
|
|
This meant that sometimes they found the day's key within hours of
|
|
the new key's use, but it also meant that on some days they never
|
|
did find the right key.
|
|
The Bombes were not general-purpose computers but were precursors
|
|
to modern-day computers.
|
|
</para>
|
|
|
|
<para>
|
|
Today, computers can guess keys very quickly, and this is why key
|
|
size is important in modern cryptosystems.
|
|
The cipher DES uses a 56-bit key, which means that there are
|
|
<!-- inlineequation -->
|
|
2<superscript>56</superscript> possible keys.
|
|
<!-- inlineequation -->
|
|
2<superscript>56</superscript> is 72,057,594,037,927,936 keys.
|
|
This is a lot of keys, but a general-purpose computer can check the
|
|
entire key space in a matter of days.
|
|
A specialized computer can check it in hours.
|
|
On the other hand, more recently designed ciphers such as 3DES,
|
|
Blowfish, and IDEA
|
|
<!-- inlineequation -->
|
|
all use 128-bit keys, which means there are 2<superscript>128</superscript>
|
|
possible keys.
|
|
This is many, many more keys, and even if all the computers on the
|
|
planet cooperated, it could still take more time than the age of
|
|
the universe to find the key.
|
|
</para>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>
|
|
Public-key ciphers
|
|
</title>
|
|
|
|
<para>
|
|
The primary problem with symmetric ciphers is not their security but
|
|
with key exchange.
|
|
Once the sender and receiver have exchanged keys, that key can be
|
|
used to securely communicate, but what secure communication channel
|
|
was used to communicate the key itself?
|
|
In particular, it would probably be much easier for an attacker to work
|
|
to intercept the key than it is to try all the keys in the key space.
|
|
Another problem is the number of keys needed.
|
|
<!-- inlineequation -->
|
|
If there are <emphasis>n</emphasis> people who need to communicate, then
|
|
<!-- inlineequation -->
|
|
<emphasis>n(n-1)/2</emphasis> keys
|
|
are needed for each pair of people to communicate privately.
|
|
This may be ok for a small number of people but quickly becomes unwieldly
|
|
for large groups of people.
|
|
</para>
|
|
|
|
<para>
|
|
Public-key ciphers were invented to avoid the key-exchange problem
|
|
entirely.
|
|
A public-key cipher uses a pair of keys for sending messages.
|
|
The two keys belong to the person receiving the message.
|
|
One key is a <emphasis>public key</emphasis> and may be given to anybody.
|
|
The other key is a <emphasis>private key</emphasis> and is kept
|
|
secret by the owner.
|
|
A sender encrypts a message using the public key and once encrypted,
|
|
only the private key may be used to decrypt it.
|
|
</para>
|
|
|
|
<para>
|
|
This protocol solves the key-exchange problem inherent with symmetric
|
|
ciphers.
|
|
There is no need for the sender and receiver to agree
|
|
upon a key.
|
|
All that is required is that some time before secret communication the
|
|
sender gets a copy of the receiver's public key.
|
|
Furthermore, the one public key can be used by anybody wishing to
|
|
communicate with the receiver.
|
|
<!-- inlineequation -->
|
|
So only <emphasis>n</emphasis> keypairs are needed for <emphasis>n</emphasis>
|
|
people to communicate secretly
|
|
with one another,
|
|
</para>
|
|
|
|
<para>
|
|
Public-key ciphers are based on one-way trapdoor functions.
|
|
A one-way function is a function that is easy to compute,
|
|
but the inverse is hard to compute.
|
|
For example, it is easy to multiply two prime numbers together to get
|
|
a composite, but it is difficult to factor a composite into its prime
|
|
components.a
|
|
A one-way trapdoor function is similar, but it has a trapdoor.
|
|
That is, if some piece of information is known, it becomes easy
|
|
to compute the inverse.
|
|
For example, if you have a number made of two prime factors, then knowing
|
|
one of the factors makes it easy to compute the second.
|
|
Given a public-key cipher based on prime factorization, the public
|
|
key contains a composite number made from two large prime factors, and
|
|
the encryption algorithm uses that composite to encrypt the
|
|
message.
|
|
The algorithm to decrypt the message requires knowing the prime factors,
|
|
so decryption is easy if you have the private key containing one of the
|
|
factors but extremely difficult if you do not have it.
|
|
</para>
|
|
|
|
<para>
|
|
As with good symmetric ciphers, with a good public-key cipher all of the
|
|
security rests with the key.
|
|
Therefore, key size is a measure of the system's security, but
|
|
one cannot compare the size of a symmetric cipher key and a public-key
|
|
cipher key as a measure of their relative security.
|
|
In a brute-force attack on a symmetric cipher with a key size of 80 bits,
|
|
<!-- inlineequation -->
|
|
the attacker must enumerate up to 2<superscript>81</superscript>-1 keys to
|
|
find the right key.
|
|
In a brute-force attack on a public-key cipher with a key size of 512 bits,
|
|
the attacker must factor a composite number encoded in 512 bits (up to
|
|
155 decimal digits).
|
|
The workload for the attacker is fundamentally different depending on
|
|
the cipher he is attacking.
|
|
While 128 bits is sufficient for symmetric ciphers, given today's factoring
|
|
technology public keys with 1024 bits are recommended for most purposes.
|
|
</para>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>
|
|
Hybrid ciphers
|
|
</title>
|
|
|
|
<para>
|
|
Public-key ciphers are no panacea.
|
|
Many symmetric ciphers are stronger from a security standpoint,
|
|
and public-key encryption and decryption are more expensive than the
|
|
corresponding operations in symmetric systems.
|
|
Public-key ciphers are nevertheless an effective tool for distributing
|
|
symmetric cipher keys, and that is how they are used in hybrid cipher
|
|
systems.
|
|
</para>
|
|
|
|
<para>
|
|
A hybrid cipher uses both a symmetric cipher and a public-key cipher.
|
|
It works by using a public-key cipher to share a key for the symmetric
|
|
cipher.
|
|
The actual message being sent is then encrypted using the key and sent
|
|
to the recipient.
|
|
Since symmetric key sharing is secure, the symmetric key used is different
|
|
for each message sent.
|
|
Hence it is sometimes called a session key.
|
|
</para>
|
|
|
|
<para>
|
|
Both PGP and &gnupg; use hybrid ciphers.
|
|
The session key, encrypted using the public-key cipher, and the message
|
|
being sent, encrypted with the symmetric cipher, are automatically
|
|
combined in one package.
|
|
The recipient uses his private-key to decrypt the session key and the
|
|
session key is then used to decrypt the message.
|
|
</para>
|
|
|
|
<para>
|
|
A hybrid cipher is no stronger than the public-key cipher or symmetric
|
|
cipher it uses, whichever is weaker.
|
|
In PGP and &gnupg;, the public-key cipher is probably the weaker of
|
|
the pair.
|
|
Fortunately, however, if an attacker could decrypt a session key it
|
|
would only be useful for reading the one message encrypted with that
|
|
session key.
|
|
The attacker would have to start over and decrypt another session
|
|
key in order to read any other message.
|
|
</para>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>
|
|
Digital signatures
|
|
</title>
|
|
|
|
<para>
|
|
A hash function is a many-to-one function that maps its input to a
|
|
value in a finite set.
|
|
Typically this set is a range of natural numbers.
|
|
<!-- inlineequation -->
|
|
A simple ehash function is <emphasis>f</emphasis>(<emphasis>x</emphasis>) = 0
|
|
for all integers <emphasis>x</emphasis>.
|
|
A more interesting hash function is
|
|
<emphasis>f</emphasis>(<emphasis>x</emphasis>) = <emphasis>x</emphasis>
|
|
<emphasis>mod</emphasis> 37, which
|
|
maps <emphasis>x</emphasis> to the remainder of dividing <emphasis>x</emphasis> by 37.
|
|
</para>
|
|
|
|
<para>
|
|
A document's digital signature is the result of applying a hash
|
|
function to the document.
|
|
To be useful, however, the hash function needs to satisfy two
|
|
important properties.
|
|
First, it should be hard to find two documents that hash to the
|
|
same value.
|
|
Second, given a hash value it should be hard to recover the document
|
|
that produced that value.
|
|
</para>
|
|
|
|
<para>
|
|
Some public-key ciphers<footnote><para>
|
|
The cipher must have the property that the actual public key or private
|
|
key could be used by the encryption algorithm as the public key.
|
|
RSA is an example of such an algorithm while ElGamal is not an example.
|
|
</para>
|
|
</footnote> could be used to sign documents.
|
|
The signer encrypts the document with his <emphasis>private</emphasis> key.
|
|
Anybody wishing to check the signature and see the document simply
|
|
uses the signer's public key to decrypt the document.
|
|
This algorithm does satisfy the two properties needed from a good hash
|
|
function, but in practice, this algorithm is too slow to be useful.
|
|
</para>
|
|
|
|
<para>
|
|
An alternative is to use hash functions designed to satisfy these
|
|
two important properties.
|
|
SHA and MD5 are examples of such algorithms.
|
|
Using such an algorithm, a document is signed by hashing it, and
|
|
the hash value is the signature.
|
|
Another person can check the signature by also hashing their copy of the
|
|
document and comparing the hash value they get with the hash value of
|
|
the original document.
|
|
If they match, it is almost certain that the documents are identical.
|
|
</para>
|
|
|
|
<para>
|
|
Of course, the problem now is using a hash function for digital
|
|
signatures without permitting an attacker to interfere with signature
|
|
checking.
|
|
If the document and signature are sent unencrypted, an attacker could
|
|
modify the document and generate a corresponding signature without the
|
|
recipient's knowledge.
|
|
If only the document is encrypted, an attacker could tamper with the
|
|
signature and cause a signature check to fail.
|
|
A third option is to use a hybrid public-key encryption to encrypt both
|
|
the signature and document.
|
|
The signer uses his private key, and anybody can use his public key
|
|
to check the signature and document.
|
|
This sounds good but is actually nonsense.
|
|
If this algorithm truly secured the document it would also
|
|
secure it from tampering and there would be no need for the signature.
|
|
The more serious problem, however, is that this does not protect either
|
|
the signature or document from tampering.
|
|
With this algorithm, only the session key for the symmetric cipher
|
|
is encrypted using the signer's private key.
|
|
Anybody can use the public key to recover the session key.
|
|
Therefore, it is straightforward for an attacker to recover the session
|
|
key and use it to encrypt substitute documents and signatures to send
|
|
to others in the sender's name.
|
|
</para>
|
|
|
|
<para>
|
|
An algorithm that does work is to use a public key algorithm to
|
|
encrypt only the signature.
|
|
In particular, the hash value is encrypted using the signer's private
|
|
key, and anbody can check the signature using the public key.
|
|
The signed document can be sent using any other encryption algorithm
|
|
including none if it is a public document.
|
|
If the document is modified the signature check will fail, but this
|
|
is precisely what the signature check is supposed to catch.
|
|
The Digital Signature Standard (DSA) is a public key signature
|
|
algorithm that works as just described.
|
|
DSA is the primary signing algorithm used in &Gnupg;.
|
|
</para>
|
|
|
|
</sect1>
|
|
</chapter>
|
|
|