## Designing a Cryptographic Solution

### Introducing Cryptographic Services

To understand cryptographic services, first you must understand the science of cryptology, which in essence is the making and breaking of secret codes. Cryptology can be broken into two distinct areas: cryptography and cryptanalysis. Cryptography is the development and use of codes. Cryptanalysis is all about the breaking of these codes. This section explores these two disciplines to give you a better understanding of cryptographic services as a whole.

#### Understanding Cryptology

Because cryptography is made up of two halves—the creation of codes and the attempted breaking of those codes—a natural give-and-take relationship is at play. Therefore, it is only natural that at times one side will be ahead of the other.

History offers an excellent example of this during the Hundred Years War between France and England. At that time, the cryptanalysts were ahead of the cryptographers. France believed that the Vigenère cipher was unbreakable. The British, however, cracked the code and broke it.

In another historical example, many historians now believe that the outcome of World War II largely turned on the fact that the winning side on both fronts was much more successful than the other at cracking the encryption of its enemy.

Given these examples, you might wonder who presently has the edge in this game of give and take. For the time being, conventional wisdom within the cryptology community holds that cryptographers currently have the edge. Of course, this can, and likely will, change some day.

So exactly how do we make such judgments about who is ahead or what code is unbreakable? In fact, in cryptography, it truly is impossible to prove that any given algorithm is “secure.” The best that can be accomplished is to show that the algorithm is not

vulnerable to any known cryptanalytic attacks. This limits our certainty to an extent, because there may be methods that have been developed but as of yet are unknown, that could crack the algorithm. The one exception to this rule is a brute-force attack.

All algorithms are vulnerable to brute force. It is simply in the nature of the attack. In other words, if every possible key is tried, one of them will surely work. The issue is time.

Depending on the complexity of the algorithm, a brute-force attack could take an inordinate amount of time to ultimately succeed. But no algorithm is truly unbreakable.

** Cryptography Through the Ages
**Cryptography has a long and storied past, dating back to the courts of kings, who would use early encryption to secure messages sent to other courts. Even these early times involved a degree of intrigue, because some of the courts involved would attempt to steal any message sent to an opposing kingdom.

From the courts of kings to the tools of military commanders, encryption was quickly adopted as a means of securing communications. Because messengers sometimes were killed as they transported critical military messages, encryption was seen as an indispensable means of securing these communications even if they fell into enemy hands.

Even dating back to the days of Julius Caesar, encryption was used to secure communications. Caesar’s simple substitution cipher was used on the battlefield to quickly encrypt messages to his commanders. Thomas Jefferson even invented an encryption system that many historians believe he used while serving as Secretary of State from 1790 to 1793.

One of the great advances in encryption came with a machine invented by Arthur Scherbius in 1918. This machine served as a template for the systems used by each of the major participants in World War II. Scherbius called his machine the Enigma and sold it to Germany. When speaking about the security of his machine, he estimated that if 1000 cryptanalysts tested four keys per minute, all day, every day, it would take 1.8 billion years to try them all.

Throughout World War II, both the Germans and the Allies created machines modeled on the Scherbius machine. Arguably, these were the most sophisticated encryption devices ever developed. To defend against this level of encryption, the British created what most call the world’s first computer, the Colossus. The Colossus was then used to break the encryption that was used by Germany’s Enigma.

** The Substitution Cipher
**Put simply, a cipher is an algorithm for performing encryption and decryption. Typically, ciphers represent a series of well-defined steps that you can follow as a procedure. With a substitution cipher, one letter is substituted for another to encrypt a message. Substitution ciphers vary in complexity, but in their simplest form, the letter frequency of the original message is retained when character substitution is done.

As mentioned, Julius Caesar made use of a simple substitution cipher on ancient battlefields. During these times, each day would have a different key, and that key would be used to adjust the alphabet accordingly. Let’s look at an example.

Let’s say that the key for today is 10. In this case the letter to be substituted for A is the character in the alphabet that is ten spaces forward. In other words, to represent an A, we would substitute a K. If we follow this through the alphabet, a B would be an L, a C would be an M, and so on. To keep the nature of the substitution secret, each day the key might move a random number of places, and the process would begin again.

One of the shortcomings of this simple cipher is its vulnerability to frequency analysis. Let’s say that a message has 15 occurrences of the letter B, and B is to be replaced by L. This would mean that although we are substituting the character, there would still be 15 occurrences of the letter L. So if a message were long enough, it would be vulnerable to frequency analysis. This is because the message would retain the frequency patterns found in the language even though the characters might be different.

Analysts trying to crack this cipher might look at the natural occurrence pattern for each letter in the English language. They could then use this to compare the frequency of a certain letter in the encrypted text. For instance, if the letter S appears in 20 percent of all English words, and the letter X appears in 20 percent of all the words that have been encrypted, analysts might conclude that for this cipher, X equals S. To defend against this core weakness of the substitution cipher, polyalphabetic ciphers were invented.

**The Vigenere Cipher
**Polyalphabetic ciphers were invented to make up for the shortcomings of the substitution cipher. The Vigenère cipher is an excellent example of this kind of cipher. It encrypts text through the use of a series of different Caesar ciphers based on the letters of a particular keyword. Although this is a simple form of polyalphabetic substitution, it still proves invulnerable to frequency analysis.

This form of encryption dates back to a book written in 1553 by Giovan Batista Belaso, although the name of this cipher came from Blaise de Vigenère, a French cryptographer. He was mistakenly credited with its invention, and to this day it carries his name.

Let’s take a look at how we might use this cipher to encrypt a message. We begin with a key of SECRET. This key is then used to encode the message X MARKS THE SPOT. We encode the X by looking at the row starting with S for the letter in the X column. In this case, the X is replaced with P. Next we look for the row that begins with E for the letter M. This results in Q as our second character. To encode the full phrase, we would simply map the characters by row and column and continue our substitution.

**Transposition Ciphers
**If you have ever seen the beginning of the movie Sneakers, as the letters on-screen scramble to then become the correct words, you have a slight feel for a transposition cipher. In these ciphers, no letters are replaced; they are just rearranged. A simple form of this might take a phrase like THE QUICK BROWN FOX and simply transpose the letters so that it becomes XOFNWORBKCIUQEHT.

The Rail Fence Cipher is another kind of transposition cipher in which the words are spelled out as if they were a rail fence. The following example uses a key of three to illustrate how this could be done:

T…U…B…N…J…E…E…E…Y..

.H.Q.I.K.R.W.F.X.U.P.D.V.R.H.L.Z.D.G.

..E…C…O…O…M…O…T…A…O

To read this message, we need to follow the diagonal pattern along the rail fence. Using this form of encoding, the message THE QUICK BROWN FOX JUMPED OVER THE LAZY DOG would be encoded as TUBNJEEEYHQIKRWFXUPDVRHLZDGECOOMOTAO. Much like the earlier example, no letters have been changed; rather, they have merely been transposed.

#### Working with the One-Time Pad

The one-time pad has been around for more than 90 years. It was invented and patented in 1917 by Gilbert Vernam of AT&T. The idea behind the one-time pad was to have a stream cipher that would apply the exclusive OR (XOR) operation to plain text with a key. Vernam’s idea was enhanced with a contribution from Joseph Maubourgne, a captain in the U.S. Army Signal Corps, who suggested the use of random data as a key.

The one-time pad represents such a significant contribution to cryptography that the NS has called this patent “perhaps the most important in the history of cryptography.” However, using this significant idea in a real-world application has a number of difficulties.

One of the more significant challenges is creating random data. On the surface, this sounds simple enough. However, because computers have a mathematical foundation, they cannot create random data. Another significant issue is that should a key be used more than once, it can easily be broken. Adding to these issues, key distribution can also be quite challenging.

One example in which the Vernam cipher has been successfully used is in RC4, which is widely used across the Internet. However, this is not a true one-time pad, because the key used is not random.

**The Encryption Process
**Uses of encryption are all around us, from secured online purchases to transferring data through a VPN connection. When encryption is used, some form of plain, readable text is converted to ciphertext. Ciphertext represents this text in an unreadable form, whereas decryption is the process of reversing this process. The goal of encryption is to guarantee the confidentiality of data so that only those who have authorization may read the original message. Figure 12-1 shows plain text being transformed into ciphertext.

With the various older encryption algorithms we have examined, the key to their success was the secrecy of the algorithm. Today, reverse engineering is often quite simple, making this secrecy less important. Therefore, public-domain algorithms are often used. With these algorithms, successful decryption requires knowledge of the appropriate cryptographic keys. In other words, there has been a shift from the importance of the algorithm’s secrecy to ensuring the secrecy of the keys.

Encryption is used to provide confidentiality in terms of the Open Systems Interconnection (OSI) layers in these ways:

- At the application layer, data encryption is used for secure e-mail, secure database sessions (Oracle SQL*net), and secure messaging (Lotus Notes sessions).
- At the session layer, data is encrypted using a protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS).
- At the network layer, data is encrypted using protocols such as those that make up the IPsec protocol suite.

**Cryptanalysis
**When we seek to break encoded data, this undertaking is called cryptanalysis. An attacker who is attempting to break an algorithm or encrypted ciphertext may use one of a variety of attacks:

- Chosen plain-text attack
- Chosen ciphertext attack
- Birthday attack
- Meet-in-the-middle attack
- Brute-force attack
- Ciphertext-only attack
- Known plain-text (the usual brute-force) attack

Table 12-2 describes these attack types to help you understand their usage as a form of cryptanalysis.

#### Understanding the Features of Encryption Algorithms

Good encryption algorithms have several benefits:

- They are resistant to cryptographic attacks.
- They support variable and long key lengths and scalability.
- They create an avalanche effect.
- They have no export or import restrictions.

When an attacker sets out to penetrate data protected by a cryptographic algorithm, the best way to do so is to try to decrypt the data using all the possible keys. Of course, the time required to undertake such an attack is determined by the number of possible keys. In practical terms, this process could take quite a long time. In fact, when appropriately long keys are used, this form of attack generally is infeasible.

A couple of other desirable attributes of a good cryptographic algorithm are variable key lengths and scalability. It stands to reason that the longer the key used for encryption, the longer it will take for an attacker to break it. Having the scalability provided by flexible key lengths lets you select the strength and speed of encryption that you need. Let’s compare a couple of possible key lengths.

If we were to use a 16-bit key (nowhere near the strongest possible), there would be 65,536 possible keys. This may sound like a large number of keys, but consider that a 56-bit key would yield 7.2 * 1016 possible keys. As you can see, variable key lengths can provide an ever-increasing number of keys, creating ever-stronger levels of encryption.

Another desirable attribute is called the avalanche effect. It says that changing only a few bits of a plain-text message causes its ciphertext to be completely different. An encryption algorithm that provides the avalanche effect makes it possible for messages that are quite similar to be sent over an untrusted medium, because the encrypted (ciphertext) messages remain completely different.

Export and import restrictions must also be carefully considered when you use encryption internationally. Certain countries prohibit the export of encryption algorithms or allow only the export of algorithms with smaller (more easily broken) keys. Other countries have strict regulations and restrictions governing the import of cryptographic algorithms. Before importing or exporting a cryptographic algorithm internationally, it is best to check with the governments involved to better understand their laws and regulations.

The U.S. has specific restrictions for the export of cryptographic algorithms, but in January 2000 these restrictions were substantially relaxed. At present, any cryptographic product

may be exported under a license exception unless the end users are governments outside the U.S. or are among those nations that have an embargo in place. To learn more about current practices for the import and export of cryptographic algorithms in the U.S., visit http:// www.commerce.gov.

### Symmetric and Asymmetric Encryption Algorithms

This section discusses both symmetric and asymmetric algorithms, noting their differences and uses. Most striking among these two widely used types of encryption algorithms is their differences in key usage. Whereas symmetric encryption algorithms use a single key for both encryption and decryption, asymmetric encryption algorithms employ two separate keys—one for encryption and the other for decryption. Other differences will also be discussed with regard to the algorithms’ speed and complexity.

#### Encryption Algorithms and Keys

Ciphers are two-part mathematical functions that encrypt and decrypt data. Exposure of the algorithm itself could compromise the security of the encryption system if it is based on the algorithm’s secrecy. If this should happen, each party working with the algorithm must change it. However, this is a dated view of cryptography. In modern cryptography, all algorithms are public, and complex cryptographic keys are used to ensure the secrecy of the data. Cryptographic keys are created from sequences of bits that, together with the data that will be encrypted, are input into an encryption algorithm. Table 12-3 describes the two classes of encryption algorithms and details their use of keys.

#### Symmetric Encryption Algorithms

As shown in Table 12-3, symmetric encryption algorithms use the same key for both encryption and decryption. This means that both the sender and receiver must share the same secret key to transfer data securely. Figure 12-2 shows how symmetric encryption encrypts and decrypts data.

For a symmetric algorithm to be secure, the key itself must remain a secret. Should this key become available, anyone holding it could encrypt and decrypt messages. Because of this need for security, symmetric encryption is frequently called secret-key encryption.

Symmetric encryption represents the more traditional form of cryptography. It uses key lengths ranging from 40 to 256 bits. A number of well-known symmetric encryption algorithms exist. Table 12-4 details some of these, along with their key sizes.

Symmetric encryption cryptography uses a number of different techniques. The most common are

- Block ciphers
- Stream ciphers
- Message Authentication Codes (MAC)

Symmetric algorithms generally are quite fast and therefore are a frequent choice to provide wire-speed encryption in data networks. Because symmetric algorithms are based on lesscomplex mathematical operations, they can be readily accelerated through the use of hardware. Due to their speed, symmetric algorithms may be used for bulk encryption when data privacy is required. One common example of their practical usage in this regard is to protect a VPN.

Despite the benefit of their speed, symmetric encryption algorithms do present a challenge with regard to key management. In particular, all parties involved in the communication must exchange the secret key over a secure channel before the encryption process can begin. This means that the security of any cryptographic system hinges on the ability of the key exchange method to protect the keys. Given this need, symmetric algorithms often are used to provide encryption services while additional key management algorithms are used to secure the key exchange.

#### Asymmetric Encryption Algorithms

Unlike symmetric algorithms, which use the same key for both encryption and decryption, asymmetric algorithms, often called public-key algorithms, use two different keys. One key is used for encryption, and the other is used for decryption. A central facet of this design is that the decryption key cannot feasibly be calculated from the encryption key, and vice versa. Figure 12-3 shows the encryption and decryption process using an asymmetric

#### encryption algorithm.

With asymmetric algorithms, key lengths generally range from 512 to 4096 bits. However, no direct comparison can be made between the key length of asymmetric and symmetric algorithms, because the underlying design of these algorithm classes is quite different. In terms of resistance to brute-force attacks, experts generally agree that an RSA encryption key of 2048 bits generally is equivalent in strength to an RC4 key of only 128 bits.

One downside of symmetric algorithms is that they can be up to 1000 times slower than symmetric algorithms. This is because their design is based on complex mathematical calculations. Often these designs employ such things as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.

Because of the issues with the speed of these algorithms, they generally are used in lowvolume cryptographic mechanisms. For instance, they might be employed in digital signatures or for key exchange. One noted benefit is that key management of these algorithms generally is less complex than for symmetric algorithms. This stems from the fact that typically one of the two keys, either the encryption or decryption key, may be made public.

### The Difference Between Block and Stream Ciphers

Both block and stream ciphers have their place in encryption algorithms as a mechanism for generating ciphertext from plain text. This section explores their basic differences and their uses in modern cryptography.

**Block Ciphers
**Block ciphers derive their name from the fact that they transform a fixed-length “block” of plain text into a “block” of ciphertext. These two blocks are of the same length. When the reverse transformation is applied to the ciphertext block, by using the same secret key, it is decrypted. Block ciphers use a fixed length or block size. Generally this is 128 bits, but they can range in size. For instance, DES has a block size of 64 bits.

The concept of block size determines how much data may be encrypted at a given time. This varies according to key length, because the key length refers to the size of the encryption key. To use the example from earlier, DES encrypts blocks in 64-bit chunks but does so using a 56-bit key length.

Because ciphertext must always be a multiple of the block size, the output data from a block cipher is larger than the input data. Block algorithms work with data one chunk at a time, such as 8 bytes, and then use padding to add artificial data (blanks) should there be less input data than one full block. Here are some of the more common block ciphers:

- DES and 3DES, running in Electronic Code Book (ECB) or Cipher Block Chaining (CBC) mode
- Skipjack
- Blowfish
- RSA
- AES
- IDEA
- Secure and Fast Encryption Routine (SAFER)

**Stream Ciphers
**Stream ciphers use smaller units of plain text than what are used with block ciphers; typically they work with bits. Transformation of these smaller plain-text units also varies, depending on when during the encryption process they are encountered. One of the great benefits of stream ciphers compared to block ciphers is that they are much faster and generally do not increase the message size. This is because they can encrypt an arbitrary number of bits.

Here are some common stream ciphers:

- RC4
- DES and 3DES, running in output feedback (OFB) or cipher feedback (CFB) mode
- Software Encryption Algorithm (SEAL)

### Exploring Symmetric Encryption

Encryption algorithms use encryption keys to provide confidentiality of encrypted data. With symmetric encryption algorithms, the same key is used to encrypt and decrypt data. This section explores the principles that underlie symmetric encryption. It also examines some of the major symmetric encryption algorithms and discusses the means by which they operate, their strengths, and their weaknesses.

#### Functionality of Symmetric Encryption Algorithms

Because of the simplicity of their mathematics and the speed at which they operate, symmetric algorithms are the most commonly used form of cryptography. Symmetric encryption algorithms are also stronger. Therefore, they can use shorter key lengths compared to asymmetric algorithms. This helps increase their speed of execution in software.

**Key Lengths
**Key lengths for current symmetric algorithms range from 40 to 256 bits, giving symmetric algorithms keyspaces that range from 240 (1,099,511,627,776) possible keys to 2256 (1.5 * 1077) possible keys. As discussed previously, a large key space is central to determining how vulnerable an algorithm will be to a brute-force attack. Figure 12-4 shows a symmetric algorithm with 2256 possible keys.

At the low end, a key length of 40 bits may be easily broken using a brute-force attack. On the other hand, if your key length is 256 bits, it is not likely that a brute-force attack will succeed. The keyspace generated with a 256-bit key is simply too large to easily fall victim to a brute-force attack.

Table 12-5 illustrates ongoing expectations for key lengths, assuming that the algorithms are mathematically and cryptographically sound. A further assumption in such calculations is that computing power will continue to keep pace with its present rate of growth and that capacity to perform brute-force attacks will also increase at the same rate. Note that if a method other than brute-force is discovered to crack a given algorithm, the key lengths in the table become obsolete.

#### Features and Functions of DES

One of the most well-known and most widely used symmetric encryption algorithms is Data Encryption Standard (DES). DES typically operates in block mode, where it encrypts data in 64-bit blocks. Like other symmetric algorithms, DES uses the same algorithm and key for both encryption and decryption. DES has stood the test of time. Cryptography researchers have scrutinized it for nearly 35 years and so far have found no significant flaws. Adding to its appeal, because DES is based on relatively simple mathematical functions, it may be easily implemented and accelerated in hardware.

**Working with the DES Key
**DES employs a fixed key length of 64 bits, but only 56 of these bits are used for encryption; the other 8 bits are used for parity.

The least-significant bit of each key byte indicates odd parity.

This means that each DES key is always 56 bits long. If DES is used with a weaker encryption, such as a 40-bit key, this means that the encryption key is 40 secret bits and 16 known bits, so the key length remains at 56 bits. In this case, however, DES would have a key strength of only 40 bits.

**Modes of Operation for DES
**DES uses two different types of ciphers to encrypt or decrypt more than 64 bits of data— the block cipher and the stream cipher.

- Block ciphers use fixed-length groups of bits known as blocks, with an unvarying transformation.
- Stream ciphers operate on individual digits one at a time, with the transformation varying during the encryption.

For block cipher mode, DES uses two standardized modes: - Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)

ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block. Should two identical plain-text blocks be encrypted using the same key, their ciphertext blocks are the same. This means that an attacker could identify similar or identical traffic as it flows across a communications channel. The attacker could use this information to help build a catalogue of messages that have a certain meaning, and then replay them later, without knowing their real meaning. For instance, suppose an attacker captures a login sequence for a user who has administrative privilege and whose traffic is protected by DES-ECB, and then replays it. This sort of risk must be mitigated, and that is why CBC was invented.

With CBC mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block. It is then encrypted using the DES key. This means that the encryption of each block depends on previous blocks, and encryption of the same 64-bit plain-text block can result in different ciphertext blocks. Thanks to this, CBC mode can help guard against certain attacks. Of course, it cannot help guard against sophisticated cryptanalysis or if an attacker launches an extended brute-force attack.

Cisco IP Security (IPsec) implementation currently uses DES and Triple Data Encryption Standard (3DES) in CBC mode.

**Working with DES Stream Cipher Modes
**When working with DES in stream cipher mode, the cipher uses previous ciphertext along with the secret key to generate a pseudorandom stream of bits. This may only be generated by the secret key.

To encrypt data, it is XORed with the pseudorandom stream on a bit-by-bit basis. Alternatively, this may be done byte by byte to obtain the ciphertext. To decrypt the data, the process is the same. The receiver uses the secret key to generate the same random stream and then XORs the ciphertext with the pseudorandom stream to gain access to the plain text.

If it is necessary to encrypt or decrypt more than 64 bits of data, two common stream cipher modes may be used:

- Cipher feedback (CFB) is similar to CBC. It may be used to encrypt any number of bits, even single bits or single characters.
- Output feedback (OFB) generates keystream blocks that are then XORed with the plain-text blocks to generate the ciphertext.

#### Usage Guidelines for Working with DES

You should consider a number of things when seeking to protect the security of DESencrypted data, as described in Table 12-6.

#### Understanding How 3DES Works

As mentioned, DES, with its original 56-bit key, is too short to withstand even mediumbudget attackers. One means of increasing the security of DES without changing the wellanalyzed algorithm itself is to use the same algorithm but with different keys multiple times in a row. In essence, that is what 3DES does.

By applying DES three times in a row to a plain-text block, we have what is known as 3DES. This application of DES three times with different keys makes brute-force attacks on 3DES infeasible. This stems from the fact that the basic algorithm has stood the test of time, weathering 35 years in the field and proving quite trustworthy.

#### Encrypting with 3DES

To encrypt plain text, 3DES uses a method called 3DES-encrypt-decrypt-encrypt (3DESEDE). Figure 12-6 shows the 3DES-EDE encryption process, described in the following

steps:

**Step 1** The message to be secured is encrypted using the first 56-bit key (K1).

**Step 2** Data is decrypted using the second 56-bit key (K2).

**Step 3** Data to be secured is again encrypted using a third 56-bit key (K3).

By applying the keys as it does, the 3DES-EDE process provides encryption with an effective key length of 168 bits. Should keys K1 and K3 be equal, a less-secure encryption of 112 bits is achieved.

To decrypt a message that has been encrypted with this process, the following steps, which are the opposite of the 3DES-EDE method, are used:

**Step 1** Use key K3 to decrypt the ciphertext.

**Step 2** Use key K2 to encrypt the data.

**Step 3** Use key K1 to decrypt the data.

Simply encrypting data three times with three different keys does not significantly increase security. To achieve security, the 3DES-EDE method must be employed. In fact, if we were

to simply encrypt data three times in a row using three different 56-bit keys, we would generate an effective 58-bit key strength, rather than the full 168-bit key strength we achieve by using 3DES-EDE.

#### AES

Although DES has withstood the test of time, it has been recognized for some time that DES would eventually reach the end of its usefulness. The Advanced Encryption Standard (AES) initiative was announced in 1997. The public was invited to propose candidate encryption schemes to be evaluated as the encryption standard to replace DES.

#### The Rijndael Cipher

The Rijndael cipher was selected as the AES algorithm in October 2000 by the U.S. National Institute of Standards and Technology (NIST). In 2002 the U.S. Secretary of Commerce approved the adoption of AES as an official U.S. government standard. Joan Daemen and Vincent Rijmen developed the Rijndael cipher, which employs a variable block length and key length. The algorithm provides nine different combinations of key length and block length. Keys with a length of 128, 192, or 256 bits may be used to encrypt blocks with a length of 128, 192, or 256 bits.

The Rijndael cipher is an iterated block cipher. In this cipher the initial input block and cipher key undergo multiple transformation cycles before producing output. This algorithm can operate over variable-length blocks using variable-length keys. Currently, the AES implementation of Rijndael contains only some of the capabilities of the Rijndael algorithm. One of the key features of this algorithm is that it is written so that the block length or the key length (or both) may be extended easily in multiples of 32 bits. This system was designed for efficient implementation in either hardware or software on a range of processors.

#### Comparing AES and 3DES

The key length of AES is much stronger than that of DES, and AES runs much faster than 3DES on comparable hardware. With these features, AES was chosen to replace DES and 3DES. AES is also better suited for high-throughput, low-latency environments. This is especially true when pure software encryption is used.

In terms of longevity, AES is a relatively young algorithm. As mentioned previously, a more mature algorithm is always more trusted. That being the case, 3DES represents a more conservative yet more trusted choice in terms of strength, because it has been analyzed for nearly 35 years.

#### Availability of AES in the Cisco Product Line

Cisco offers AES implementation in a number of virtual private network (VPN) devices as an encryption transform, applied to IPsec-protected traffic:

- Cisco PIX Firewall Software version 6.3 and later
- Cisco ASA Software version 7.0 and later
- Cisco VPN 3000 Software version 3.6 and later
- Cisco IOS Release 12.2(13)T and later

#### SEAL

For those seeking an alternative algorithm to software-based DES, 3DES, and AES, SEAL encryption uses a 160-bit encryption key. SEAL also offers the benefit of having less impact on the CPU compared to other software-based algorithms. Cisco IOS IPsec implementations feature SEAL encryption and provide support for the SEAL algorithm.

The Cisco IOS software Release 12.3(7)T also added support for SEAL.

#### SEAL Restrictions

SEAL is bound by several restrictions:

- IPsec must be supported by your Cisco router and the other peer.
- The k9 subsystem must be supported by your Cisco router and the other peer.
- Only Cisco equipment supports this feature.

A further restriction is that your router and the other peer must not have hardware IPsec encryption.

#### The Rivest Ciphers

Many networking applications employ the Rivest cipher (RC) family of algorithms. This is because of their favorable speed and variable key-length capabilities. Ronald Rivest played a significant role in designing all or at least part of all the RC algorithms. Table 12-7 describes some of the most widely used RC algorithms.

Of the various RC algorithms listed in Table 12-7, the most popular is RC4. RC4 represents a variable key-size stream cipher that employs byte-oriented operations and is based on the use of a random permutation. Via analysis, it has been determined that the period of the cipher is quite large, likely greater than 10100. To give you a better sense of this, each output byte requires from eight to 16 machine operations and can be expected to run very quickly in software.

RC4 is considered a secure algorithm and as such is often used for file encryption. It is also used frequently to encrypt website traffic within the context of the SSL protocol.

### Understanding Security Algorithms

It is almost hard to imagine modern computing and networking without also thinking about the mechanisms that provide for the underlying security of the data that resides on these systems or travels across the wire. Security algorithms are central to securing the data created within an organization, as well as securing it in transit. This section examines the characteristics of the encryption process and what makes for a strong, trustworthy encryption algorithm. This section also explores the use of cryptographic hashes and how key management plays an important role in securing the encryption process.

#### Selecting an Encryption Algorithm

Proper selection of an encryption algorithm is one of the key steps in building a cryptography-based solution. With this selection process, two main criteria should be considered. Table 12-8 details these selection criteria for your consideration.

The following symmetric encryption algorithms are considered trustworthy:

- DES
- 3DES
- IDEA
- RC4
- AES

Each of these algorithms has its place. For instance, because it uses very short key lengths, DES is a good protocol to protect data for a very short period of time. If you need to protect data with an algorithm that is very trusted and has much greater security strength, 3DES would be a much better choice.

AES, although not proven to the degree that 3DES has been, is still a good choice, because it is more efficient. This makes it ideal in high-throughput, low-latency environments. This is particularly the case when 3DES cannot handle the throughput or latency requirements.

Over time, AES will likely gain even greater trust as more attacks are attempted against it. Symmetric encryption algorithms such as RSA and Diffie-Hellman (DH) are considered trustworthy for confidentiality. But many others, like ECC, generally are considered immature in cryptographic terms.

#### Understanding Cryptographic Hashes

Hashing is used to provide data integrity. Hashes are based on one-way mathematical functions. These can be easy to compute but extremely challenging to reverse. The process of hashing and the difficulty of reversing the hash is akin to scrambling an egg and then trying to put it back together again.

#### Working with Hashing

The way that hashing works in practice is that data of arbitrary length is input into the hash function and then is processed through the function, resulting in a fixed-length hash. The resultant fixed-length hash is called a digest or fingerprint. Figure 12-7 shows the hashing process.

If you are familiar with the calculation of cyclic redundancy check (CRC) checksums, hashes are quite similar to this but are cryptographically much stronger. If you’re not too familiar with CRC, if you have the CRC value, it is relatively easy to generate data with the same CRC. Because of the strength of hash functions, it is computationally infeasible for an attacker to possess two separate sets of data that would come up with the same fingerprint.

#### Designing Key Management

One of the most challenging aspects of designing a cryptosystem is planning for key management. In fact, cryptosystem failures have occurred because of shortcomings in key management. Each of the current cryptographic algorithms requires the services of key management procedures, making this an extremely important area to consider. For an attacker, the general target when seeking to attack a cryptographic system is the key management system, rather than the algorithm itself.

#### Components of Key Management

When considering key management, you must consider several components that address the life cycle of key management from generation to destruction:

- Key generation
- Key verification
- Key storage
- Key exchange
- Key revocation and destruction

Modern cryptographic systems generate keys automatically, rather than leaving it to the end user. To help ensure that all keys are likely to be equally generated, so that the attacker cannot predict which keys are likely to be used, quality random-number generators are necessary. It is not uncommon for a cryptographic algorithm to have some weak keys that should not be used. Proper key verification procedures should be used to regenerate these keys when they occur.

Key storage is another factor that must be considered. With today’s modern multiuser operating systems that work with cryptography, a key can be stored in memory. When memory is swapped to the disk, it presents a possible problem, because a Trojan horse program, if installed on the PC, could then gain access to that user’s private keys.

A secure key exchange mechanism is also necessary. It should allow secure agreement on the keying material with the other party, likely over an untrusted medium.

The final element of good key management to consider is key revocation and destruction. The process of key revocation notifies all the parties involved that a given key has been compromised and should not be used. Key destruction goes beyond this by erasing old keys so that a malicious attacker cannot recover them.

#### Understanding Keyspaces

The keyspace of an algorithm represents a defined set of all possible key values. For each key of n bits, a keyspace is produced that has 2n possible key values. This means that adding 1 bit to the key would effectively double the size of the keyspace.

Let’s look at DES by way of an example. DES employs a 56-bit key and with this produces a keyspace of more than 72,000,000,000,000,000 (256) potential keys. If we were to add 1 bit to the key length, the keyspace would double. That means that an attacker would need twice as much time to search the keyspace.

No algorithm is without some weak keys in its keyspace, as discussed previously. These weak keys may enable an attacker to break the encryption via a shortcut. So what exactly constitutes a weak key?

A key is said to be weak when it shows regularities in encryption or poor encryption. A good example is DES. DES has four keys for which encryption is exactly the same as decryption. Should one of these weak keys be encrypted twice, the original plain text would be recovered.

The chance that such keys would be chosen is almost unimaginable. However, each implementation should still verify all keys and take steps to prevent weak keys from being used. This is particularly the case with manual key generation, so you should take special care to avoid defining weak keys.

#### Issues Related to Key Length

As we have discussed, the only way to break a proven cryptographic system is with a bruteforce attack. These attacks search the entire keyspace, trying all possible keys, until the key that decrypts the data is found. To defend against this form of attack, the keyspace must be sufficiently large enough that such a search would require an enormous amount of time, rendering this form of attack impractical.

Even for successful brute-force attacks, generally an attacker has to search half the keyspace to find the correct key. Of course, the time required for such a search depends on the computer resources available to the attacker. With key lengths of significant size, such an attack could take many millions, if not billions, of years to yield success.

The protection strength of modern trusted algorithms depends exclusively on the length of the key. You should select a key length so that it protects data confidentiality or integrity for an adequate period of time. The more sensitive the data, and the longer the period required for secrecy, the longer the key that must be used.

When considering the level of protection required, you must also take into account the characteristics of those likely to attack your data. For instance, you must estimate the attacker’s resources and how long you must protect the data. For example, suppose a would-be attacker has $1 million of funding that can be used toward the attack, and the data must be protected for a period of no less than one year. What form

of encryption should we choose? Classic DES would not be a good choice, because it can be broken by a $1 million machine in only a couple of minutes. If instead we employed 168- bit 3DES or even 128-bit RC4, it would take that same attacker, funded with that same $1 million, a million years or more to crack into your data. Considering our attacker, his funding and our need for security are both important in selecting the proper key length.

Another issue impacting the choice of key length is performance. It is important to strive to balance speed and protection strength for the selected algorithm. Certain algorithms, such as RSA, take much longer to run with large key sizes. We should strive for adequate protection, without hindering communication over untrusted networks.

Finally, you also need to be aware that because of rapid advances in technology and cryptanalytic methods, what may be an adequate key size today may quickly no longer be appropriate. The National Institute of Standards and Technology (NIST) offers recommendations on adequate key lengths for various applications. You may review these on the NIST website at http://www.keylength.com/en/4/.

#### SSL VPNs

Security on the Internet for such applications as web browsing, e-mail, Internet faxing, instant messaging, and other forms of data transfer is provided by cryptographic protocols. Among the most popular choices to support these applications are Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL). Although there are subtle differences between SSL and TLS, the actual protocol remains quite similar.

Both SSL and TLS support a variety of cryptographic algorithms, or ciphers, to help provide such functions as authenticating the server and client to each other, transmitting certificates, and establishing session keys. For bulk encryption, symmetric algorithms are used. Asymmetric algorithms are used for authentication and key exchange. Hashing is used as part of the authentication process.

With an SSL-based VPN, you can easily provide remote-access connectivity from almost any Internet-enabled location. All that is needed is a standard web browser and its native SSL encryption. There is no need for special-purpose client software on the remote system.

This flexibility allows SSL VPNs to provide “anywhere” connectivity from corporate desktops, as well as from noncompany-managed desktops. Employees may use the SSLbased VPN to connect from home on their own PCs, contractor or business partner desktops can also be easily connected, and users can even connect via Internet kiosks. Through dynamic download, clients are supplied with all the software needed for application access across the SSL VPN connection. This feature dramatically minimizes the maintenance of desktop software.

If you need to support the remote resource needs of a diverse user base, SSL VPNs and IPsec VPNs provide complementary technologies that can be deployed together to meet these needs. Each of these VPN solutions offers access to virtually any network application or resource from a remote location. However, SSL VPNs do offer some additional features, allowing for easy connectivity from desktops outside your company’s management, as well as little or no desktop software maintenance, and user-customized web portals upon login.

#### Establishing an SSL Tunnel

Let’s examine the steps involved in establishing an SSL tunnel (see Figure 12-8):

**Step 1** The user makes an outbound connection to TCP port 443.

**Step 2** The router presents a digital certificate that contains a public key that is digitally signed by a trusted certificate authority (CA).

**Step 3** The user’s computer generates a shared-secret symmetric key that will be used by both parties.

**Step 4** The router’s public key is used to encrypt the shared secret and is transmitted to the router. The router’s software uses the private key to decrypt the packet. When this is complete, both parties in the session know the secret key.

**Step 5** The key encrypts the SSL session.

With the SSL tunnel established, two parties may securely transmit data. By using the mechanisms discussed here, you can effectively extend the reach of your corporate network, allowing users to easily and securely gain access to corporate resources from wherever they may be.