Summary

• you intend to establish confidentiality of communication with other people, in a way that prevents other people reading the message in plain text except of the intended addressee,
• you intend to guarantee the reliability of the source of information (authenticity), in a way that prevents someone masquerading as the author of a message actually having been created by somebody else (protection of intellectual property),
• you intend to guarantee the integrity of a message, in a way that a composed message cannot be changed accidentially or deliberately without this alteration being noticed.

There are two possible strategies to attack the security of the Pure Crypto Program:

• theoretical attacks

  which try to make use of the possible weakness of cryptographic methods used by PCP compromising PCP's reliability and security fundamentally, and

• practical attacks

  which try to exploit weaknesses of the practical use of PCP. These attacks intend to compromise the passphrase to gain access to the user's secret key or try to deceive other people by distributing faked public keys.

The asymmetric cipher RSA is used to enable persons to establish themselves as the only legitimate author or to ensure that only the intended person can read a message. Other crypto programs usually use a symmetric cipher and a randomly selected session key to ensure the confidentiality of a message because RSA is slow when long keys are being used to encrypt and decrypt relevant information. But a solution to the complexity-problem will make it necessary to reduce the number of different crypto-algorithms to a bare minimum, giving preference to the most concise and clear concepts available in the field. If one does not worry about performance, there is really no need for a symmetric cipher, which will burden the cryptosystem with a number of avoidable security weaknesses or risks only. Given a proper padding of the plaintext and sufficient key lengths, the public key cipher RSA can do all encryption with a simple, intuitive operation, modular exponentiation. Basically, RSA is used to link to a single person the ability to individually decrypt a message or to sign a document.

The second basic method which is put to use by PCP is the hash function SDLH, which relies on a similar clear and intuitive concept, so that the security of both methods are based on the same foundations. The main purpose of the hash function is to convert a very long text into a single number of a few hundred decimal digits which is used as a fingerprint to replace the long text in a digital signature.

One of the fundamental questions to be answered is of course:

Can you really be sure that only the legitimate recipient of your message is able to read it in plain text?

A satisfying answer will imply that one can be sure that someone who has really enormous computational powers will not be able to invert the encryption process in a reasonable time scale, i.e. that the clear text will remain unaccessible and secondly that only the person who is the intended addressee of the message has the necessary information to turn the encrypted message back into readable plain text.

Systems which use symmetric ciphers usually guarantee the first condition showing that a brute force attack on the session key is computationally infeasible, because of the large number of possible session keys that can be used. To estimate the amount of work we have to perform to find a session key by brute force it is helpful to realize the fact, that computers have limits and that there simply is not an endless source of improvement in the computational abilities of supercomputers.

An attacker will only be able to replace a crypted block by another one, if she can manage to keep the lower 256 bits inside the encrypted packet the same. Otherwise the hash-chain is broken and the decrypted material will disappear forever. But that would imply that she could fix the lower 256 bits (the CHALLENGE) of the new forged plaintext encrypted under the recipient's public key without knowing its value.

Chosen Cipertext-Attacks and Signatures

What Is a Fingerprint ?

Of course it is possible that some other text will accidentally produce the same hash value because even if the number of different hash values is very large, it is also limited. But such a collision could not be constructed intentionally because you have to try about 10⁷⁷ variations to find one. The one-way function does not give any clue for an appropriate choice of the forgery and the possibility to get the same hash value from any two different texts is almost close to zero (1/2²⁵⁶ or even less than 1/2¹⁰²⁴ for the hash values used in signatures).

The Birthday-Attack

How many people are required to make the possibility for two of them having their birthday on the same day reach 50 percent ? The wrong answer is: 365/2 = 182 people. Actually you only need 23 people which is far less than expected, and related to forging a digital signature, the forger can benefit from this situation considerably. If she does not intend to forge a certain existing document but rather confines herself to submit a document to the potential victim for signing and she has already found a forged document which hashes to the same fingerprint, forging someone's digital signature is possible, using such a "suitable pair of documents" (benign and malicious document). The number of pairs of documents she has to check until she will probably find one working pair is no longer 2256 (115 792 089 237 316 195 423 570 985 008 687 907 853 269 984 665 640 564 039 457 584 007 913 129 639 936), "but merely" 2128 (170 141 183 460 469 231 731 687 303 715 884 105 728), that is 1039 pairs of documents. Finding a working pair of documents still is "bloody lotta work", and way beyond today's computational abilities (see my argumentation concerning the brute-force attack) but anyway, it far less work than expected. Proof With N different documents (benign and malicious all in all) there are N(N-1)/2 pairs. Given that there are K = 2160 different hash values the probability of two different documents sharing the same hash value is 1/K. To be on the safe side one must try at least half of N2 pairs of documents, for if the probability for a collision should be 50 percent, 280 pairs of documents will be sufficient. (N2 * 1/K) / 2 = 0,5 N = sqrt(K) = 280. Among those 1 208 925 819 614 629 174 706 176 different pairs one will probably be suitable for forging a digital signature. It might be necessary to check slightly more than 280 documents, because of the fact that there are half malicious and half benign documents a matching pair can be within one of the groups which does not help to make a forgery. But since there are twice as many "cross-community" pairs than "single-community" pairs, 281 documents will provide a fair chance for a forgery.

Note that this is a calculation which would apply for a hash function like SHA-1 with 160 bit hash values. In PCP the hash values used in signatures are all longer than 1000 bits as shorter hash moduli are not accepted by PCP.

How it really works: Shamir Discrete Logarithm Hashfunction

The SDLH is based on a simple idea that once the message is converted into a long integer a hash of the message can be computed as follows: hash(x) = g x (mod p*q) given, that both p and q are large primes which are being kept secret so that factoring n = p*q is computationally infeasible. This hash function is provably collision-resistant, as Ronald L. Rivest showed in his posting to the cryptography discussion forum: Adi Shamir once proposed the following hash function: Let n = p*q be the product of two large primes, such that factoring n is believed to be infeasible. Let g be an element of maximum order in Z_n^* (i.e. an element of order lambda(n) = lcm(p-1,q-1)). Assume that n and g are fixed and public; p and q are secret. Let x be an input to be hashed, interpreted as a non-negative integer. (Of arbitrary length; this may be considerably larger than n.) Define hash(x) = g^x (mod n). Then this hash function is provably collision-resistant, since the ability to find a collision means that you have an x and an x' such that hash(x) = hash(x') which implies that x - x' = k * lambda(n) for some k. That is a collision implies that you can find a multiple of lambda(n). Being able to find a multiple of lambda(n) means that you can factor n. I would suggest this meets the specs of your query above. Cheers, Ron Rivest Ronald L. Rivest Room 324, 200 Technology Square, Cambridge MA 02139 Tel 617-253-5880, Fax 617-258-9738, Email <rivest@mit.edu> There are a number of issues to be addressed, especially when the SDLH is used together with the RSA signature scheme and a full analysis of the SDLH's security can be found in the paper "A Discrete Logarithm Hash Function for RSA Signatures". The analysis shows, that SDLH can safely be used together with RSA once certain conditions are met with regard to the selection of the user's key material. For details I like to refer to the paper about SDLH.

Looking at the Source Code: SDLH

################################################################ def SDLH(Message) : # # Calculates hash(x) = Generator^x mod HashModulus # # precomputing table for step (1) table = [] table.append(1L) index = 1 Number = 1L while index < 256 : Number = (Number * Generator) % HashModulus table.append(Number) index = index + 1 # process the message character by character Hash = 1 for Character in Message: A = table[ord(Character)] # step (1) B = Hash # step (2) index = 8 while index > 0 : B = (B * B) % HashModulus index = index - 1 Hash = (A * B) % HashModulus # step (3) return Hash ################################################################ def SDLH256(Message) : Hash256 = 0L X = SDLH(Message) Size = pow(2,256L) while X > 0 : Section = X % Size X = X / Size Hash256 = Hash256 ^ Section return Hash256

Although calculating a hash value would require a single call to the function ModExp() only the message has to be converted into a long integer first. This would slow down the hashing even more because every character will be processed twice, first during convertation and second during exponentiation. As the hash is already the slowest part of PCP the above code performs convertation and exponentiation simultaneously while the characters are being fed into the loop. A message M = c1 c2 c3 ... cn will be converted into a number by consecutive multiplications m = (...((( 0 + c1 ) * 256 + c2 ) * 256 + c3 ) * 256 + ... + cn) a modular exponentiation using this number as the exponent can be performed in a similar way g m = (...((( 1 * g c1 ) 256 * g c2 ) 256 * g c3 ) 256 * ... * g cn) cancelling out any multiples of the hash modulus as soon as they appear in the intermediate results. The process can be speeded up further by precalculating the 256 powers of g stored in a look-up table used inside the loop. Anyway one ModExp() operation per character makes hashing expensive but that is the price to be paid for a 1024 bit hash function which is collision-resistant and is based on an intuitive, clear and understandable concept. (If you don't believe me, look at the 400 lines of C code for SHA-1) Finally a 256 bit version is created by xoring all 256 bit pieces of the hash value beginning with the least significant bit.

For the creation of signatures the most important property of a hashfunction is its "collision-resistance", it must be practically impossible to create a different document deliberately that hashes to the same value, otherwise the hashfunction is compromised and can no longer be used for digital signatures. Please keep in mind that always there will be collisions for every hashfunction because the number of possible documents which can be an input of a hashfunction are digested into a fixed number of hash values, but those collisions which are inevitable cannot be created at will and therefore it is extremely unlikely but nevertheless possible that collisions can be found accidentially. Producing collisions is not a problem as long as it is an extremely unlikely event and it is unpredictable. But any chance to create a collision using a certain method would certainly be the death of the hashfunction. As we saw SDLH is provably collision-resistant but an adversary who is able to factor the hash modulus can compute phi(n) and can create collisions. These collisions will certainly not make much sense but to protect signatures made by PCP it is essential that factoring of the hash modulus must be infeasible for the lifetime of the signature.

But the same method suitable to protect your secret key cannot be used to encrypt a message that is meant to be sent to another person for practical reasons which are generally known and accepted. So the intuitive and secure one-time-pad method can be used locally only without the need to transfer the pad to another party.

Let me first describe in detail how the secret decryption value d is protected on your local computer system before I will discuss the reasons against the plan to engage this method as a general symmetric substitution for the RSA-encryption of plaintext.

The following two functions are used to prepare the secret key stored encrypted in the local filesystem for use by PCP:

Looking at the Source Code: Secret Key Decryption

def load_secretkey(): import os, sys global Decryption # makes secretkey available in Decryption if protected == "otp" : print EOL + "Your secret key is protected." +EOL print "Please enter your passphrase to unlock it." Flags = Mode = 0 try: CONSOLE = os.open(Console, Flags, Mode) PASS = "" if OS == "unix" : os.system("stty -F " + Console + " -echo") CHAR = os.read(CONSOLE, 1) while CHAR != EOL : PASS = PASS + CHAR CHAR = os.read(CONSOLE, 1) if OS == "unix" : os.system("stty -F " + Console + " echo") except: print "Cannot open console for reading." print "Your secretkey is unavailable!" sys.exit(3) Hash = hash256(PASS) print EOL + "Unlocking your secret key." Decryption = unlock_secretkey(Hash) # Burn sensitive information PASS = str(Modulus) Hash = Modulus else: print EOL + "Your secret key is not protected !" + EOL # check if secretkey works well with a challenge Number = 1893947706487L EncryptedNumber = 0L EncryptedNumber = ModExp(Number, Encryption, Modulus) Challenge = 0L Challenge = ModExp(EncryptedNumber, Decryption, Modulus) if Challenge == Number : print "Secret key is good." else : print "Error : Your secret key is unavailable." sys.exit(4)

def unlock_secretkey(H): import os, sys try : File = open(Home + "entropy", "r") Entropy = File.read()[:-1] File.close() # check if entropyfile is long enough if len(Entropy) < 1099999 : print "FATAL ERROR: There is not enough entropy", print " available!" print len(Entropy) sys.exit(4) except: print EOL + "Your entropy file is unavailable !" + EOL sys.exit(4) X = H IndexList = [] while X > 0 : Remainder = X % 1000000 X = X / 1000000 IndexList.append(Remainder) OTP = Modulus # Initial value of PAD for index in IndexList : PadString = Entropy[int(index) : int(index) + int(Block+1)] NewPad = StringToLong(PadString) print "*", OTP = OTP ^ NewPad print return Decryption ^ OTP # otp-method

If the secret key is protected as it usually should be, the user's passphrase string is read in from the console and then hashed into a 256 bit number using the secret key's modulus for hashing. To unlock the secret key the resulting number of 78 decimal digits is then split into 13 pieces consisting of 6 decimal digits each, providing 13 pointers into a file which consists of at least 1100000 bytes of truly random data. Each pointer provides a different sequence of random data with the length of the secret key's modulus. All 13 random sequences are then xored producing the one-time-pad that had originally been used to encrypt the secret decryption value which is finally xored with the protected decryption value to recover the secret key. But before the secret key is actually used it is checked if some challenge can be decrypted correctly after having been encrypted with the corresponding public key,

The sequence of random data is clearly used as a one-time-pad because it will never be reused to encrypt anything else but the secret key and if the hash function does not cluster, every possible pointer is equally likely, depending only on the passphrase used, which must contain as much entropy as the pointers.

Entropy measures the amount of uncertainty being included in a passphrase. The amount of entropy can be reduced drastically if you can be certain that the passphrase is taken from a dictionary comprising no more than say 130 000 different words. Even if the passphrase is hashed the entropy is not 2²⁵⁶ but merely 2¹⁷ due to the fact that only a few of all possible combinations of characters are being used as a passphrase. But once the user has selected a passphrase with enough entropy to recover the pad one has to recover all 13 pointers used, i.e. one has to guess the passphrase, if the hash is a one-way function.

A brute force attack on the secret key encryption would roughly require to check all possible combinations of 13 sequences out of a million, which is roughly proportional to enumerating all 256 bit hash values. Usually it seems much more rewarding to make assumptions on the passphrase and to try dictionary attacks instead of mounting a fully fledged brute force attack, hoping that the user has a weak passphrase. But if the passphrase has enough entropy the strength of this encryption scheme is almost 256 bit, provided that the entropy file is made out of truly random data, which is not an easy job to do.

I would like to stress that the quality of the entropy file is of utmost importance for the security of the secret key so that it is prudent to spend as much care as possible to select the 1100000 Bytes of the random pool using a truly random source of entropy and to protect this file along with the secret keyfile using the operation system's protection mechanisms carefully. It can even work out to be a wise decision to store these sensible data on a removable storage medium to be locked away while not in use.

  Practical Attacks on PCP

Security-relevant Actions

Fortunately most of the everyday tasks can be carried out without any difficulties, because only public keys are used. Checking the signatures on your emails you have received will require the use of the sender's public key only and even if you send confidential information to other people, you have to encrypt them using the recipient's public key.

But adding a new public key of an unknown person to your pool of trusted keys, is definitely a security-relevant action, because by making the new public key a valid key for use by PCP you definitely recognize that the available public key you often have received from non-reliable sources (i.e. key-servers) is actually identical with the public key as it was initially generated by that person itself. This could be a problem if you do not know that person or if you can only communicate with him or her using an unreliable channel like the internet which frequently happens.

How can you assess the reliability of an unknown public key? There are two different ways to solve this problem.

The first one relies on some first-hand knowledge about the new public key. You may be able to obtain the public key's digital fingerprint through a direct and reliable contact with that person comparing this first-hand information with the public key's fingerprint you have received from unreliable sources. Having confirmed the public key's authenticity you can certify this key yourself signing the new key with your secret signing key and adding it to your pool of trusted keys.

As PCP can use public keys being stored in different key formats, including RSA keys in PGP-version-2, PGP-version-3, SSH and X509 formats at the moment, checking the new public key's fingerprint will also depend on the reliability of the corresponding software as well. But once you have established trust in the authenticity of a new key you can use PCP's extraction tools to extract the public key's modulus and encryption values in decimal digits together with the user's identification string from the binary or armored key file. These three lines build the foundation of a new PCP key file which has to be supplemented with a hash key (hash modulus and generator) the key owner is currently using. Of course you will need first-hand knowledge about the hash key too, to be able to complete the key file which will eventually look like this:

Looking behind the scenes: Public Key Structure

Modulus = 60543512488910112606602583998 ... 671880494444421949488339311 Encryption = 65537 HashModulus = 9839391050497052426120625 ... 899354547842152832236191997 Generator = 115277462192246252358083703 ... 011718422799012403067626981 Ralf Senderek, Wassenberg PCP signingkey 2003 <ralf@senderek.com> Securityhash = 494660087634075087624428 ... 086648493733366295231438448

Looking behind the scenes: Public Key Certificates

-----BEGIN PURE-CRYPTO SIGNED MESSAGE----- Modulus = 60543512488910112606602583998 ... 671880494444421949488339311 Encryption = 65537 HashModulus = 9839391050497052426120625 ... 899354547842152832236191997 Generator = 115277462192246252358083703 ... 011718422799012403067626981 Ralf Senderek, Wassenberg PCP signingkey 2003 <ralf@senderek.com> Securityhash = 494660087634075087624428 ... 086648493733366295231438448 -----BEGIN PURE-CRYPTO SIGNATURE----- Hash: SDLH *** based on modular exponentiation and RSA alone *** Ralf Senderek, Wassenberg PCP signingkey 2003 <ralf@senderek.com> 196776708728465316800282963884340869037 ... 143076856763231124797789521 -----END PURE-CRYPTO SIGNATURE-----

Note, that there is a single end-of-line character in line 8 following the message body in order to allow the signing of files that do not end with an EOL character.

Securityhash

You may have noticed line 6 which is the place designed to store the public key's security hash being a hash of the decimal values stored in line 1 to 4 with the user's identity string concatenated. The security hash will detect any manipulation of the key material reliably and of course - learning from the ADK problem - nothing else but these 6 lines will be an acceptable public key body, becoming valid only if it bears a signature made with your signing key. To ensure that your signature can be validated reliably PCP will always check the security hash of your signing key before anything else is done. Although this step will take time while using PCP it provides the necessary information confirming, that your signing key has not been tampered with during storage in the local filesystem.

Despite the clear advantages of the discrete logarithm hash function, which is used to compute the security hashes, there has not been much practical experience collected by now, a fact which raised concerns by some people that nothing new should be used but the standard hash functions like SHA-1 which are supposed to have been subject to intense scrutiny and review. Consequently PCP is designed to run in two different modes. The "conservative mode", being the default mode, which addresses the concerns of those who will only trust standard algorithms uses SHA-1 as the hash algorithm under all circumstances. Clearly this is a compromise solution because at this point the program relies on a precompiled module implementing SHA-1 breaking with the idea of pure crypto which should entirely be understandable by the user.

But the "pure mode", which can be selected on the command line or set permanently in a config file, will use the discrete logarithm hash function SDLH, which being used with moduli longer than 1024 bit, will produce hash values used in signatures of at least that length. With more scrutiny and experience I am convinced that sooner or later SDLH can be the default mode of PCP, making the "SHA-1 concession code" obsolete in the near future.

Meanwhile the public key files of users who prefer the conservative mode can contain the number 1 for the hash modulus and the generator indicating that the user has no hash key. Using such a key in PURE mode to verify a signature will cause PCP to switch to conservative hashing while everything else will be done with the discrete logarithm hash function.

The second way to establish trust in a public key is to receive a signed key body, usually called a certificate, which can be verified using an already trusted key. It will depend on your assessment of the person's ability to check the authenticity of the signed key material with care whether you will decide to replace your trusted introducer's signature with your own to enable the key's use within PCP or not. Accordingly you can simply remove your signature on a key to revoke the key, rendering it useless for PCP, if you have reasons to mistrust an already signed key.

Key Spoofing Attacks

• Don't ever write your passphrase down (in plain text)! Don't even think about doing so.

• Don't use your passphrase for something else (i.e as login-password). Even similarities would make drawing conclusions much easier, if you just weren't cautious some time.

• Don't communicate your passphrase to other people, come hell or high water! You would destroy the link between your pair of keys and a single individual, that is you. Nobody, except you, has the right to use your secret key, so you have to resist any attempt to "squeeze the passphrase out of you" (maybe except some tough rubber-hose-cryptanalysis). You should not consider attempts of somebody to obtain the passphrase of other people as a peccadillo but as a perfidious attack on privacy in computer networks. Such attempts of "social engineering" destroy trust in the reliability of cryptographic methods and have to be seen as social-harmful behaviour, especially as the right of an individual to use a private key is threatened by the exploitation of relationships of dependancy (i.e in a company). Privacy is a right, not a generous concession.

• Take care that you are not observed when entering your passphrase. Everyone who is aware of the value of cryptography will avoid "peeping at your fingers". You can easily recognize people without any awareness of the problem or with suspicious intention by their behaviour in those situations. You do not have to defend your right "to enter your passphrase unobserved", claim it as a matter of course.

• Don't ever forget your passphrase. If you don't remember your passphrase you will be in exactly the same situation as someone who has his eyes on your passphrase but in contrast to him you cannot catch yourself entering your passphrase. This situation is desperate and without any help. But it is rather unlikely that you will forget your passphrase if you use PCP regularly.

• Please make a backup of your secret keyring and lock it away in a safe place.

Attacks on Your Passphrase

Vulnerabilities of the Operating System

How Long Should a Passphrase Be ?

Because of the fact that you should never forget your passphrase, otherwise your secret key is useless and the protected data is lost, solutions have to be found that will work safely. At this point two different strategies can be offered to guarantee the memorability ot the passphrase, both leading to a loss of security.

• You can reduce the number of characters until you can remember the passphrase
• or instead of using random characters you can try to introduce "meaning" into your passphrase.

 Long Live the Signing Key !

A key used to create signatures usually has a very long lifetime, because trusted key distribution is an awful expensive procedure and in case of a compromise of your secret key the secure revocation of your signing key takes equal pain. Moreover you would probably use your signing key more frequently so that spending an extra effort to protect your secret key would be only prudent. On the other hand keys which protect confidential communication should have a short lifetime to minimize the damage caused by a key compromise. The change of even revocation of a shortlife encryption key would be a pretty normal thing whereas you would probably go through much trouble to avoid the revocation of your longlife signing key. Governments have often toyed with the idea of demanding the disclosure of private encryption keys used to protect confidential communication but have confined themselves to include private signing keys in this demand up to now. Using two different keys for signing and encryption is terribly advisable in the light of those intentions of governments to establish the seizure of private keys as a natural means of law enforcement which are currently developing in different countries all around the globe and especially in the European Union.

Well, to be honest, I do not really know. I have not (yet) included a key generator in PCP because there are several different software packages which generate RSA keys and it is a matter of trust which one you will employ to create your keys. All I can tell is, that as far as I know, it is important to get as much randomness as possible into the process of key generation and with respect to low public encryption exponent attacks it may be advisable not to select the lowest value for the encryption exponent, which is usually 17 to gain speed. As the openssl software uses both a large file containing random data to seed the random number generator and a longer encryption value I have created my signing key with openssl but, as I said, your milage may vary. Anyway, generating keys is still a little bit like counting on the egg in the hen's arse.

With respect to the hash key the choice is much easier, because you simply have to select two strong prime numbers to build the hash modulus and to select another prime of highest order, i.e. a few bits shorter than the hash modulus, to be used as the generator. Here again you will rely on the software of your choice to produce primes but you can use a tool that finds strong primes which comes with the PCP distribution.