Ch3b Encryption

Feb 25, 2016

Nico

Page 1: Ch3b Encryption

2/11/01 CSC309 Miller 1

Ch3b Encryption

Page 2: Ch3b Encryption

2/11/01 CSC309 Miller 2

Uses of Encryption

Electronic funds transfer: trillion dollars a day.

Automated teller machine passwords (PINs).

Credit card numbers on the internet.

Bank records.

Your password.

Cable TV signals.

Cellular phone calls.

Page 3: Ch3b Encryption

2/11/01 CSC309 Miller 3

Encryption

Encryption usually includes a coding scheme (a cryptographic algorithm) and a sequence of characters (a key) which is used to turn plain text into a coded message (cipher text). The cipher text is decoded (decrypted) to produce the original plain text.

The encryption scheme used by Julius Caesar was to replace each letter with the one three places ahead of it in the alphabet (Caesar → Fdhwdu).

Page 4: Ch3b Encryption

9/14/01 CSC309 Miller 4

Symmetric Key

The key that is used to encrypt a message is also the key that is used to decrypt it. This is also referred to as symmetric private key.

The major problem is that you have to protect the key.

A related problem is that in some cases it is going to be extremely difficult to deliver the key to someone who will use it without exposing the key.

Page 5: Ch3b Encryption

9/14/01 CSC309 Miller 5

National Security Agency

The NSA was created in 1952 by President Truman’s top-secret order.

Monitors all communication between U.S. and world. That is interpreted to mean all foreign phone calls, radio transmissions, and more recently, all Internet traffic.

Page 6: Ch3b Encryption

9/14/01 CSC309 Miller 6

National Security Agency

Interested in designing schemes no other country can break and in breaking everybody else's methods.

Considered itself the repository of all cryptography information for the country.

Page 7: Ch3b Encryption

9/14/01 CSC309 Miller 7

DES

The Data Encryption Standard was originally developed by IBM in the 1960s but was modified by the National Security Agency prior to its adoption as a government standard in 1977. (NSA involvement was the major reason it was never fully accepted by the public.)

DES is a symmetric private key cryptography system.

Page 8: Ch3b Encryption

9/14/01 CSC309 Miller 8

Diffie-Hellman

In May of 1975, Diffie came up with the thought of splitting the key. One part (the public part) would be used for encryption while the other (the private part) would be used to decrypt the message.

When the private part was used to encrypt and the public to decrypt then a digital signature had been generated. They presented a paper “New Directions in Cryptography”.

Page 9: Ch3b Encryption

9/15/01 CSC309 Miller 9

Public Key Example from CSC300

901 568 803 39 450 645 1173

0 1 0 1 0 1 0 = 1252

1252 * 1171 = 100 (mod 1234)

0 1 0 1 0 1 0

1 2 5 11 32 87 141 = 100

901 568 803 39 450 645 1173 = 3522

1 2 5 11 32 87 141 = 234

3522 * 1171 = ??? (mod 1234)
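Added example (not from the original slides): the slide's numbers worked through in Python. The key has the structure of a Merkle-Hellman knapsack, a scheme that was broken in the 1980s and is shown here for teaching only. The function and constant names are illustrative, and the bit pattern for 3522 is derived here from the slide's sums.

```python
# Added illustration; all numeric values are the ones printed on the slide.
PUBLIC_KEY = [901, 568, 803, 39, 450, 645, 1173]   # published weights
PRIVATE_KEY = [1, 2, 5, 11, 32, 87, 141]           # superincreasing, kept secret
MODULUS = 1234                                      # kept secret
UNMASK = 1171                                       # multiplier the slide uses to decrypt


def encrypt(bits, public_key=PUBLIC_KEY):
    """Ciphertext is the sum of the public weights selected by the 1-bits."""
    if len(bits) != len(public_key) or any(b not in (0, 1) for b in bits):
        raise ValueError("need one 0/1 bit per public weight")
    return sum(w for b, w in zip(bits, public_key) if b)


def decrypt(ciphertext, private_key=PRIVATE_KEY, unmask=UNMASK, modulus=MODULUS):
    """Undo the modular masking, then solve the easy (superincreasing) knapsack."""
    target = (ciphertext * unmask) % modulus
    bits = [0] * len(private_key)
    # Greedy selection is correct only because each private weight
    # exceeds the sum of all smaller private weights.
    for i in range(len(private_key) - 1, -1, -1):
        if private_key[i] <= target:
            bits[i] = 1
            target -= private_key[i]
    if target != 0:
        raise ValueError("ciphertext does not decode to a valid bit pattern")
    return bits


def check_key_pair(public_key=PUBLIC_KEY, private_key=PRIVATE_KEY,
                   unmask=UNMASK, modulus=MODULUS):
    """Verify the structure the scheme relies on."""
    running, superincreasing = 0, True
    for w in private_key:
        superincreasing = superincreasing and w > running
        running += w
    unmasks = all((p * unmask) % modulus == s
                  for p, s in zip(public_key, private_key))
    return superincreasing and running < modulus and unmasks


if __name__ == "__main__":
    first = encrypt([0, 1, 0, 1, 0, 1, 0])
    print(first, (first * UNMASK) % MODULUS, decrypt(first))
    print((3522 * UNMASK) % MODULUS, decrypt(3522))
```

Anyone can compute the ciphertext from the public weights, but recovering the bits without the modulus and multiplier means solving a general subset-sum problem over the public weights.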

Page 10: Ch3b Encryption

9/14/01 CSC309 Miller 10

RSA

RSA (a public key encryption scheme) is named for the three individuals from MIT, Rivest-Shamir-Adleman, who developed it. They also built a company to commercialize their product and licensed the technology to companies such as Microsoft.

The government kept strong encryption out of products (in companies such as Microsoft) by its export regulations.

Page 11: Ch3b Encryption

9/14/01 CSC309 Miller 11

Export Restrictions

Because of military applications, coding machines and encryption software are treated as "munitions" and covered by ITAR (International Traffic in Arms Regulations).

Government noticed that all of the strong encryption software that was available overseas could not be regulated, so they threatened prosecution for exporting software designed to work with someone’s encryption routines.

Page 12: Ch3b Encryption

9/14/01 CSC309 Miller 12

Going Public

In the spring of 1992 the head of NSA was told that cryptography was going public, that RSA was selling it, and that the Internet had provided a way around the export laws. The head of NSA requested a solution and shortly thereafter key escrow appeared.

Simply store a copy of the key in a secure area and then make law enforcement get a search warrant to get a copy that would let them decrypt a message. But then there was AT&T.

Page 13: Ch3b Encryption

9/14/01 CSC309 Miller 13

AT&T

AT&T had been selling a secure phone to the government but in '92 decided to sell a version (TSD3600) to the public.

The FBI saw their ability to do wiretaps slipping away and proposed adding a chip to TSD3600 which would allow them to set up an escrow system, but no one could figure out why this was good for them.

Page 14: Ch3b Encryption

10/20/08 CSC309 Miller 14

Clipper Chip is Born

Politically the security advocates thought they were in serious trouble because escrow became a privacy issue.

Presentations by the FBI gained the support of the executive branch of government and AT&T was offered a deal it couldn’t turn down. The promise of the purchase of lots of these devices and no hassle on exports allowed the process to move forward. The modified AT&T device became known as the Clipper Chip.

Page 15: Ch3b Encryption

9/14/01 CSC309 Miller 15

Clipper Chip

Sort of complicated. When two people exchanged information in a phone call a packet of information was exchanged which included the chip’s serial numbers and a special session key. The FBI could decode chip serial numbers but not the session key which was stored in pieces in two different government agencies and available to the FBI only after a legal wiretap was approved.

Page 16: Ch3b Encryption

2/11/01 CSC309 Miller 16

Clipper Chip (Cont.)

There were problems. Clipper was based on a secret algorithm and was to be implemented in hardware (cost and upgrade considerations), Clipper phones only worked with Clipper phones, and there was the problem of escrowed keys.

In 1994 NSA let a few Clipper chips out for inspection. Matt Blaze of Bell Labs quickly broke the code, wrote his findings to NSA, and got a technical publication out.

His results made it to the front page of the New York Times and Clipper was dead.

Page 17: Ch3b Encryption

10/15/01 CSC309 Miller 17

Key Escrow Won’t Work

Experts and lawmakers opposed legislation that would require people using encryption to put their encryption keys in escrow with a third party, as the keys would become targets for terrorists. Responding to claims that a key escrow system could allow law enforcement officials to decode communication between terrorists and other criminals, Rep. Bob Goodlatte (R-Va) remarked that such persons are not likely to place their encryption keys in escrow anyhow.

http://www.fcw.com/fcw/articles/2001/1001/web-keys-10-03-01.asp

Page 18: Ch3b Encryption

10/23/01 CSC309 Miller 18

Key Escrow Plan Abandoned

“ ... the temptation to abuse key escrow or create a mass repository of stored keys would pose a single point of security risk unlike ever before. Furthermore, he says fear of its abuse could have a chilling effect on people's sense of privacy and security, forcing users to shy away from the very technology created to safeguard their transmitted messages.”

The key escrow debate mirrors a dropped effort on the part of the government to institute a "Clipper chip"

http://www.infoworld.com/articles/hn/xml/01/10/18/011018hnencryption.xml

Page 19: Ch3b Encryption

9/15/01 CSC309 Miller 19

Escrow

Lots of situations where escrow needs to be used.

Page 20: Ch3b Encryption

1/30/05 CSC309 Miller 20

Researchers Claim to Crack Car Alarm Code

Computer science faculty at Johns Hopkins have found a way to crack the code used in the keys of more than 150 million new Fords, Toyotas and Nissans. The system involves a transponder chip embedded in the key and a reader inside the car. They also cracked the code for a new gasoline purchase system in which a reader inside the gas pump is able to recognize a small key-chain tag when the tag is waved in front of it. Texas Instruments said the hardware used to crack the codes is cumbersome, expensive and not practical for common thieves.

Page 21: Ch3b Encryption

9/14/01 CSC309 Miller 21

Pretty Good Protection

Philip Zimmermann, a programmer concerned about the government's plans to limit the use of strong encryption, in 1991 developed a program using public key cryptography for e-mail.

Zimmermann gave his “PGP” software to a friend who uploaded it to as many bulletin boards as he could find. It quickly became the most popular encryption scheme for e-mail.

Page 22: Ch3b Encryption

9/15/01 CSC309 Miller 22

Pretty Good Protection (Cont.)

In February of 1993, Zimmermann was notified that he was being investigated to see if he had violated the International Traffic In Arms Regs. The investigation was dropped three years later.

This slowed down distribution as did the fact that it used patented technology and was at that time in competition with the government’s Clipper chip.

Page 23: Ch3b Encryption

2/11/01 CSC309 Miller 23

PGP

Zimmermann defended his actions by arguing that if ordinary people didn’t have access to “military grade” public key encryption then only the organizations with big money such as governments, giant corporations, drug cartels, etc. would have privacy.

Page 24: Ch3b Encryption

9/24/01 CSC309 Miller 24

Ten Years Later

Phil Zimmermann has been crying every day since last week's terrorist attacks. He has been overwhelmed with feelings of guilt. In a telephone interview from his home, he said he doesn't regret posting the encryption program on the Internet. Yet he has trouble dealing with the reality that his software was likely used for evil. "The intellectual side of me is satisfied with the decision, but the pain that we all feel because of all the deaths mixes with this," he said. "It has been a horrific few days." (Washington Post 9/21/01)

Page 25: Ch3b Encryption

10/10/01 CSC309 Miller 25

Three Days Later

Phil Zimmermann did not find the Washington Post article “entirely accurate”. Concerning the “overwhelmed with feelings of guilt” comment, “I never implied that in the interview, and specifically went out of my way to emphasize to her that that was not the case, and made her repeat back to me the point so that she could not get it wrong in the article.”

“...strong cryptography does more for a democratic society than harm, even if it can be used by terrorists.” No regrets.

Page 26: Ch3b Encryption

3/29/02 CSC309 Miller 26

Steganography

The word steganography comes from the Greek steganos (covered or secret) and -graphy (writing or drawing) and thus means, literally, covered writing. Steganography is usually given as a synonym for cryptography but it is not normally used in that way. Through recent usage, steganography has come to mean hidden writing, i.e., writing that is not readily discernible to the casual observer. For example, the childhood practice of writing messages in 'invisible ink' would qualify as steganography since the writing is hidden in the sense that it is not obvious that it is there unless you know to look for it.

Page 27: Ch3b Encryption

1/30/09 CSC309 Miller 27

Steganography

Steganography is the practice of embedding secret messages in other messages -- in a way that prevents an observer from learning that anything unusual is taking place.

http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/

A really good site that we have been watching for years (last update Jan/09). Gives the best explanation I’ve found.

Page 28: Ch3b Encryption

1/30/09 CSC309 Miller 28

Steganography

You used steganography to find the CSC309 downloads. The first line reads:

“9/11/08 I've started updating this CSC309 site and have made first contact with textbook folks.”

Click on the period at the end of the line (it does have a little line under it) for another article on steganography.

Page 29: Ch3b Encryption

1/27/02 CSC309 Miller 29

Modern Steganography

Modern steganographers use software like White Noise Storm and S-Tools, which allow a paranoid sender to embed messages in digitized information, typically audio, video or still image files, that are sent to a recipient. The software usually works by storing information in the least significant bits of a digitized file -- those bits can be changed in ways that aren't dramatic enough for a human eye or ear to detect.
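Added example (not from the original slides, and not the method of any tool named above): least-significant-bit embedding over raw 8-bit samples in Python, showing that no sample moves by more than one level. The 16-bit length prefix, the function names and the cover data are assumptions constructed for the illustration.

```python
# Added illustration: LSB embedding over raw 8-bit samples (no real file format).

def embed(samples, message):
    """Return a copy of samples with the message bits written into bit 0."""
    payload = len(message).to_bytes(2, "big") + message   # assumed framing: 16-bit length
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("cover too small: need %d samples" % len(bits))
    out = bytearray(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit     # clear bit 0, then set it to the message bit
    return bytes(out)


def _read_bytes(samples, start, count):
    """Rebuild `count` bytes from the low bits of samples, 8 samples per byte."""
    value = bytearray()
    for n in range(count):
        byte = 0
        for s in samples[start + 8 * n: start + 8 * (n + 1)]:
            byte = (byte << 1) | (s & 1)
        value.append(byte)
    return bytes(value)


def extract(samples):
    """Read the length prefix, then that many message bytes."""
    length = int.from_bytes(_read_bytes(samples, 0, 2), "big")
    if 16 + 8 * length > len(samples):
        raise ValueError("length prefix exceeds cover size")
    return _read_bytes(samples, 16, length)


def max_sample_change(before, after):
    """Largest per-sample difference introduced by embedding."""
    return max(abs(a - b) for a, b in zip(before, after))


# Constructed cover: 256 pseudo grey-level samples, not taken from a real image.
COVER = bytes((i * 37 + 11) % 256 for i in range(256))
STEGO = embed(COVER, b"CSC309")
```

Because only bit 0 of each sample changes, looking at or listening to the file will not reveal the message; finding it takes an analysis of the low-order bits themselves.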

Page 30: Ch3b Encryption

2/2/05 CSC309 Miller 30

ABC Presentation on Steganography

• ABC gave a presentation on Steganography in 2001 where they claimed the top picture contained a picture of a B-52. The actual content is a B-52 graveyard.

Page 31: Ch3b Encryption

2/15/09 CSC309 Miller 31

56-bit DES cracked

In 1997, a series of contests were initiated, offering a $10,000 prize to anyone that could break a message encrypted with 56-bit DES. With the best plan of attack known at that time (sort of brute force) requiring an estimated 2,285 years of computer time on a dedicated 200 MHz computer, no winners were anticipated.

Page 32: Ch3b Encryption

2/11/01 CSC309 Miller 32

56-bit DES cracked

The first contest was won by a team of computer scientists who got on the Internet with a request to use idle cycles on computers attached to the Internet with an offer to pay $4,000 if your machine was the one that came up with the answer. Code cracked in 96 days. 78,000 computers had participated in the search.

Page 33: Ch3b Encryption

2/15/09 CSC309 Miller 33

56-bit DES cracked

EFF, a free speech advocacy group, in July of 1998, cracked the 56-bit DES encryption in 56 hours on a $250,000 custom built computer named “Deep Crack”.

In January 1999, the third contest saw a joint effort between distributed.net and Deep Crack find the key in 22 hours 15 minutes.

Page 34: Ch3b Encryption

2/15/09 CSC309 Miller 34

AES Replaces DES

The Advanced Encryption Standard (AES) was adopted by the U.S. government after a 5-year standardization process in which fifteen competing designs were evaluated. It became effective as a standard May 26, 2002. AES is the first publicly accessible and open cipher approved by the NSA for top secret information.

Page 35: Ch3b Encryption

2/11/01 CSC309 Miller 35

White House Reverses Crypto Policy 09/17/99

Reversing two decades of U.S. encryption policy, the White House has proposed allowing the export of software or hardware using any encryption key length without license. Companies can't sell to designated terrorist countries and must report all exports in excess of 64 bits.

Exporting up to 40 bit keys had always been legal.

Page 36: Ch3b Encryption

2/11/01 CSC309 Miller 36

White House Reverses Crypto Policy 09/17/99

The announcement also included a final version of The Cyberspace Electronic Security Act of 1999 (CESA). This act would provide "federal statutory protections for the privacy of decryption keys" and protect law enforcement from having to disclose how they obtained information.

Page 37: Ch3b Encryption

9/15/01 CSC309 Miller 37

Encryption Smuggling Arrests 08/29/01

The Customs Service has reported that two men have been arrested and accused of scheming to smuggle military encryption technology to China. The technology, two devices known as KIV-7HS units, are used to encode classified government communications and are protected under ITAR.

Page 38: Ch3b Encryption

2/8/04 CSC309 Miller 38

Quantum Encryption Product

11/17/03 MagiQ Technologies has begun selling Navajo systems, reputedly unbreakable encryption technology that employs the laws of quantum physics. Navajo systems use photons to transmit encryption keys over fiber-optic lines; photons are so sensitive that their behavior changes if they are examined. MagiQ is requesting governmental permission to sell Navajo abroad. http://www.informationweek.com/story/showArticle.jhtml?articleID=16100877

Page 39: Ch3b Encryption

9/18/03 CSC309 Miller 39

Interesting

Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a total mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

Amzanig huh???

Page 40: Ch3b Encryption

2/15/09 CSC309 Miller 40

History Snapshot (What does this have to do with encryption/privacy?)

David Gelernter took a bachelor's degree in religious studies and a master's in Hebrew literature from Yale. He went on to collect a PhD in computer science from the State University of New York at Stony Brook, but joined Yale as faculty in 1982. He made a name for himself by developing a computer language named "Linda".