Handbook of Information Security Management: Cryptography



SINGLE-KEY CRYPTOSYSTEMS

There are two types of cryptosystems: single key and public key. In a single-key cryptosystem, the encryption and decryption keys are the same (or readily derived from each other) and are kept secret. Single-key systems are also called secret-key systems and symmetric systems. Because all publicly known cryptosystems before the late 1970s were single-key systems, they are also called traditional or conventional cryptosystems. Exhibit 2 illustrates single-key cryptosystems.


Exhibit 2.  A Single-Key Cryptosystem

In addition to secrecy, requirements for secure communications often include integrity and authenticity — protection against message tampering and against injection of bogus messages by a third party. Single-key cryptosystems provide authenticity because the secret key is needed to modify or create ciphertext that decrypts into meaningful plaintext. If meaningful plaintext is not automatically recognizable, a message authentication code (MAC) can be computed and appended to the message. The computation is a function of the entire message and a secret key; it is practically impossible to find another message with the same authenticator. The receiver checks the authenticity of the message by computing the MAC using the same secret key and then verifying that the computed value is the same as the one transmitted with the message. A MAC can be used to provide authenticity for unencrypted messages as well as for encrypted ones. The National Institute of Standards and Technology (NIST) has adopted a standard for computing a MAC. (It is found in Computer Data Authentication, Federal Information Processing Standards Publication (FIPS PUB) 113.)
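The compute, append and verify procedure described above, as an added example that is not part of the handbook: it substitutes HMAC-SHA256 from Python's standard library for the DES-based MAC of FIPS PUB 113, and the 8-byte tag length and the key value used in the test are assumptions.

```python
import hashlib
import hmac

TAG_LEN = 8  # assumed MAC length; FIPS 113 permits a truncated authenticator

def compute_mac(key, message):
    # The authenticator is a function of the entire message and the secret key.
    # HMAC-SHA256 stands in here for the DES-based algorithm of FIPS PUB 113.
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]

def seal(key, message):
    # Sender: append the MAC to the message (which may itself be unencrypted).
    return message + compute_mac(key, message)

def open_sealed(key, packet):
    # Receiver: recompute the MAC with the same key and compare it with the
    # transmitted value. compare_digest keeps the comparison time independent
    # of where the first mismatching byte is. Returns the message, or None
    # when the authenticity check fails.
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(compute_mac(key, message), tag):
        return None
    return message
```

Flipping a single bit of the body, using a different key, or truncating the packet all make open_sealed return None.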

Single-key systems are often used during the process of authenticating users to a system. Systems that use passwords usually store those passwords in encrypted form, using the password as the key so that the ciphertext passwords cannot be decrypted. When encryption is used this way, it effectively implements a one-way function of the secret information that cannot be reversed. (If a user forgets the password between login sessions, the password must be replaced with a new one because not even the system administrator can determine the plaintext password from the ciphertext password.) Stronger forms of user authentication are possible using access tokens and smart cards that have cryptographic capabilities.

The Data Encryption Standard

The Data Encryption Standard (DES) developed by IBM Corp. and adopted by NIST as a government standard in 1977 (FIPS PUB 46-1) is a single-key system that encrypts 64-bit blocks with a 56-bit key. After an initial permutation of the bits, a plaintext block goes through 16 iterations of a complex function and then passes through a final permutation that yields the ciphertext block. During each round, the bits undergo further permutations and are transformed by S-boxes, which define bit substitutions. The security of the algorithm depends on the S-boxes, the number of iterations, and the key length (56 bits generates about 72,058 trillion possibilities). The algorithm is public knowledge, though the design of the S-boxes is classified. Complementary metal-oxide semiconductor implementations of DES run at about 200 Mb/s.

DES can be used in four different operating modes:

1.  Electronic codebook, which encrypts 64-bit blocks as independent units.
2.  Output feedback, which uses DES to generate a key stream that is XORed with the message stream to simulate a one-time pad. The key stream is generated by encrypting a 64-bit initialization vector with DES under a secret key to produce a segment of key bits and then repeatedly feeding those DES output bits back into DES as input to generate another segment of key bits.
3.  Cipher feedback, which is also a stream cipher, except that the ciphertext is fed back into the DES key generator so that each encryption depends on previous ciphertext.
4.  Cipher block chaining, which encrypts 64-bit blocks but chains them together by XORing each ciphertext block with the next plaintext block before encrypting the plaintext block.
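The four modes above, as an added example that is not from the handbook: a constructed four-round Feistel cipher (`toy_block`, hash-based and in no way DES) stands in for DES so that the chaining and feedback structure of each mode can be run on 64-bit blocks; the key and IV values in the test are made up.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):  # constructed round function, NOT DES's S-boxes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def toy_block(key, blk, decrypt=False):
    # 4-round Feistel standing in for DES; reversed round order inverts it.
    l, r = blk[:4], blk[4:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def ecb_encrypt(key, msg):
    # Mode 1: independent blocks, so equal plaintext blocks give equal ciphertext.
    return b"".join(toy_block(key, b) for b in _blocks(msg))

def ofb_crypt(key, iv, data):
    # Mode 2: key stream E_k(iv), E_k(E_k(iv)), ... XORed with data; self-inverse.
    out, state = [], iv
    for b in _blocks(data):
        state = toy_block(key, state)
        out.append(_xor(b, state))
    return b"".join(out)

def cfb_crypt(key, iv, data, decrypt=False):
    # Mode 3: as OFB, but the previous ciphertext block feeds the next segment.
    out, prev = [], iv
    for b in _blocks(data):
        cur = _xor(b, toy_block(key, prev))
        out.append(cur)
        prev = b if decrypt else cur
    return b"".join(out)

def cbc_crypt(key, iv, data, decrypt=False):
    # Mode 4: XOR each plaintext block with the previous ciphertext block first.
    out, prev = [], iv
    for b in _blocks(data):
        if decrypt:
            out.append(_xor(toy_block(key, b, decrypt=True), prev))
            prev = b
        else:
            prev = toy_block(key, _xor(b, prev))
            out.append(prev)
    return b"".join(out)
```

Encrypting a message whose first two blocks repeat in its last two shows ECB's repeated ciphertext blocks while CBC, CFB and OFB hide the repetition; the toy cipher itself offers no security and exists only to exercise the modes.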

When DES was first introduced in 1975, some critics argued that 56-bit keys were too short and that the S-boxes, which are a critical part of the algorithm, were suspect because of involvement by the National Security Administration (NSA) and because the design documents had been classified. However, 18 years of public scrutiny has shown the algorithm and its S-boxes to be well designed. Although the DES will eventually have to be replaced as exhaustive search attacks become a practical threat, it is likely to be recertified as a government standard for another five years.

DES was adopted as a government standard to protect sensitive but unclassified information. It has also been adopted as a standard outside the government, particularly in the banking industry. The American National Standards Institute (ANSI) has adopted standards for encryption, access control, and key management that use DES. Privacy Enhanced Mail, the Internet standard for protecting E-mail, also uses DES.

