Preface

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.

If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism—and you still can't open the safe and read the letter—that's security.

For many years, this sort of cryptography was the exclusive domain of the military. The United States' National Security Agency (NSA), and its counterparts in the former Soviet Union, England, France, Israel, and elsewhere, have spent billions of dollars in the very serious game of securing their own communications while trying to break everyone else's. Private individuals, with far less expertise and budget, have been powerless to protect their own privacy against these governments.

During the last 20 years, public academic research in cryptography has exploded. While classical cryptography has been long used by ordinary citizens, computer cryptography was the exclusive domain of the world's militaries since World War II. Today, state-of-the-art computer cryptography is practiced outside the secured walls of the military agencies. The layperson can now employ security practices that can protect against the most powerful of adversaries—security that may protect against military agencies for years to come.

Do average people really need this kind of security? Yes. They may be planning a political campaign, discussing taxes, or having an illicit affair. They may be designing a new product, discussing a marketing strategy, or planning a hostile business takeover. Or they may be living in a country that does not respect the rights of privacy of its citizens. They may be doing something that they feel shouldn't be illegal, but is. For whatever reason, the data and communications are personal, private, and no one else's business.

This book is being published in a tumultuous time. In 1994, the Clinton administration approved the Escrowed Encryption Standard (including the Clipper chip and Fortezza card) and signed the Digital Telephony bill into law. Both of these initiatives try to ensure the government's ability to conduct electronic surveillance.

Some dangerously Orwellian assumptions are at work here: that the government has the right to listen to private communications, and that there is something wrong with a private citizen trying to keep a secret from the government. Law enforcement has always been able to conduct court-authorized surveillance if possible, but this is the first time that the people have been forced to take active measures to make themselves available for surveillance. These initiatives are not simply government proposals in some obscure area; they are preemptive and unilateral attempts to usurp powers that previously belonged to the people.

Clipper and Digital Telephony do not protect privacy; they force individuals to unconditionally trust that the government will respect their privacy. The same law enforcement authorities who illegally tapped Martin Luther King Jr.'s phones can easily tap a phone protected with Clipper. In the recent past, local police authorities have either been charged criminally or sued civilly in numerous jurisdictions—Maryland, Connecticut, Vermont, Georgia, Missouri, and Nevada—for conducting illegal wiretaps. It's a poor idea to deploy a technology that could someday facilitate a police state.

The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics. Encryption is too important to be left solely to governments.

This book gives you the tools you need to protect your own privacy; cryptography products may be declared illegal, but the information will never be.

How to Read This Book

I wrote Applied Cryptography to be both a lively introduction to the field of cryptography and a comprehensive reference. I have tried to keep the text readable without sacrificing accuracy. This book is not intended to be a mathematical text. Although I have not deliberately given any false information, I do play fast and loose with theory. For those interested in formalism, there are copious references to the academic literature.

Chapter 1 introduces cryptography, defines many terms, and briefly discusses precomputer cryptography.

Chapters 2 through 6 (Part I) describe cryptographic protocols: what people can do with cryptography. The protocols range from the simple (sending encrypted messages from one person to another) to the complex (flipping a coin over the telephone) to the esoteric (secure and anonymous digital money exchange). Some of these protocols are obvious; others are almost amazing. Cryptography can solve a lot of problems that most people never realized it could.

Chapters 7 through 10 (Part II) discuss cryptographic techniques. All four chapters in this section are important for even the most basic uses of cryptography. Chapters 7 and 8 are about keys: how long a key should be in order to be secure, how to generate keys, how to store keys, how to dispose of keys, and so on. Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system. Chapter 9 discusses different ways of using cryptographic algorithms, and Chapter 10 gives the odds and ends of algorithms: how to choose, implement, and use algorithms.

Chapters 11 through 23 (Part III) list algorithms. Chapter 11 provides the mathematical background. This chapter is only required if you are interested in public-key algorithms. If you just want to implement DES (or something similar), you can skip ahead. Chapter 12 discusses DES: the algorithm, its history, its security, and some variants. Chapters 13, 14, and 15 discuss other block algorithms; if you want something more secure than DES, skip to the section on IDEA and triple-DES. If you want to read about a bunch of algorithms, some of which may be more secure than DES, read the whole chapter. Chapters 16 and 17 discuss stream algorithms. Chapter 18 focuses on one-way hash functions; MD5 and SHA are the most common, although I discuss many more. Chapter 19 discusses public-key encryption algorithms, Chapter 20 discusses public-key digital signature algorithms, Chapter 21 discusses public-key identification algorithms, and Chapter 22 discusses public-key key exchange algorithms. The important algorithms are RSA, DSA, Fiat-Shamir, and Diffie-Hellman, respectively. Chapter 23 has more esoteric public-key algorithms and protocols; the math in this chapter is quite complicated, so wear your seat belt.

Chapters 24 and 25 (Part IV) turn to the real world of cryptography. Chapter 24 discusses some of the current implementations of these algorithms and protocols, while Chapter 25 touches on some of the political issues surrounding cryptography. These chapters are by no means intended to be comprehensive.

Also included are source code listings for 10 algorithms discussed in Part III. I was unable to include all the code I wanted to due to space limitations, and cryptographic source code cannot otherwise be exported. (Amazingly enough, the State Department allowed export of the first edition of this book with source code, but denied export for a computer disk with the exact same source code on it. Go figure.) An associated source code disk set includes much more source code than I could fit in this book; it is probably the largest collection of cryptographic source code outside a military institution. I can only send source code disks to U.S. and Canadian citizens living in the U.S. and Canada, but hopefully that will change someday. If you are interested in implementing or playing with the cryptographic algorithms in this book, get the disk. See the last page of the book for details.

One criticism of this book is that its encyclopedic nature takes away from its readability. This is true, but I wanted to provide a single reference for those who might come across an algorithm in the academic literature or in a product. For those who are more interested in a tutorial, I apologize. A lot is being done in the field; this is the first time so much of it has been gathered between two covers. Even so, space considerations forced me to leave many things out. I covered topics that I felt were important, practical, or interesting. If I couldn't cover a topic in depth, I gave references to articles and papers that did.

I have done my best to hunt down and eradicate all errors in this book, but many have assured me that it is an impossible task. Certainly, the second edition has far fewer errors than the first. An errata listing is available from me and will be periodically posted to the Usenet newsgroup sci.crypt. If any reader finds an error, please let me know. I'll send the first person to find each error in the book a free copy of the source code disk.
About the Author

BRUCE SCHNEIER is president of Counterpane Systems, an Oak Park, Illinois consulting firm specializing in cryptography and computer security. Bruce is also the author of E-Mail Security (John Wiley & Sons, 1995) and Protect Your Macintosh (Peachpit Press, 1994); and has written dozens of articles on cryptography for major magazines. He is a contributing editor to Dr. Dobb's Journal, where he edits the "Algorithms Alley" column, and a contributing editor to Computer and Communications Security Reviews. Bruce serves on the board of directors of the International Association for Cryptologic Research, is a member of the Advisory Board for the Electronic Privacy Information Center, and is on the program committee for the New Security Paradigms Workshop. In addition, he finds time to give frequent lectures on cryptography, computer security, and privacy.

Acknowledgments

The list of people who had a hand in this book may seem unending, but all are worthy of mention. I would like to thank Don Alvarez, Ross Anderson, Dave Balenson, Karl Barrus, Steve Bellovin, Dan Bernstein, Eli Biham, Joan Boyar, Karen Cooper, Whit Diffie, Joan Feigenbaum, Phil Karn, Neal Koblitz, Xuejia Lai, Tom Leranth, Mike Markowitz, Ralph Merkle, Bill Patton, Peter Pearson, Charles Pfleeger, Ken Pizzini, Bart Preneel, Mark Riordan, Joachim Schurman, and Marc Schwartz for reading and editing all or parts of the first edition; Marc Vauclair for translating the first edition into French; Abe Abraham, Ross Anderson, Dave Banisar, Steve Bellovin, Eli Biham, Matt Bishop, Matt Blaze, Gary Carter, Jan Camenisch, Claude Crépeau, Joan Daemen, Jorge Davila, Ed Dawson, Whit Diffie, Carl Ellison, Joan Feigenbaum, Niels Ferguson, Matt Franklin, Rosario Gennaro, Dieter Gollmann, Mark Goresky, Richard Graveman, Stuart Haber, Jingman He, Bob Hogue, Kenneth Iversen, Markus Jakobsson, Burt Kaliski, Phil Karn, John Kelsey, John Kennedy, Lars Knudsen, Paul Kocher, John Ladwig, Xuejia Lai, Arjen Lenstra, Paul Leyland, Mike Markowitz, Jim Massey, Bruce McNair, William Hugh Murray, Roger Needham, Clif Neuman, Kaisa Nyberg, Luke O'Connor, Peter Pearson, René Peralta, Bart Preneel, Yisrael Radai, Matt Robshaw, Michael Roe, Phil Rogaway, Avi Rubin, Paul Rubin, Selwyn Russell, Kazue Sako, Mahmoud Salmasizadeh, Markus Stadler, Dmitry Titov, Jimmy Upton, Marc Vauclair, Serge Vaudenay, Gideon Yuval, Glen Zorn, and several anonymous government employees for reading and editing all or parts of the second edition; Lawrie Brown, Leisa Condie, Joan Daemen, Peter Gutmann, Alan Insley, Chris Johnston, John Kelsey, Xuejia Lai, Bill Leininger, Mike Markowitz, Richard Outerbridge, Peter Pearson, Ken Pizzini, Colin Plumb, RSA Data Security, Inc., Michael Roe, Michael Wood, and Phil Zimmermann for providing source code; Paul MacNerland for creating the figures for the first edition; Karen Cooper for copyediting the second edition; Beth Friedman for proofreading the second edition; Carol Kennedy for indexing the second edition; the readers of sci.crypt and the Cypherpunks mailing list for commenting on ideas, answering questions, and finding errors in the first edition; Randy Seuss for providing Internet access; Jeff Duntemann and Jon Erickson for helping me get started; assorted random Insleys for the impetus, encouragement, support, conversations, friendship, and dinners; and AT&T Bell Labs for firing me and making this all possible. All these people helped to create a far better book than I could have created alone.

Bruce Schneier
Oak Park, Ill.
Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Foreword by Whitfield Diffie
Preface
About the Author
Chapter 1 — Foundations
1.1 Terminology
1.2 Steganography
1.3 Substitution Ciphers and Transposition Ciphers
1.4 Simple XOR
1.5 One-Time Pads
1.6 Computer Algorithms
1.7 Large Numbers
Part I — Cryptographic Protocols
Chapter 2 — Protocol Building Blocks
2.1 Introduction to Protocols
2.2 Communications Using Symmetric Cryptography
2.3 One-Way Functions
2.4 One-Way Hash Functions
2.5 Communications Using Public-Key Cryptography
2.6 Digital Signatures
2.7 Digital Signatures with Encryption
2.8 Random and Pseudo-Random-Sequence Generation
Chapter 3 — Basic Protocols
3.1 Key Exchange
3.2 Authentication
3.3 Authentication and Key Exchange
3.4 Formal Analysis of Authentication and Key-Exchange Protocols
3.5 Multiple-Key Public-Key Cryptography
3.6 Secret Splitting
3.7 Secret Sharing
3.8 Cryptographic Protection of Databases
Chapter 4 — Intermediate Protocols
4.1 Timestamping Services
4.2 Subliminal Channel
4.3 Undeniable Digital Signatures
4.4 Designated Confirmer Signatures
4.5 Proxy Signatures
4.6 Group Signatures
4.7 Fail-Stop Digital Signatures
4.8 Computing with Encrypted Data
4.9 Bit Commitment
4.10 Fair Coin Flips
4.11 Mental Poker
4.12 One-Way Accumulators
4.13 All-or-Nothing Disclosure of Secrets
4.14 Key Escrow
Chapter 5 — Advanced Protocols
5.1 Zero-Knowledge Proofs
5.2 Zero-Knowledge Proofs of Identity
5.3 Blind Signatures
5.4 Identity-Based Public-Key Cryptography
5.5 Oblivious Transfer
5.6 Oblivious Signatures
5.7 Simultaneous Contract Signing
5.8 Digital Certified Mail
5.9 Simultaneous Exchange of Secrets
Chapter 6 — Esoteric Protocols
6.1 Secure Elections
6.2 Secure Multiparty Computation
6.3 Anonymous Message Broadcast
6.4 Digital Cash
Part II — Cryptographic Techniques
Chapter 7 — Key Length
7.1 Symmetric Key Length
7.2 Public-Key Key Length
7.3 Comparing Symmetric and Public-Key Key Length
7.4 Birthday Attacks against One-Way Hash Functions
7.5 How Long Should a Key Be?
7.6 Caveat Emptor
Chapter 8 — Key Management
8.1 Generating Keys
8.2 Nonlinear Keyspaces
8.3 Transferring Keys
8.4 Verifying Keys
8.5 Using Keys
8.6 Updating Keys
8.7 Storing Keys
8.8 Backup Keys
8.9 Compromised Keys
8.10 Lifetime of Keys
8.11 Destroying Keys
8.12 Public-Key Key Management
Chapter 9 — Algorithm Types and Modes
9.1 Electronic Codebook Mode
9.2 Block Replay
9.3 Cipher Block Chaining Mode
9.4 Stream Ciphers
9.5 Self-Synchronizing Stream Ciphers
9.6 Cipher-Feedback Mode
9.7 Synchronous Stream Ciphers
9.8 Output-Feedback Mode
9.9 Counter Mode
9.10 Other Block-Cipher Modes
9.11 Choosing a Cipher Mode
9.12 Interleaving
9.13 Block Ciphers versus Stream Ciphers
Chapter 10 — Using Algorithms
10.1 Choosing an Algorithm
10.2 Public-Key Cryptography versus Symmetric Cryptography
10.3 Encrypting Communications Channels
10.4 Encrypting Data for Storage
10.5 Hardware Encryption versus Software Encryption
10.6 Compression, Encoding, and Encryption
10.7 Detecting Encryption
10.8 Hiding Ciphertext in Ciphertext
10.9 Destroying Information
Part III — Cryptographic Algorithms
Chapter 11 — Mathematical Background
11.1 Information Theory
11.2 Complexity Theory
11.3 Number Theory
11.4 Factoring
11.5 Prime Number Generation
11.6 Discrete Logarithms in a Finite Field
Chapter 12 — Data Encryption Standard (DES)
12.1 Background
12.2 Description of DES
12.3 Security of DES
12.4 Differential and Linear Cryptanalysis
12.5 The Real Design Criteria
12.6 DES Variants
12.7 How Secure Is DES Today?
Chapter 13 — Other Block Ciphers
13.1 Lucifer
13.2 Madryga
13.3 NewDES
13.4 FEAL
13.5 REDOC
13.6 LOKI
13.7 Khufu and Khafre
13.8 RC2
13.9 IDEA
13.10 MMB
13.11 CA-1.1
13.12 Skipjack
Chapter 14 — Still Other Block Ciphers
14.1 GOST
14.2 CAST
14.3 Blowfish
14.4 SAFER
14.5 3-Way
14.6 Crab
14.7 SXAL8/MBAL
14.8 RC5
14.9 Other Block Algorithms
14.10 Theory of Block Cipher Design
14.11 Using One-Way Hash Functions
14.12 Choosing a Block Algorithm
Chapter 15 — Combining Block Ciphers
15.1 Double Encryption
15.2 Triple Encryption
15.3 Doubling the Block Length
15.4 Other Multiple Encryption Schemes
15.5 CDMF Key Shortening
15.6 Whitening
15.7 Cascading Multiple Block Algorithms
15.8 Combining Multiple Block Algorithms
Chapter 16 — Pseudo-Random-Sequence Generators and Stream Cip
16.1 Linear Congruential Generators
16.2 Linear Feedback Shift Registers
16.3 Design and Analysis of Stream Ciphers
16.4 Stream Ciphers Using LFSRs
16.5 A5
16.6 Hughes XPD/KPD
16.7 Nanoteq
16.8 Rambutan
16.9 Additive Generators
16.10 Gifford
16.11 Algorithm M
16.12 PKZIP
Chapter 17 — Other Stream Ciphers and Real Random-Sequence Ge
17.1 RC4
17.2 SEAL
17.3 WAKE
17.4 Feedback with Carry Shift Registers
17.5 Stream Ciphers Using FCSRs
17.6 Nonlinear-Feedback Shift Registers
17.7 Other Stream Ciphers
17.8 System-Theoretic Approach to Stream-Cipher Design
17.9 Complexity-Theoretic Approach to Stream-Cipher Design
17.10 Other Approaches to Stream-Cipher Design
17.11 Cascading Multiple Stream Ciphers
17.12 Choosing a Stream Cipher
17.13 Generating Multiple Streams from a Single Pseudo-Random-Sequen
17.14 Real Random-Sequence Generators
Chapter 18 — One-Way Hash Functions
18.1 Background
18.2 Snefru
18.3 N-Hash
18.4 MD4
18.5 MD5
18.6 MD2
18.7 Secure Hash Algorithm (SHA)
18.8 RIPE-MD
18.9 HAVAL
18.10 Other One-Way Hash Functions
18.11 One-Way Hash Functions Using Symmetric Block Algorithms
18.12 Using Public-Key Algorithms
18.13 Choosing a One-Way Hash Function
18.14 Message Authentication Codes
Chapter 19 — Public-Key Algorithms
19.1 Background
19.2 Knapsack Algorithms
19.3 RSA
19.4 Pohlig-Hellman
19.5 Rabin
19.6 ElGamal
19.7 McEliece
19.8 Elliptic Curve Cryptosystems
19.9 LUC
19.10 Finite Automaton Public-Key Cryptosystems
Chapter 20 — Public-Key Digital Signature Algorithms
20.1 Digital Signature Algorithm (DSA)
20.2 DSA Variants
20.3 GOST Digital Signature Algorithm
20.4 Discrete Logarithm Signature Schemes
20.5 Ong-Schnorr-Shamir
20.6 ESIGN
20.7 Cellular Automata
20.8 Other Public-Key Algorithms
Chapter 21 — Identification Schemes
21.1 Feige-Fiat-Shamir
21.2 Guillou-Quisquater
21.3 Schnorr
21.4 Converting Identification Schemes to Signature Schemes
Chapter 22 — Key-Exchange Algorithms
22.1 Diffie-Hellman
22.2 Station-to-Station Protocol
22.3 Shamir's Three-Pass Protocol
22.4 COMSET
22.5 Encrypted Key Exchange
22.6 Fortified Key Negotiation
22.7 Conference Key Distribution and Secret Broadcasting
Chapter 23 — Special Algorithms for Protocols
23.1 Multiple-Key Public-Key Cryptography
23.2 Secret-Sharing Algorithms
23.3 Subliminal Channel
23.4 Undeniable Digital Signatures
23.5 Designated Confirmer Signatures
23.6 Computing with Encrypted Data
23.7 Fair Coin Flips
23.8 One-Way Accumulators
23.9 All-or-Nothing Disclosure of Secrets
23.10 Fair and Failsafe Cryptosystems
23.11 Zero-Knowledge Proofs of Knowledge
23.12 Blind Signatures
23.13 Oblivious Transfer
23.14 Secure Multiparty Computation
23.15 Probabilistic Encryption
23.16 Quantum Cryptography
Part IV — The Real World
Chapter 24 — Example Implementations
24.1 IBM Secret-Key Management Protocol
24.2 MITRENET
24.3 ISDN
24.4 STU-III
24.5 Kerberos
24.6 KryptoKnight
24.7 SESAME
24.8 IBM Common Cryptographic Architecture
24.9 ISO Authentication Framework
24.10 Privacy-Enhanced Mail (PEM)
24.11 Message Security Protocol (MSP)
24.12 Pretty Good Privacy (PGP)
24.13 Smart Cards
24.14 Public-Key Cryptography Standards (PKCS)
24.15 Universal Electronic Payment System (UEPS)
24.16 Clipper
24.17 Capstone
24.18 AT&T Model 3600 Telephone Security Device (TSD)
Chapter 25 — Politics
25.1 National Security Agency (NSA)
25.2 National Computer Security Center (NCSC)
25.3 National Institute of Standards and Technology (NIST)
25.4 RSA Data Security, Inc.
25.5 Public Key Partners
25.6 International Association for Cryptologic Research (IACR)
25.7 RACE Integrity Primitives Evaluation (RIPE)
25.8 Conditional Access for Europe (CAFE)
25.9 ISO/IEC 9979
25.10 Professional, Civil Liberties, and Industry Groups
25.11 Sci.crypt
25.12 Cypherpunks
25.13 Patents
25.14 U.S. Export Rules
25.15 Foreign Import and Export of Cryptography
25.16 Legal Issues
Afterword by Matt Blaze
Part V — Source Code
References
Index
Foreword By Whitfield Diffie

The literature of cryptography has a curious history. Secrecy, of course, has always played a central role, but until the First World War, important developments appeared in print in a more or less timely fashion and the field moved forward in much the same way as other specialized disciplines. As late as 1918, one of the most influential cryptanalytic papers of the twentieth century, William F. Friedman's monograph The Index of Coincidence and Its Applications in Cryptography, appeared as a research report of the private Riverbank Laboratories [577]. And this, despite the fact that the work had been done as part of the war effort. In the same year Edward H. Hebern of Oakland, California filed the first patent for a rotor machine [710], the device destined to be a mainstay of military cryptography for nearly 50 years.

After the First World War, however, things began to change. U.S. Army and Navy organizations, working entirely in secret, began to make fundamental advances in cryptography. During the thirties and forties a few basic papers did appear in the open literature and several treatises on the subject were published, but the latter were farther and farther behind the state of the art. By the end of the war the transition was complete. With one notable exception, the public literature had died. That exception was Claude Shannon's paper "The Communication Theory of Secrecy Systems," which appeared in the Bell System Technical Journal in 1949 [1432]. It was similar to Friedman's 1918 paper, in that it grew out of wartime work of Shannon's. After the Second World War ended it was declassified, possibly by mistake.

From 1949 until 1967 the cryptographic literature was barren. In that year a different sort of contribution appeared: David Kahn's history, The Codebreakers [794]. It didn't contain any new technical ideas, but it did contain a remarkably complete history of what had gone before, including mention of some things that the government still considered secret. The significance of The Codebreakers lay not just in its remarkable scope, but also in the fact that it enjoyed good sales and made tens of thousands of people, who had never given the matter a moment's thought, aware of cryptography. A trickle of new cryptographic papers began to be written.

At about the same time, Horst Feistel, who had earlier worked on identification friend or foe devices for the Air Force, took his lifelong passion for cryptography to the IBM Watson Laboratory in Yorktown Heights, New York. There, he began development of what was to become the U.S. Data Encryption Standard; by the early 1970s several technical reports on this subject by Feistel and his colleagues had been made public by IBM [1482, 1484, 552].

This was the situation when I entered the field in late 1972. The cryptographic literature wasn't abundant, but what there was included some very shiny nuggets.

Cryptology presents a difficulty not found in normal academic disciplines: the need for the proper interaction of cryptography and cryptanalysis. This arises out of the fact that in the absence of real communications requirements, it is easy to propose a system that appears unbreakable. Many academic designs are so complex that the would-be cryptanalyst doesn't know where to start; exposing flaws in these designs is far harder than designing them in the first place. The result is that the competitive process, which is one strong motivation in academic research, cannot take hold.

When Martin Hellman and I proposed public-key cryptography in 1975 [496], one of the indirect aspects of our contribution was to introduce a problem that does not even appear easy to solve. Now an aspiring cryptosystem designer could produce something that would be recognized as clever—something that did more than just turn meaningful text into nonsense. The result has been a spectacular increase in the number of people working in cryptography, the number of meetings held, and the number of books and papers published.

In my acceptance speech for the Donald E. Fink award—given for the best expository paper to appear in an IEEE journal—which I received jointly with Hellman in 1980, I told the audience that in writing "Privacy and Authentication," I had an experience that I suspected was rare even among the prominent scholars who populate the IEEE awards ceremony: I had written the paper I had wanted to study, but could not find, when I first became seriously interested in cryptography. Had I been able to go to the Stanford bookstore and pick up a modern cryptography text, I would probably have learned about the field years earlier. But the only things available in the fall of 1972 were a few classic papers and some obscure technical reports.

The contemporary researcher has no such problem. The problem now is choosing where to start among the thousands of papers and dozens of books. The contemporary researcher, yes, but what about the contemporary programmer or engineer who merely wants to use cryptography? Where does that person turn? Until now, it has been necessary to spend long hours hunting out and then studying the research literature before being able to design the sort of cryptographic utilities glibly described in popular articles.

This is the gap that Bruce Schneier's Applied Cryptography has come to fill. Beginning with the objectives of communication security and elementary examples of programs used to achieve these objectives, Schneier gives us a panoramic view of the fruits of 20 years of public research. The title says it all; from the mundane objective of having a secure conversation the very first time you call someone to the possibilities of digital money and cryptographically secure elections, this is where you'll find it.

Not satisfied that the book was about the real world merely because it went all the way down to the code, Schneier has included an account of the world in which cryptography is developed and applied, and discusses entities ranging from the International Association for Cryptologic Research to the NSA.

When public interest in cryptography was just emerging in the late seventies and early eighties, the National Security Agency (NSA), America's official cryptographic organ, made several attempts to quash it. The first was a letter from a long-time NSA employee allegedly, avowedly, and apparently acting on his own. The letter was sent to the IEEE and warned that the publication of cryptographic material was a violation of the International Traffic in Arms Regulations (ITAR). This viewpoint turned out not even to be supported by the regulations themselves—which contained an explicit exemption for published material—but gave both the public practice of cryptography and the 1977 Information Theory Workshop lots of unexpected publicity.

A more serious attempt occurred in 1980, when the NSA funded the American Council on Education to examine the issue with a view to persuading Congress to give it legal control of publications in the field of cryptography. The results fell far short of NSA's ambitions and resulted in a program of voluntary review of cryptographic papers; researchers were requested to ask the NSA's opinion on whether disclosure of results would adversely affect the national interest before publication.

As the eighties progressed, pressure focused more on the practice than the study of cryptography. Existing laws gave the NSA the power, through the Department of State, to regulate the export of cryptographic equipment. As business became more and more international and the American fraction of the world market declined, the pressure to have a single product in both domestic and offshore markets increased. Such single products were subject to export control and thus the NSA acquired substantial influence not only over what was exported, but also over what was sold in the United States.

As this is written, a new challenge confronts the public practice of cryptography. The government has augmented the widely published and available Data Encryption Standard, with a secret algorithm implemented in tamper-resistant chips. These chips will incorporate a codified mechanism of government monitoring. The negative aspects of this "key-escrow" program range from a potentially disastrous impact on personal privacy to the high cost of having to add hardware to products that had previously encrypted in software. So far key escrow products are enjoying less than stellar sales and the scheme has attracted widespread negative comment, especially from the independent cryptographers. Some people, however, see more future in programming than politicking and have redoubled their efforts to provide the world with strong cryptography that is accessible to public scrutiny.

A sharp step back from the notion that export control law could supersede the First Amendment seemed to have been taken in 1980 when the Federal Register announcement of a revision to ITAR included the statement: "...provision has been added to make it clear that the regulation of the export of technical data does not purport to interfere with the First Amendment rights of individuals." But the fact that tension between the First Amendment and the export control laws has not gone away should be evident from statements at a conference held by RSA Data Security. NSA's representative from the export control office expressed the opinion that people who published cryptographic programs were "in a grey area" with respect to the law. If that is so, it is a grey area on which the first edition of this book has shed some light. Export applications for the book itself have been granted, with acknowledgement that published material lay beyond the authority of the Munitions Control Board. Applications to export the enclosed programs on disk, however, have been denied.

The shift in the NSA's strategy, from attempting to control cryptographic research to tightening its grip on the development and deployment of cryptographic products, is presumably due to its realization that all the great cryptographic papers in the world do not protect a single bit of traffic. Sitting on the shelf, this volume may be able to do no better than the books and papers that preceded it, but sitting next to a workstation, where a programmer is writing cryptographic code, it just may.

Whitfield Diffie
Mountain View, CA
Chapter 1
Foundations

1.1 Terminology

Sender and Receiver

Suppose a sender wants to send a message to a receiver. Moreover, this sender wants to send the message securely: She wants to make sure an eavesdropper cannot read the message.

Messages and Encryption

A message is plaintext (sometimes called cleartext). The process of disguising a message in such a way as to hide its substance is encryption. An encrypted message is ciphertext. The process of turning ciphertext back into plaintext is decryption. This is all shown in Figure 1.1.

(If you want to follow the ISO 7498-2 standard, use the terms "encipher" and "decipher." It seems that some cultures find the terms "encrypt" and "decrypt" offensive, as they refer to dead bodies.)

The art and science of keeping messages secure is cryptography, and it is practiced by cryptographers. Cryptanalysts are practitioners of cryptanalysis, the art and science of breaking ciphertext; that is, seeing through the disguise. The branch of mathematics encompassing both cryptography and cryptanalysis is cryptology and its practitioners are cryptologists. Modern cryptologists are generally trained in theoretical mathematics—they have to be.

Figure 1.1 Encryption and Decryption.

Plaintext is denoted by M, for message, or P, for plaintext. It can be a stream of bits, a text file, a bitmap, a stream of digitized voice, a digital video image... whatever. As far as a computer is concerned, M is simply binary data. (After this chapter, this book concerns itself with binary data and computer cryptography.) The plaintext can be intended for either transmission or storage. In any case, M is the message to be encrypted.

Ciphertext is denoted by C. It is also binary data: sometimes the same size as M, sometimes larger. (By combining encryption with compression, C may be smaller than M. However, encryption does not accomplish this.) The encryption function E operates on M to produce C. Or, in mathematical notation:

E(M) = C

In the reverse process, the decryption function D operates on C to produce M:

D(C) = M

Since the whole point of encrypting and then decrypting a message is to recover the original plaintext, the following identity must hold true:

D(E(M)) = M

Authentication, Integrity, and Nonrepudiation

In addition to providing confidentiality, cryptography is often asked to do other jobs:

— Authentication. It should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.
— Integrity. It should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder should not be able to substitute a false message for a legitimate one.
— Nonrepudiation. A sender should not be able to falsely deny later that he sent a message.

These are vital requirements for social interaction on computers, and are analogous to face-to-face interactions. That someone is who he says he is... that someone's credentials—whether a driver's license, a medical degree, or a passport—are valid... that a document purporting to come from a person actually came from that person.... These are the things that authentication, integrity, and nonrepudiation provide.

Algorithms and Keys

A cryptographic algorithm, also called a cipher, is the mathematical function used for encryption and decryption. (Generally, there are two related functions: one for encryption and the other for decryption.)

If the security of an algorithm is based on keeping the way that algorithm works a secret, it is a restricted algorithm. Restricted algorithms have historical interest, but are woefully inadequate by today's standards. A large or changing group of users cannot use them, because every time a user leaves the group everyone else must switch to a different algorithm. If someone accidentally reveals the secret, everyone must change their algorithm.

Even more damning, restricted algorithms allow no quality control or standardization. Every group of users must have their own unique algorithm. Such a group can't use off-the-shelf hardware or software products; an eavesdropper can buy the same product and learn the algorithm. They have to write their own algorithms and implementations. If no one in the group is a good cryptographer, then they won't know if they have a secure algorithm.

Despite these major drawbacks, restricted algorithms are enormously popular for low-security applications. Users either don't realize or don't care about the security problems inherent in their system.

Modern cryptography solves this problem with a key, denoted by K. This key might be any one of a large number of values. The range of possible values of the key is called the keyspace. Both the encryption and decryption operations use this key (i.e., they are dependent on the key and this fact is denoted by the K subscript), so the functions now become:

E_K(M) = C
D_K(C) = M

Those functions have the property that (see Figure 1.2):

D_K(E_K(M)) = M

Some algorithms use a different encryption key and decryption key (see Figure 1.3). That is, the encryption key, K1, is different from the corresponding decryption key, K2. In this case:

E_K1(M) = C
D_K2(C) = M
D_K2(E_K1(M)) = M

All of the security in these algorithms is based in the key (or keys); none is based in the details of the algorithm. This means that the algorithm can be published and analyzed. Products using the algorithm can be mass-produced. It doesn't matter if an eavesdropper knows your algorithm; if she doesn't know your particular key, she can't read your messages.

Figure 1.2 Encryption and decryption with a key.
Figure 1.3 Encryption and decryption with two different keys.

A cryptosystem is an algorithm, plus all possible plaintexts, ciphertexts, and keys.
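A worked version of the notation above, added here and not taken from the book: a keyed algorithm whose description is entirely public (keystream derived from K and a nonce with HMAC-SHA256, XORed into the message) so that E_K(M) = C, D_K(C) = M and D_K(E_K(M)) = M hold for every K in the keyspace, placed beside a constructed "restricted" algorithm whose only secret is a table baked into the code. The cipher construction, the key and nonce sizes and the sample plaintext are this example's own assumptions; the page describes no particular cipher.

```python
"""Keyed versus restricted encryption (added example; not code from the book).

Demonstrates the section's notation concretely:
    E_K(M) = C,   D_K(C) = M,   D_K(E_K(M)) = M
with an algorithm whose every detail is public and whose only secret is K,
next to a "restricted" algorithm whose only secret is how it works.
"""
import hashlib
import hmac
import secrets

# --- Restricted algorithm: the secret IS the algorithm (constructed example). --
# A fixed byte permutation baked into the code. 167 is odd, so i*167+41 mod 256
# visits every byte value exactly once. Whoever obtains the product can invert
# it; there is no key, hence no keyspace and no recovery once the table leaks.
_TABLE = bytes((i * 167 + 41) % 256 for i in range(256))
_INVERSE = bytes(_TABLE.index(v) for v in range(256))


def restricted_encrypt(m: bytes) -> bytes:
    return bytes(_TABLE[b] for b in m)


def restricted_decrypt(c: bytes) -> bytes:
    return bytes(_INVERSE[b] for b in c)


# --- Keyed algorithm: the description is public, only K is secret. ------------
# Keystream block i = HMAC-SHA256(K, nonce || i), XORed into the data. This is a
# teaching construction chosen so the example runs with the standard library
# alone; it is not a cipher the book recommends. The nonce must be fresh per
# message, otherwise two ciphertexts under one key leak the XOR of their
# plaintexts.
KEY_BYTES = 16
NONCE_BYTES = 12
KEYSPACE_SIZE = 256 ** KEY_BYTES        # 2**128 possible values of K


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def E(key: bytes, m: bytes, nonce: bytes) -> bytes:
    """E_K(M) = C."""
    if len(key) != KEY_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError("key or nonce has the wrong length")
    ks = _keystream(key, nonce, len(m))
    return bytes(a ^ b for a, b in zip(m, ks))


def D(key: bytes, c: bytes, nonce: bytes) -> bytes:
    """D_K(C) = M. XOR is its own inverse, so D_K is E_K applied to C."""
    return E(key, c, nonce)


def demonstrate(m: bytes = b"meet me at the usual place") -> dict:
    """Round-trip M under a random K and show that the key, not the algorithm,
    carries the security: a second key drawn from the same keyspace, fed to the
    same public algorithm, does not recover M."""
    k = secrets.token_bytes(KEY_BYTES)
    nonce = secrets.token_bytes(NONCE_BYTES)
    c = E(k, m, nonce)
    other = secrets.token_bytes(KEY_BYTES)
    return {
        "same_size": len(c) == len(m),             # C is the same size as M here
        "round_trip": D(k, c, nonce) == m,         # D_K(E_K(M)) = M
        "wrong_key_fails": D(other, c, nonce) != m,
        "restricted_round_trip": restricted_decrypt(restricted_encrypt(m)) == m,
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```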
Symmetric Algorithms

There are two general types of key-based algorithms: symmetric and public-key. Symmetric algorithms, sometimes called conventional algorithms, are algorithms where the encryption key can be calculated from the decryption key and vice versa. In most symmetric algorithms, the encryption key and the decryption key are the same. These algorithms, also called secret-key algorithms, single-key algorithms, or one-key algorithms, require that the sender and receiver agree on a key before they can communicate securely. The security of a symmetric algorithm rests in the key; divulging the key means that anyone could encrypt and decrypt messages. As long as the communication needs to remain secret, the key must remain secret.

Encryption and decryption with a symmetric algorithm are denoted by:

E_K(M) = C
D_K(C) = M