What does the length of the encryption key mean. Cryptographic keys

The main purpose of an SSL certificate is to protect the data exchanged between client and server. To secure such a connection, modern browsers use the TLS protocol with X.509 certificates. TLS uses asymmetric encryption only to establish a session key for a symmetric cipher; that symmetric cipher then carries all data transferred after the secure connection has been set up.

What is a key in cryptography?

A key in cryptography is secret information used to encrypt and decrypt messages, to create and verify digital signatures, to compute message authentication codes, and so on. The strength of a key is characterised by its length, measured in bits. The "128-bit" or "256-bit" figure usually quoted for SSL certificates refers to the symmetric session key negotiated by TLS, not to the key inside the certificate: the RSA key in a server certificate is typically 2048 bits today, and root certificate keys should not be shorter than 4096 bits. All certification authorities we work with issue SSL certificates whose keys fully meet current standards.

Public and private keys in asymmetric encryption

Asymmetric encryption uses a pair of keys: a public key and a private (secret) key. Together they let the algorithm encrypt and decrypt: a message encrypted with the public key can be decrypted only with the matching private key. The public key is published in the owner's certificate and is available to every connecting client; the private key is kept by the certificate holder. The two keys are tied together by a mathematical relation, but deriving the private key from the public key is computationally infeasible within any practical time, in particular within the certificate's validity period. This is one reason the maximum validity of SSL certificates with higher protection levels is limited: at the time of writing, they can be ordered for at most 2 years. When ordering a new certificate or renewing an old one it is also important to generate a new CSR, since the CSR is bound to your private key, and issuing a new certificate is the right moment to replace that key. Simplified, the client and server interact as follows:
  1. the browser obtains the server's certificate, verifies it and extracts the server's public key;
  2. whatever the browser encrypts with that public key can be decrypted only by the server, with its private key;
  3. the server proves that it holds the private key (by signing handshake data, or, with the older RSA key exchange, by decrypting what the client encrypted to its public key);
  4. if client authentication is configured, the client presents its own certificate and proves possession of its key in the same way;
  5. after mutual authentication the client sends its contribution to the future session key encrypted under the server's public key (or the parties derive it with Diffie-Hellman), and both sides derive the same symmetric session key;
  6. all subsequent messages between client and server are encrypted and integrity-protected with that symmetric session key; the asymmetric keys are not used for the bulk data.
This provides several security properties:
  • an eavesdropper who intercepts the traffic cannot decrypt it, so information leakage is prevented;
  • the server proves its identity, so the client cannot be silently redirected to a look-alike site (phishing);
  • each client is assigned its own session key, which distinguishes it from other clients reliably;
  • once the secure session is established, every message is encrypted and authenticated under the session key, so it cannot be read or altered unnoticed.

In general, encryption with a public and a private key can be pictured as a box with two keys: whichever key locked the box, only the other key can unlock it. If the box was locked with the first key, only the second can open it; if it was locked with the second, the first is needed. The figure above illustrates this.

The amount of information in the key is usually measured in bits.

For modern symmetric algorithms (AES, CAST5, IDEA, Blowfish, Twofish) the main measure of cryptographic strength is the key length. Encryption with keys of 128 bits and above is considered strong, since recovering the plaintext without the key would require years of work by powerful supercomputers (in practice far longer: 2^128 trials are out of reach). For asymmetric algorithms based on number theory (the factoring problem for RSA, the discrete logarithm problem for ElGamal) the mathematical structure of the key makes much longer keys necessary; 1024 bits was long quoted as the minimum reliable length, but current guidance is 2048 bits or more. For asymmetric algorithms based on elliptic curves (ECDSA, GOST R 34.10-2001, DSTU 4145-2002), 163 bits was considered the minimum and 191 bits and above were recommended; 256-bit curves are standard today.
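As an added illustration (this is not code from the original page), the following Go program parses a public key in the DER form that certificates carry and classifies it by the symmetric-equivalent strength table from NIST SP 800-57 Part 1, flagging anything below 112 bits (RSA-2048, a 224-bit curve). The 112-bit policy threshold and the sample keys it generates are assumptions of the example; it goes slightly beyond the text by covering both RSA and elliptic-curve keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// KeyReport is the result of assessing one public key.
type KeyReport struct {
	Algorithm string
	Bits      int  // RSA modulus size or EC field size
	Security  int  // approximate symmetric-equivalent strength in bits
	Weak      bool // below the policy threshold
}

// Equivalence rows from the NIST SP 800-57 Part 1 comparison table:
// (minimum key size, symmetric security bits), checked in descending order.
var (
	rsaLevels = [][2]int{{15360, 256}, {7680, 192}, {3072, 128}, {2048, 112}, {1024, 80}}
	ecLevels  = [][2]int{{512, 256}, {384, 192}, {256, 128}, {224, 112}, {160, 80}}
)

func security(levels [][2]int, bits int) int {
	for _, l := range levels {
		if bits >= l[0] {
			return l[1]
		}
	}
	return 0 // smaller than any row: no meaningful strength
}

// minSecurity is this example's policy threshold (an assumption): 112 bits,
// i.e. RSA-2048 or a 224-bit curve, the usual minimum in current guidance.
const minSecurity = 112

// Assess parses a DER SubjectPublicKeyInfo, the encoding a certificate carries,
// and classifies the key it contains.
func Assess(der []byte) (KeyReport, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return KeyReport{}, err
	}
	switch k := pub.(type) {
	case *rsa.PublicKey:
		bits := k.N.BitLen()
		sec := security(rsaLevels, bits)
		return KeyReport{"RSA", bits, sec, sec < minSecurity}, nil
	case *ecdsa.PublicKey:
		bits := k.Curve.Params().BitSize
		sec := security(ecLevels, bits)
		return KeyReport{"ECDSA/" + k.Curve.Params().Name, bits, sec, sec < minSecurity}, nil
	default:
		return KeyReport{}, fmt.Errorf("unsupported key type %T", pub)
	}
}

// sampleD ER generates a fresh RSA key of the given size (or a P-256 key when
// rsaBits == 0) and returns its DER encoding; it only builds inputs for the demo.
func sampleDER(rsaBits int) []byte {
	var pub any
	if rsaBits == 0 {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		pub = &k.PublicKey
	} else {
		k, err := rsa.GenerateKey(rand.Reader, rsaBits)
		if err != nil {
			panic(err)
		}
		pub = &k.PublicKey
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	for _, bits := range []int{1024, 2048, 0} {
		r, err := Assess(sampleDER(bits))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s %5d-bit key  ~%3d-bit security  weak=%v\n", r.Algorithm, r.Bits, r.Security, r.Weak)
	}
}
```

To run the same check against a real certificate, feed Assess the RawSubjectPublicKeyInfo field of a parsed x509.Certificate; the table lookup is independent of where the key came from.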

In the symmetric methodology the same key is used for encryption and decryption by both sender and recipient, who agree on it before the exchange begins. If the key has not been compromised, decryption implicitly authenticates the sender: only the sender holds the key that could have produced the ciphertext, and only the recipient holds the key that can decrypt it. Since sender and recipient are the only two parties who know the symmetric key, compromising it compromises only the traffic between these two users. The problem, which also arises in other cryptosystems, is how to distribute the symmetric (secret) keys safely.

Symmetric algorithms use comparatively short keys and can encrypt large volumes of data quickly.

The procedure for using symmetric keys:

A symmetric secret key is generated securely, distributed and stored.

The sender computes a hash of the text and appends the result to the text. (The page calls this an "electronic signature"; since anyone can compute the hash, it is only an integrity check, and in modern practice a keyed MAC or an authenticated cipher takes its place.)

The sender applies a fast symmetric encryption/decryption algorithm with the secret key to the package (text plus appended hash) and obtains the ciphertext. This implicitly authenticates the sender, since only the sender and the recipient know the key: only the sender could have encrypted the package, and only the recipient can decrypt it.

The sender transmits the ciphertext. The symmetric secret key is never sent over an unprotected channel.

The recipient applies the same symmetric algorithm with the same key (already in the recipient's possession) to the ciphertext and recovers the text and the appended hash. Successful recovery authenticates someone who knows the secret key.

The recipient separates the hash from the text.

The recipient recomputes the hash over the received text.

The recipient compares the two hashes to check the integrity of the message (that it was not altered).
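The steps above as an added worked example in Go (this code is not from the original page): the sender appends SHA-256 of the text and encrypts the package under the shared key, the recipient decrypts and compares hashes. The page names no cipher mode, so AES-256 in CTR mode is assumed. The example also carries the caveat a practitioner wants here: because the hash is unkeyed, an attacker who knows the plaintext can rewrite the message so that the check still passes; an authenticated cipher (AES-GCM in the same block) rejects the same tampering. The sample message and key are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ctrXOR applies AES-CTR under key and iv to src and returns the result.
func ctrXOR(key, iv, src []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst, nil
}

// SealHashThenEncrypt follows the page's procedure: append SHA-256(text) to the
// text and encrypt the package under the shared key (AES-256-CTR is assumed).
// Output layout is IV || ciphertext.
func SealHashThenEncrypt(key, text []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(text)
	ct, err := ctrXOR(key, iv, append(append([]byte{}, text...), sum[:]...))
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// OpenHashThenEncrypt decrypts, splits off the hash and checks it.
func OpenHashThenEncrypt(key, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	pkg, err := ctrXOR(key, msg[:aes.BlockSize], msg[aes.BlockSize:])
	if err != nil {
		return nil, err
	}
	text, got := pkg[:len(pkg)-sha256.Size], pkg[len(pkg)-sha256.Size:]
	want := sha256.Sum256(text)
	if !bytes.Equal(got, want[:]) {
		return nil, errors.New("integrity check failed")
	}
	return text, nil
}

// Forge is the attacker: knowing the original text (not the key) it rewrites the
// ciphertext so that it decrypts to fake with a matching hash. CTR is a keystream
// XOR, so flipping plaintext bits means flipping ciphertext bits, and the new hash
// needs no secret to compute. fake must have the same length as known.
func Forge(msg, known, fake []byte) []byte {
	oldSum, newSum := sha256.Sum256(known), sha256.Sum256(fake)
	oldPkg := append(append([]byte{}, known...), oldSum[:]...)
	newPkg := append(append([]byte{}, fake...), newSum[:]...)
	out := append([]byte{}, msg...)
	for i := range oldPkg {
		out[aes.BlockSize+i] ^= oldPkg[i] ^ newPkg[i]
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAEAD and OpenAEAD are the hardened form: AES-256-GCM binds the ciphertext
// to the key with an authentication tag, so the bit flipping above is detected.
func SealAEAD(key, text []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, text, nil), nil
}

func OpenAEAD(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

func main() {
	key := bytes.Repeat([]byte{7}, 32)           // fixed demo key (constructed)
	known := []byte("PAY 0000100 TO ACCT 4711") // constructed sample message
	fake := []byte("PAY 9999999 TO ACCT 4711")  // attacker's choice, same length
	msg, _ := SealHashThenEncrypt(key, known)
	text, err := OpenHashThenEncrypt(key, Forge(msg, known, fake))
	fmt.Printf("hash-then-encrypt accepted %q, err=%v\n", text, err)
	sealed, _ := SealAEAD(key, known)
	sealed[len(sealed)-1] ^= 1 // flip one bit anywhere in the message
	_, err = OpenAEAD(key, sealed)
	fmt.Println("AES-GCM on the tampered message:", err)
}
```

The forgery works with any stream mode and, with a little more care, with CBC; the fix is not a different mode but a keyed check (HMAC over the ciphertext, or an AEAD such as GCM), which is what "only the sender could have produced this" actually requires.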

Systems available today that use the symmetric methodology include:

Kerberos, which was designed to authenticate access to network resources rather than to protect data. It uses a central database holding copies of the secret keys of all users.

ATM banking networks. These systems were developed in-house by the banks that own them and are not sold; they also use symmetric methods.

Comparison with asymmetric cryptosystems

Advantages

speed (according to Applied Cryptography, about three orders of magnitude faster)

ease of implementation (simpler operations)

shorter keys for comparable strength

better studied (a longer history)

Disadvantages

key management is complex in a large network. The number of key pairs that must be generated, transmitted, stored and destroyed grows quadratically, as n(n-1)/2 for n subscribers: a network of 10 subscribers needs 45 keys, 100 subscribers need 4950, 1000 need 499500, and so on.

key exchange is complex. Every key must be delivered reliably to both parties, which requires a secret channel for each key.

To compensate for these shortcomings of symmetric encryption, a combined (hybrid) scheme is now widely used: asymmetric encryption is used to transmit a session key, and the parties then exchange data under that key with symmetric encryption.

An important property of symmetric ciphers is that they cannot be used to prove authorship (non-repudiation), since both sides know the key.

In the asymmetric methodology the keys for encryption and decryption are different, although they are generated together. One key is made known to everyone and the other is kept secret. Either key can be used for the encrypting transformation, but data transformed with one key can only be recovered with the other.

All asymmetric cryptosystems are open to attacks that exploit the mathematical structure of the key (factoring, discrete logarithms), which are far more efficient than brute-force search, so their keys must be much longer than symmetric keys to give an equivalent level of protection. This directly affects the computational resources needed for encryption, although elliptic-curve algorithms soften the problem. Bruce Schneier, in "Applied Cryptography: Protocols, Algorithms, and Source Code in C", gives the following data on equivalent key lengths.

To avoid the low speed of asymmetric algorithms, a temporary symmetric key is generated for each message and only that key is encrypted asymmetrically. The message itself is encrypted with this temporary session key and a symmetric encryption/decryption algorithm. The session key is then encrypted with the recipient's public key and an asymmetric algorithm, and the encrypted session key is sent along with the encrypted message. The recipient uses the same asymmetric algorithm and its private key to decrypt the session key, and then uses the session key to decrypt the message.

In such systems it is important that the session key and the asymmetric keys offer a comparable level of security. If the session key is short (for example a 40-bit export-grade cipher), it does not matter how long the asymmetric keys are: attackers will go after the session keys, not the asymmetric ones. Asymmetric keys are exposed in a different way: they are long-lived and hard to replace, so an attacker has time to work on them. If an attacker learns a private key, not only the current message but all subsequent traffic between sender and recipient (and, without forward secrecy, all recorded past traffic) is compromised.

The procedure for using systems with asymmetric keys:

Asymmetric public and private keys are generated securely and distributed. The private key is handed to its owner. The public key is stored in an X.500 directory and administered by a certification authority (CA). Users of such a system must trust that keys are generated, distributed and administered securely. Moreover, if the party that generates the keys is not the party that administers them, the end user must trust that the generator really destroyed its copy.

An electronic signature of the text is created by computing its hash and encrypting (signing) the hash with the sender's private key; the resulting string is appended to the transmitted text. Only the sender can produce this signature.

A secret symmetric key is generated that will be used to encrypt only this message or session (a session key). The source text together with the appended electronic signature is encrypted with a symmetric encryption/decryption algorithm under this key, producing the ciphertext.

The session key must now be delivered to the recipient of the message.

The sender must have the public key of the certification authority (CA). Interception of unencrypted requests for this public key is a common form of attack. There may be a whole hierarchy of certificates confirming the authenticity of the CA's public key. The X.509 standard describes several ways for users to obtain the CA public key, but none of them is completely protected from substitution of that key, which shows that no system can by itself guarantee the authenticity of the CA public key: the trust anchor has to be obtained out of band.

The sender requests the recipient's public key from the CA. This step is vulnerable to an attacker who interposes between sender and recipient and modifies the traffic between them. Therefore the recipient's public key is signed by the CA: the CA has used its private key to sign the recipient's public key (together with the recipient's identity). Only the CA knows its private key, which guarantees that the recipient's public key was really obtained from the CA.

Having received the certificate, the sender verifies it with the CA's public key and the asymmetric encryption/decryption algorithm. Naturally this assumes that the CA has not been compromised; if it has, every user of that CA is exposed. Public keys of other users can be certified the same way, but then where does the confidence come from that they are not compromised?

The session key is now encrypted with the asymmetric encryption/decryption algorithm and the recipient's public key (obtained from the CA and verified).

The encrypted session key is attached to the ciphertext (which already contains the electronic signature).

The whole package (the ciphertext, which contains the source text and its electronic signature, plus the encrypted session key) is transmitted to the recipient. Since the encrypted session key travels over an unprotected network, it is an obvious target for attacks.

The recipient extracts the encrypted session key from the received package.

The recipient must now decrypt the session key.

The recipient must have the public key of the certification authority (CA).

Using its private key and the same asymmetric algorithm, the recipient decrypts the session key.

The recipient applies the same symmetric encryption/decryption algorithm with the decrypted session key to the ciphertext and recovers the source text together with the electronic signature.

The recipient separates the electronic signature from the source text.

The recipient requests the sender's public key.

Once this key (certificate) is obtained, the recipient verifies it with the CA's public key and the corresponding asymmetric algorithm.

The recipient then decrypts the signed hash with the sender's public key and the asymmetric algorithm.

The hash of the received source text is recomputed.

The two hashes are compared to verify that the text has not been altered.
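The hybrid scheme described above (a one-time session key for the message, the session key wrapped under the recipient's public key, the hash of the text signed with the sender's private key) as one added worked example in Go. It is not code from the original page, and the certificate-lookup steps are left out: the sender's and recipient's public keys are assumed to have already been obtained and verified through the CA. RSA-OAEP, RSA-PSS and AES-256-GCM are the concrete algorithms assumed; the envelope layout and the message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the untrusted network (layout assumed for the example).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce      []byte // AES-GCM nonce
	Body       []byte // AES-256-GCM(session key, text || signature)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randBytes draws n bytes from the CSPRNG for session keys and nonces.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal is the sender: sign the hash of text, encrypt text||signature under a
// fresh session key, wrap that key under the recipient's public key.
func Seal(text []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(text)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := randBytes(32) // used for this one message only
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	body := gcm.Seal(nil, nonce, append(append([]byte{}, text...), sig...), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, body}, nil
}

// Open is the recipient: unwrap the session key with its private key, decrypt the
// body, split off the signature and verify it with the sender's public key.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	pkg, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypting body: %w", err)
	}
	sigLen := senderPub.Size() // an RSA-PSS signature is exactly one modulus long
	if len(pkg) < sigLen {
		return nil, errors.New("body too short to hold a signature")
	}
	text, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	digest := sha256.Sum256(text)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return text, nil
}

// demoKeys generates three 2048-bit RSA key pairs: sender, recipient, attacker.
func demoKeys() (sender, recipient, mallory *rsa.PrivateKey) {
	gen := func() *rsa.PrivateKey {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		return k
	}
	return gen(), gen(), gen()
}

func main() {
	sender, recipient, mallory := demoKeys()
	env, err := Seal([]byte("meet at 10:00"), sender, &recipient.PublicKey) // constructed text
	if err != nil {
		panic(err)
	}
	text, err := Open(env, recipient, &sender.PublicKey)
	fmt.Printf("recipient read %q, err=%v\n", text, err)
	_, err = Open(env, recipient, &mallory.PublicKey) // wrong "sender" key: signature fails
	fmt.Println("against Mallory's key:", err)
}
```

Two details worth noticing: the signature is inside the encrypted body, so an eavesdropper cannot even tell who signed; and verification against the wrong public key fails, which is exactly why the sender's key must come through the CA rather than from whoever offers it.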

System Features

Application

Public-key algorithms can be used:

as a stand-alone means of protecting transmitted and stored information;

as a key distribution tool: keys are small, so public-key algorithms are used to transport them, while large data flows are handled by other (symmetric) algorithms;

as a user authentication tool.

Advantages: The advantage of asymmetric ciphers over symmetric ones is that there is no need to deliver a secret key in advance over a trusted channel.

In symmetric cryptography the key is kept secret by both sides; in an asymmetric cryptosystem only one side holds a secret.

With symmetric encryption the key should be changed after each exchange, whereas an asymmetric pair (E, D) can be left unchanged for a considerable time.

In large networks the number of keys in an asymmetric cryptosystem is significantly smaller than in a symmetric one.

Disadvantages: An advantage symmetric algorithms have over asymmetric ones is that it is relatively easy to make changes to the former.

Although messages are strongly encrypted, the sender and recipient reveal themselves by the very fact that an encrypted message was sent.

Asymmetric algorithms use longer keys than symmetric ones. Below is a table comparing the key length of a symmetric algorithm with that of an asymmetric algorithm of similar strength:

Encryption and decryption with a key pair is two to three orders of magnitude slower than encryption and decryption of the same text with a symmetric algorithm.

In pure form asymmetric cryptosystems require substantially more computing resources, so in practice they are used in combination with other algorithms.

For digital signatures (EDS) the message is hashed first, and only the relatively short hash value is signed with the asymmetric key.

For encryption they are used in hybrid cryptosystems: large volumes of data are encrypted with a symmetric cipher under a session key, and only the session key itself is transmitted under the asymmetric cipher.

In cryptography, linear cryptanalysis is a method of breaking ciphers that uses linear approximations to describe the cipher's operation.

Linear cryptanalysis was invented by the Japanese cryptologist Mitsuru Matsui. The attack, proposed in 1993 at EUROCRYPT '93, was originally aimed at breaking DES and FEAL. It was later extended to other algorithms and is today, together with differential cryptanalysis, one of the most common methods of attacking block ciphers. Variants for stream ciphers have also been developed.

The discovery of linear cryptanalysis spurred the design of new cryptographic schemes.

Principle of operation

The attack proceeds in two stages. The first is to find linear relations between plaintext, ciphertext and key bits that hold with a probability noticeably different from 1/2. The second is to use these relations, together with known plaintext-ciphertext pairs, to recover key bits.

Protection against linear cryptanalysis

To attack a block cipher with linear cryptanalysis it is sufficient, as described above, to obtain a linear relation whose probability is substantially displaced from 1/2. Accordingly, the first goal when designing a cipher resistant to this attack is to minimise such probability biases and make sure no such relation exists. In other words, any change to the text or key should flip, on average, exactly half of the ciphertext bits, with each bit changing with probability 1/2. This is usually achieved by choosing highly nonlinear S-boxes and ensuring good diffusion.
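An added example (not from the original page) of the first stage of the attack and of the design check in the paragraph above: it builds the linear approximation table of a 4-bit S-box, finds the mask pair with the largest bias, and combines per-round biases with Matsui's piling-up lemma. The S-box of the PRESENT cipher is used as a well-studied example of a highly nonlinear S-box and the identity mapping as the worst case; both tables are public constants, not secrets, and the four-round combination at the end is an illustrative assumption.

```go
package main

import (
	"fmt"
	"math/bits"
)

// SBox is a 4-bit substitution table: 16 entries, each in 0..15.
type SBox [16]uint8

// PRESENT is the S-box of the PRESENT block cipher, a well-studied 4-bit S-box.
var PRESENT = SBox{0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2}

// Identity passes every input bit straight through: the worst possible S-box.
var Identity = SBox{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}

// dot is the GF(2) inner product of two 4-bit values: the parity of mask & value.
func dot(mask, value uint8) int {
	return bits.OnesCount8(mask&value) & 1
}

// LAT computes the linear approximation table. Entry [a][b] is the number of
// inputs x for which the relation a·x = b·S(x) holds, minus 8 (half of 16).
// Zero means the approximation holds with probability exactly 1/2, i.e. no
// bias; a non-zero entry e has bias e/16, the quantity the attack exploits.
func LAT(s SBox) (t [16][16]int) {
	for a := 0; a < 16; a++ {
		for b := 0; b < 16; b++ {
			count := 0
			for x := 0; x < 16; x++ {
				if dot(uint8(a), uint8(x)) == dot(uint8(b), s[x]) {
					count++
				}
			}
			t[a][b] = count - 8
		}
	}
	return t
}

// MaxBias returns the LAT entry of largest magnitude over non-trivial output
// masks (b != 0) together with the masks that achieve it. The (0,0) entry is
// always +8 (the relation 0 = 0) and is excluded.
func MaxBias(s SBox) (entry, a, b int) {
	t := LAT(s)
	for ia := 0; ia < 16; ia++ {
		for ib := 1; ib < 16; ib++ {
			if abs(t[ia][ib]) > abs(entry) {
				entry, a, b = t[ia][ib], ia, ib
			}
		}
	}
	return
}

// PilingUp combines the biases of r independent approximations chained through
// the cipher (Matsui's piling-up lemma): total bias = 2^(r-1) * prod(eps_i).
func PilingUp(biases []float64) float64 {
	total := 0.5
	for _, e := range biases {
		total *= 2 * e
	}
	return total
}

func abs(v int) int {
	if v < 0 {
		return -v
	}
	return v
}

func main() {
	for name, s := range map[string]SBox{"PRESENT": PRESENT, "identity": Identity} {
		e, a, b := MaxBias(s)
		fmt.Printf("%-9s best mask pair a=%#x b=%#x: LAT entry %+d, bias %.3f\n", name, a, b, e, float64(e)/16)
	}
	// Four rounds each contributing the PRESENT S-box's best single-box bias of 1/4.
	fmt.Printf("piling-up over 4 such rounds: bias %.5f\n", PilingUp([]float64{0.25, 0.25, 0.25, 0.25}))
}
```

For the identity S-box the table contains an entry of +8: a relation that holds for every input, which is what "linear" means here. For PRESENT the largest entry is 4, a bias of 1/4, and Matsui's lemma shows how quickly that shrinks when several rounds must be approximated at once; the number of known plaintexts an attacker needs grows roughly as 1/bias^2.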

This approach gives good grounds for confidence in a cipher's strength, but to prove resistance to linear cryptanalysis rigorously, cipher designers must take into account a more complex phenomenon, the linear hull effect.

A somewhat more general theory for proving security against attacks based on linear cryptanalysis relies on the concept of decorrelation. It introduces a so-called decorrelation module that effectively blocks the propagation of traditional linear and differential characteristics. Note that ciphers optimised against some narrow class of attacks are usually weak against other types of attack.

Key management (KM) is such an important and well-developed area of cryptography that it deserves separate, detailed treatment. A KM system is assigned a large set of functions that provide the basic and newly acquired properties of the cryptosystems it serves. Such schemes may store keys, transport them, encrypt them (that is, provide confidentiality), authenticate them, escrow them and split them. The only property all KM systems share is that, as the result of a series of transformations, they must produce the cryptosystem key (symmetric or asymmetric) under which the main encryption takes place. The technical implementation of public-key management is the public key infrastructure (PKI).

Depending on which type of key the KM system ultimately produces, KM systems are divided into symmetric-key management systems and asymmetric-key management systems. Symmetric-key management systems are further divided into systems with pre-established master keys and systems with no initial shared information. Key escrow systems and secret-sharing systems are treated separately. Unfortunately this section cannot cover even half of the KM schemes and the cryptographic protocols built on them: researchers have developed more than a hundred different schemes. The introduction of a third party into cryptographic operations, trusted entities with various functions and powers, has generated a whole wave of protocols providing new cryptosystem properties (revocation, confirmation of the date/time of signing, key escrow, and so on).

Key management with pre-established secrets

All symmetric-key management systems, regardless of how many participants are involved, are classified first of all into systems in which protected channels (that is, shared secret master keys) already exist between the parties and systems in which no such channel exists. In the first case the goal of the key management system is either to generate session keys, to refresh key material or, most commonly, to exchange a secret key between two subscribers who have no direct key yet but are linked by a chain of trust (for example through a common acquaintance). In the second case, when two users share no secret information at all, they must establish a key in such a way that an attacker cannot obtain a "third" copy of it.

The case where two subscribers can already communicate over a protected channel and wish to exchange fresh key material contains almost no subtleties. One need only prevent an attacker from replaying a previously intercepted packet carrying old key material; for this the system includes incrementing counters and/or date/time stamps.

Of somewhat more interest are systems with three parties: two subscribers and a trusted key server. The server serves a large number of equal clients and shares a protected channel (an already exchanged key) with each of them. At some point two of its clients, who have never communicated before, wish to exchange private information.

In this situation the classic session key establishment protocol looks roughly as follows. The calling subscriber is A, the called subscriber B and the trusted server S; the key A and S exchanged in advance is "AS", the key shared by B and S is "BS".

Key establishment without prior shared secrets

Protocols of this class must create identical key material at two subscribers using only messages sent over open channels, and do so in such a way that any third party who has observed the entire exchange cannot obtain the key. At first glance the task seems intractable, but methods of achieving it exist and are very reliable. Such protocols are based on schemes closely resembling asymmetric encryption.

All parties first agree on a large prime number p (which is not secret). Any two subscribers A and B who wish to establish a secret session key proceed as follows:

A and B each choose a large random exponent (a and b respectively) that is coprime to p-1, compute its inverse modulo p-1 (a^-1 mod (p-1) and b^-1 mod (p-1)), and keep both values secret on their own systems. The inverse is taken modulo p-1, not modulo p, so that x^(a * a^-1) = x mod p.

The caller A generates the session key K (1 < K < p-1), raises it to the power a modulo p and sends the result to the called party: M1 = K^a mod p.

The called party B raises the received value to the power b and sends it back: M2 = M1^b mod p = K^(ab) mod p.

The caller A strips its own exponent using the inverse of a and sends the result back: M3 = M2^(a^-1) mod p = K^b mod p.

Finally, B removes its exponent with the inverse of b and obtains the session key: K = M3^(b^-1) mod p.

(This is Shamir's three-pass protocol. On its own it authenticates neither party.)
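The three-pass exchange above as an added worked example in Go (not code from the page), with each side keeping its exponent and the inverse taken modulo p-1. The 512-bit prime, the random choice of exponents and the range of the session key are assumptions of the example. The caveat stands: the transcript hides K from an eavesdropper, but nothing authenticates the parties, so a man in the middle can run the protocol separately with each side.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Party holds one subscriber's secret exponent e and its inverse modulo p-1.
type Party struct{ e, eInv *big.Int }

// NewParty picks a random exponent coprime to p-1 so that the inverse exists.
// Then for any K in 1..p-1, (K^e)^eInv == K (mod p) by Fermat's little theorem,
// which is why the inverse is taken modulo p-1 and not modulo p.
func NewParty(p *big.Int) (*Party, error) {
	pm1 := new(big.Int).Sub(p, big.NewInt(1))
	for tries := 0; tries < 1000; tries++ {
		e, err := rand.Int(rand.Reader, pm1)
		if err != nil {
			return nil, err
		}
		if e.Cmp(big.NewInt(1)) <= 0 {
			continue // e = 0 or 1 would leak K directly
		}
		if inv := new(big.Int).ModInverse(e, pm1); inv != nil {
			return &Party{e, inv}, nil
		}
	}
	return nil, errors.New("no invertible exponent found")
}

// Lock applies the party's exponent: m^e mod p. Unlock removes it: m^(e^-1) mod p.
func (q *Party) Lock(m, p *big.Int) *big.Int   { return new(big.Int).Exp(m, q.e, p) }
func (q *Party) Unlock(m, p *big.Int) *big.Int { return new(big.Int).Exp(m, q.eInv, p) }

// ThreePass runs the exchange between caller A and callee B over public prime p
// for session key K (1 < K < p-1). It returns what B recovers and the three
// values an eavesdropper sees:
//
//	M1 = K^a mod p              A -> B
//	M2 = M1^b = K^(ab) mod p    B -> A
//	M3 = M2^(a^-1) = K^b mod p  A -> B
//	K  = M3^(b^-1) mod p        computed by B
func ThreePass(p, k *big.Int, a, b *Party) (recovered *big.Int, transcript [3]*big.Int) {
	m1 := a.Lock(k, p)
	m2 := b.Lock(m1, p)
	m3 := a.Unlock(m2, p)
	return b.Unlock(m3, p), [3]*big.Int{m1, m2, m3}
}

// RandomSessionKey draws K uniformly from 2..p-2.
func RandomSessionKey(p *big.Int) (*big.Int, error) {
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(p, big.NewInt(3)))
	if err != nil {
		return nil, err
	}
	return k.Add(k, big.NewInt(2)), nil
}

func main() {
	// A 512-bit prime keeps the demo quick; real use needs a far larger p.
	p, err := rand.Prime(rand.Reader, 512)
	if err != nil {
		panic(err)
	}
	a, _ := NewParty(p)
	b, _ := NewParty(p)
	k, _ := RandomSessionKey(p)
	got, tr := ThreePass(p, k, a, b)
	fmt.Println("B recovered K:", got.Cmp(k) == 0)
	for i, m := range tr {
		fmt.Printf("M%d equals K in the clear: %v\n", i+1, m.Cmp(k) == 0)
	}
}
```

Note what the eavesdropper holds: K^a, K^ab and K^b modulo p. Recovering K from these is a discrete-logarithm-type problem, but the same structure means an active attacker who replaces A's messages with his own can complete a separate run with B, which is why this protocol is used only together with some form of authentication.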

Asymmetric cryptography, which seemed to solve the problem of message confidentiality without first transmitting a secret key over a protected channel, in fact only moves the problem to a slightly different place. At a superficial glance an asymmetric system is simple: "find the recipient's public key, encrypt the message with it, and confidentiality is achieved." But here the man in the middle appears: he could have planted his own public key on various servers on the network under the recipient's name and mailing address. From then on he decrypts every letter with his private key, reads it and forwards it to the true recipient, re-encrypted under the genuine public key, which he of course knows. Digital signature (EDS) schemes do not save the situation if the attacker has substituted the public keys of both sender and recipient. These considerations lead to the conclusion that a protected channel is still needed in advance, to deliver the public key and mailing address, or at least a block of data confirming them (for example a hash of the public key).

Nevertheless, asymmetric technology achieved a far greater breakthrough in key distribution than symmetric technology did: certificates were invented. A certificate is a block of information containing data that uniquely identifies a subscriber, his public key and his transport address, signed with the digital signature of another party. The subscriber described in the certificate is called the key owner; the network subject who signed the certificate is the certifier (in the Russian Federation law "On Electronic Digital Signature", a certification centre). Suppose subscriber A has never communicated with subscriber C and cannot verify the authenticity of C's public key, but both A and C have communicated with a certain subscriber B. Then B can draw up a certificate for the key of C and sign it. Subscriber A, receiving the certificate and checking the signature of B, in whose public key he is confident, can from then on rely on the public key of C.

What is this "breakthrough" in key distribution? The most remarkable property of certificates is that they can be chained. Suppose subscribers A and D, who wish to communicate, cannot find a common acquaintance, but A knows a certain B, D knows a certain C, and B and C know each other. Then B can send A a certificate for the key of C, and C can send a certificate for the key of D. In the end A is confident that the public key of D in his hands is genuine. A chain of trust has been built that is in essence the very protected channel between A and D (sender and recipient) required earlier, but assembled, by a very simple and reliable scheme, from several protected channels that already existed. The ability to construct a protected channel "on demand" from several short, already existing ones is precisely the advantage of public-key cryptography.
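The chain A -> B -> C -> D from the paragraph above as an added example in Go using X.509 path validation (this is not code from the original page). It issues a root certificate for B, an intermediate for C signed by B and a leaf for D signed by C, then verifies D while trusting only B. It also shows that the substituted-key attack from the earlier paragraph (a look-alike certificate for D issued by an authority A does not trust) is rejected, as is the honest leaf when its intermediate is missing. Names, the hostname d.example.test, serials and validity periods are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is one subject in the chain: its private key and its certificate.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Issue creates a certificate for name signed by parent (self-signed when parent is
// nil). CAs get the certificate-signing key usage; leaves get a DNS name and the
// server-auth extended key usage. Names, serials and validity are made up.
func Issue(name string, isCA bool, parent *Entity, serial int64) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{key, cert}, nil
}

// VerifyChain is subscriber A's check: trust only the roots A already holds, accept
// the intermediates presented, and require leaf to chain to a root and be valid for host.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err
}

// BuildAndCheck builds root B -> intermediate C -> leaf D and returns three results:
// the honest chain (A trusts B); a look-alike D issued by an attacker's own CA that
// A does not trust (key substitution); and D presented without its intermediate.
func BuildAndCheck() (honest, forged, missingLink, setup error) {
	issue := func(name string, isCA bool, parent *Entity, serial int64) *Entity {
		e, err := Issue(name, isCA, parent, serial)
		if err != nil && setup == nil {
			setup = err
		}
		return e
	}
	b := issue("B root", true, nil, 1)
	c := issue("C intermediate", true, b, 2)
	d := issue("d.example.test", false, c, 3)
	mallory := issue("Mallory CA", true, nil, 4)
	fakeD := issue("d.example.test", false, mallory, 5)
	if setup != nil {
		return nil, nil, nil, setup
	}
	roots := []*x509.Certificate{b.Cert}
	honest = VerifyChain(d.Cert, []*x509.Certificate{c.Cert}, roots, "d.example.test")
	forged = VerifyChain(fakeD.Cert, []*x509.Certificate{mallory.Cert}, roots, "d.example.test")
	missingLink = VerifyChain(d.Cert, nil, roots, "d.example.test")
	return honest, forged, missingLink, nil
}

func main() {
	honest, forged, missing, err := BuildAndCheck()
	if err != nil {
		panic(err)
	}
	fmt.Println("B -> C -> D:", honest)
	fmt.Println("Mallory -> fake D:", forged)
	fmt.Println("D without C:", missing)
}
```

The forged certificate is a perfectly valid X.509 object carrying the right name; it fails only because Mallory's signature does not lead back to any key A trusts. That is the whole content of "A is confident in B's public key" in the paragraph above: trust in the root is the one thing path validation cannot manufacture.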

Today the scheme described above is being developed very intensively worldwide. The main trends are as follows. First, entities have appeared whose sole function is to store and certify keys: certification authorities (CAs). Second, major software manufacturers have become active in building chains of trust. Indeed, if a user buys a licensed copy of software in a sealed corporate box with a hologram and other physical protection, substituting the keys stored on that disk becomes an order of magnitude harder. Holding several reliable public keys of large software vendors, the user can then build many chains of trust reaching millions of subscribers. The vendors in turn gain the ability to distribute authentic program updates over the network, signed with the same keys whose public halves were shipped on the original CD.

Standards for cryptographic algorithms

Standards exist for cryptographic algorithms. The security of algorithms that conform to the standards is carefully analysed by specialists. When working with official documents, only algorithms conforming to the standards may be used.

Different countries have different standards for algorithms. Software widely uses algorithms conforming to American standards, most often the RSA algorithm.

Russia has its own state standards for encryption and for generating and verifying electronic signatures: GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001.

To generate and verify an electronic signature, and to encrypt and decrypt documents, defined sequences of actions called cryptographic algorithms are used.

A cryptographic algorithm is a serious development that requires considerable specialist effort and must meet certain requirements. The same algorithm can be used by a large number of users to protect information, because algorithms are not secret.

Standards for cryptographic algorithms are officially adopted sets of requirements that the algorithms must satisfy. They differ between countries and change over time. Popular American algorithms such as RSA and DSA, which are often used in common software products, meet American standards.

Russia has also adopted state standards for cryptographic algorithms. Russian manufacturers, including Kryptok Ltd., use algorithms conforming to Russian standards in their software products.

Cryptographic keys serve as the secret information.

A cryptographic key is a sequence of symbols produced according to defined rules. It is used in the cryptographic transformations of text. Each cryptographic algorithm has its own requirements for how keys are created, and every key is created for a specific algorithm.

Cryptographic keys are used to ensure that an electronic signature cannot be reproduced and that encrypted text cannot be read by outsiders.

A modern cryptographic key is a sequence of numbers of a certain length, created according to defined rules from a sequence of random numbers. A new random sequence is drawn for each key; no sequence is used more than once. The random sequences are produced by special software components or hardware devices called random number generators (sensors).



Each algorithm places its own requirements for keys, so any cryptographic key is created for a specific algorithm and is used only with this algorithm.

If the generation of electronic signature and its check, or encryption and decrypt text are performed using the same key, this approach is called symmetric cryptography (respectively symmetric algorithms and symmetric keys). Operations of symmetric cryptography are performed quickly and relatively simple. But they require knowledge of the key of at least two people, which significantly increases the risk of compromising them (that is, access to unauthorized persons).

Therefore, now mainly used asymmetric cryptography. In asymmetric cryptography, the development of an electronic signature or encryption is performed on one key, and checking the signature or decryption - on the other, steam veneer.

In asymmetric cryptography, so-called key pairs are used. Each such pair consists of two related keys. One of these keys is the private key. It is known only to the owner of the key and under no circumstances should it be available to anyone else. The other key is the public key; it can be available to anyone.

Key information is understood as the totality of all keys operating in the system. If there is no sufficiently reliable and secure management of key information, the effect of applying cryptographic data protection can be reduced to zero: having stolen the keys, the violator gains access to all protected information. The key management process includes the implementation of three basic functions:

  • key generation;
  • key storage;
  • key distribution.

Key generation. Truly random and pseudo-random sequences. Keys should be generated in such a way that predicting the key value (even knowing how it will be generated) is practically impossible. Ideally, the probability of choosing a particular key from the set of permissible keys should equal 1/K, where K is the cardinality of the key set (the keys are equiprobable).

To obtain keys, hardware and software generators of random values are used. For systems with high security levels, hardware sensors based on random physical processes are considered preferable.

Thus, Intel developed a random number generator that uses the thermal noise of the system as input data. Other companies supply to the market devices called cryptographic accelerators, which also contain random number generators (Fig. 2.60). These hardware devices generate truly random sequences of numbers.

A sequence is called truly random if it cannot be reproduced. This means that if a truly random number generator is run twice with the same input, its output will be two different random sequences.

Fig. 2.60.

At the same time, due to their cheapness and the possibility of unlimited replication, software generators are the most common. It should be borne in mind that the sequence obtained in this case is pseudo-random: if the software generator is re-run with the same initial values, it will produce the same sequence (Fig. 2.61).

Software generators of pseudo-random numbers are periodic functions whose values are cyclically repeated. The length of a periodically repeated fragment of the pseudo-random sequence (within which there are no repetitions) is called the period of the generator function. The period is always finite, though possibly a very large number.

Fig. 2.61.

The simplest and best-known pseudo-random number generator is the linear congruential generator, which produces a sequence of numbers R(i):

where A and C are constants and R(0) is the initial value, chosen as the seed. The value M is usually set to 2^p, where p is the machine word length in bits. The generator has period M, after which the generated sequence begins to repeat. The numbers A and C must be chosen so that the period M is maximal. It is proved that this is achieved if and only if C is odd and A mod 4 = 1.

The linear congruential generator is not suitable for cryptographic purposes, since simple algorithms are known that allow the generator parameters to be fully recovered (and therefore the value of any member of the sequence to be predicted) from just a few elements of the sequence it generates.

For example, with known values R(0), R(1), R(2), R(3) (or any other four consecutive members of the pseudo-random sequence R(i)), the generator parameters can be obtained from a system of equations.

There are many other pseudo-random number generators, such as nonlinear congruential generators, linear feedback shift registers, the Mersenne Twister, etc., many of which have good speed characteristics but do not provide sufficient strength.

Examples of cryptographically strong pseudo-random number generators are the OFB mode of block ciphers (and its CTR modification), as well as the gamma (keystream) mode of the domestic cryptoalgorithm GOST 28147-89. In this case, keys are reserved specifically for generation tasks. The initial values may be taken, for example, from the timer of the computing system. In addition, cryptographically strong generators can be built using one-way hash functions.

A pseudo-random sequence generator for cryptographic tasks must meet the following requirements:

  • the generated sequence must be statistically indistinguishable, within acceptable computation time, from a truly random sequence;
  • knowing any initial part of the sequence must not allow the next bit of the sequence to be predicted within acceptable computation time.

To identify possible deviations from randomness, a number of statistical tests can be used:

  • classical statistical tests (testing the hypothesis of uniform distribution of the random variable by the chi-square method, tests for homogeneity and symmetry);
  • tests applicable to binary sequences (the runs test, the frequency and periodicity tests);
  • tests specifically designed or selected for cryptographic applications: the NIST tests (16 tests recommended by the US National Institute of Standards and Technology); the Diehard tests, known as among the most stringent; D. Knuth's tests based on the chi-square criterion; the adaptive "Book Stack" test, and others.

Blum - Blum - Shub generator. The simplest and, at the moment, most efficient cryptographically strong pseudo-random number generator is the BBS generator (Blum - Blum - Shub), named after its creators L. Blum, M. Blum and M. Shub and based on the theory of quadratic residues modulo n.

First, two large prime numbers p and q of approximately the same size are found which give remainder 3 when divided by 4.

To find the numbers p and q, one can first select random integers u and v, calculate p = 4u + 3, q = 4v + 3, and then test them for primality. If the resulting number is not prime, a new random value is chosen. Then n = pq, called the Blum number, is calculated. Next, a random integer s, 1 < s < n, is chosen that is coprime with n, gcd(s, n) = 1. The initial value of the generator is x_0 = s^2 mod n. The resulting x_0 is a random quadratic residue modulo n.

As the bits of the pseudo-random sequence PS of the required length L, the low-order bits of the numbers x_i are used.

An interesting feature of the BBS generator is that, knowing the factorization of the number n, it allows any bit of the sequence PS to be computed directly: any x_i can be calculated from the initial value x_0 and the index i alone.

With a correct choice of initial parameters, the BBS algorithm satisfies all statistical criteria for pseudo-random sequences. The BBS generator is unpredictable to the left and to the right, i.e. it is impossible to predict the previous or the next bit of the sequence from any part of it. The period of the pseudo-random sequence generated by the BBS generator is many times the size of the modulus n.

Example 2.11

Let us form a pseudo-random 4-bit sequence using the BBS generator.

Find the numbers p and q. Choose two random integers u = 3 and v = 5. Calculate p = 4·3 + 3 = 15; p = 15 is not prime and cannot be used in the BBS generator, while the number q = 4·5 + 3 = 23 is prime. Choose a new value u = 7: p = 4·7 + 3 = 31 is prime. The Blum number n = pq = 31·23 = 713.

Choose a random integer s coprime with n. Let s = 16, gcd(16, 713) = 1. Then:

As the sequence PS we take the low-order bits of the numbers x_i (0 if the number is even and 1 if it is odd), obtaining PS = 0110.

Suppose now we need to answer the question: what will be the 12th bit of the sequence PS?

Knowing the factorization of the number n (p = 31 and q = 23), we calculate x_12:

x_12 is even, so the 12th bit of the sequence PS will be zero.

The efficiency of the BBS generator can be increased without weakening the resulting sequence PS if not one but up to ⌊log2 r⌋ low-order bits of the numbers x_i are taken, where r is the number of binary digits of the Blum number n (i.e. approximately log2 log2 n low-order bits).

Example 2.12.

It is required to find the maximum number of low-order bits of the numbers x_i that can be used in the BBS generator without weakening it if n = 713.

Calculate log2(713 + 1) ≈ 9.48 (a one is added to account for coding zero); rounding up to the nearest integer we get r = 10, the number of binary digits of the number 713.

Calculate log2 10 ≈ 3.32; rounding down to the nearest integer we get 3. Thus, in an efficient implementation of the BBS generator, three low-order bits of the numbers x_i can be used (for comparison: log2 log2 713 ≈ 3.24, giving the same result of three low-order bits).
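The generator of Examples 2.11 and 2.12, as an added example in Go that is not the textbook's own code: the state update x_{i+1} = x_i^2 mod n, the direct computation of x_i from x_0 through λ(n) = lcm(p-1, q-1) that knowledge of the factorization makes possible, and the usable-low-bits count; the names NewBBS, XAt and UsableLowBits are this example's own.

```go
package main

import (
	"fmt"
	"math/big"
)

// BBS: the Blum modulus n = p*q, its factors (for direct access only) and x_i.
type BBS struct {
	n, p, q, x *big.Int
}

// NewBBS checks that p and q are primes congruent to 3 mod 4 and that the
// seed s is coprime with n, then sets x_0 = s^2 mod n.
func NewBBS(p, q, s int64) (*BBS, error) {
	bp, bq, bs := big.NewInt(p), big.NewInt(q), big.NewInt(s)
	three, four := big.NewInt(3), big.NewInt(4)
	for _, v := range []*big.Int{bp, bq} {
		if !v.ProbablyPrime(20) || new(big.Int).Mod(v, four).Cmp(three) != 0 {
			return nil, fmt.Errorf("%v is not a prime congruent to 3 mod 4", v)
		}
	}
	n := new(big.Int).Mul(bp, bq)
	if new(big.Int).GCD(nil, nil, bs, n).Cmp(big.NewInt(1)) != 0 {
		return nil, fmt.Errorf("seed %d is not coprime with n = %v", s, n)
	}
	return &BBS{n: n, p: bp, q: bq, x: new(big.Int).Exp(bs, big.NewInt(2), n)}, nil
}

// NextBit returns the low-order bit of the current x_i and advances the
// state by the BBS recurrence x_{i+1} = x_i^2 mod n.
func (g *BBS) NextBit() uint {
	bit := g.x.Bit(0)
	g.x = new(big.Int).Exp(g.x, big.NewInt(2), g.n)
	return bit
}

// Bits runs the generator for l steps and returns the bit string PS.
func (g *BBS) Bits(l int) string {
	out := make([]byte, l)
	for i := range out {
		out[i] = byte('0' + g.NextBit())
	}
	return string(out)
}

// XAt computes x_i directly from x_0 and i (possible only knowing n = p*q):
// x_i = x_0^(2^i mod lambda(n)) mod n, where lambda(n) = lcm(p-1, q-1).
func XAt(p, q, s, i int64) (*big.Int, error) {
	g, err := NewBBS(p, q, s) // g.x is x_0 here
	if err != nil {
		return nil, err
	}
	pm1 := new(big.Int).Sub(g.p, big.NewInt(1))
	qm1 := new(big.Int).Sub(g.q, big.NewInt(1))
	lcm := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), new(big.Int).GCD(nil, nil, pm1, qm1))
	e := new(big.Int).Exp(big.NewInt(2), big.NewInt(i), lcm) // 2^i mod lambda(n)
	return new(big.Int).Exp(g.x, e, g.n), nil
}

// UsableLowBits is Example 2.12: floor(log2 r) low-order bits of each x_i can
// be taken, where r = ceil(log2(n+1)) is the number of binary digits of n.
func UsableLowBits(n int64) int {
	r := big.NewInt(n).BitLen()
	return big.NewInt(int64(r)).BitLen() - 1
}

func main() {
	g, _ := NewBBS(31, 23, 16) // Example 2.11: n = 713, x_0 = 256
	fmt.Println("PS =", g.Bits(4)) // 0110
	x12, _ := XAt(31, 23, 16, 12)
	fmt.Println("x_12 =", x12, "bit 12 =", x12.Bit(0)) // 380, even -> 0
	fmt.Println("usable low bits for n = 713:", UsableLowBits(713)) // 3
}
```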

ANSI X9.17 standard. It seems natural to use cryptographic encryption algorithms for constructing a cryptographically strong pseudo-random number generator. The OFB, CTR or gamma modes (for GOST 28147-89) are suitable for this purpose. This method provides sufficient quality of the generated sequence, since the cryptographic gamma (keystream) has the necessary statistical characteristics. As with other pseudo-random number generators, the sequence will be periodic. Thus, the gamma mode of the GOST 28147-89 cipher has a repetition period of 64-bit blocks equal to 2^64 - 2^32.

One of the key generation schemes using a symmetric cipher is the ANSI X9.17 standard with the Triple DES algorithm (Triple DES, 3DES) with a double key (Fig. 2.62). Applications using this technology include PGP.


Fig. 2.62.

Let the function E_k(x) denote the encryption of x by the EDE algorithm (encryption - decryption - encryption) on a pre-generated key k = (k_1, k_2), which is used only for generating secret keys. Let the initialization vector IV_0 be an initial 64-bit value kept secret from the adversary, and T_i be the time stamp at which the i-th key was generated. Then the next random key R_i is calculated by the transformation

The next initialization vector value IV_{i+1}, which will be used to generate the next random number, is calculated as

The main purpose of the ANSI X9.17 generator is to obtain a large number of keys for multiple communication sessions.

Generally speaking, instead of 3DES any other strong encryption algorithm can be used, for example GOST 28147-89.

In practice, the need for additional calls to the encryption procedure (one in the case of the gamma mode and three in the ANSI X9.17 standard) makes generation very resource-intensive, which complicates its hardware implementation and determines the low speed of this method.

Currently, triple encryption is used (due to its low speed) only to change the initial values of the pseudo-random sequence generator; the sequence blocks themselves are formed by a single call of the encryption algorithm.
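An added example, not the textbook's own code: the ANSI X9.17 generator with two-key 3DES in Go. The update formulas R_i = E_k(E_k(T_i) ⊕ IV_i) and IV_{i+1} = E_k(E_k(T_i) ⊕ R_i) follow the X9.17 scheme as it is usually described and are assumed here, since the page's own formula lines did not survive; the key, IV and time stamps are constructed values.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// X917 is an ANSI X9.17 key generator on two-key Triple DES (EDE). The
// 3DES key k = (k1, k2) serves only to generate keys; seed is the secret
// 64-bit IV_i, replaced after every output.
type X917 struct {
	ede  func(dst, src []byte) // one 3DES encryption of a 64-bit block
	seed []byte
}

// NewX917 takes the 16-byte double key k1||k2 and the secret 8-byte IV_0.
func NewX917(k1k2, iv0 []byte) (*X917, error) {
	if len(k1k2) != 16 || len(iv0) != 8 {
		return nil, fmt.Errorf("need a 16-byte double DES key and an 8-byte IV")
	}
	// Go's TripleDES takes the 24-byte form k1||k2||k3; two-key 3DES has k3 = k1.
	block, err := des.NewTripleDESCipher(append(append([]byte{}, k1k2...), k1k2[:8]...))
	if err != nil {
		return nil, err
	}
	return &X917{ede: block.Encrypt, seed: append([]byte{}, iv0...)}, nil
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Next takes the 64-bit time stamp T_i of this generation and returns the
// key R_i, replacing the IV for the next call. Following X9.17:
//   R_i      = E_k(E_k(T_i) XOR IV_i)
//   IV_{i+1} = E_k(E_k(T_i) XOR R_i)
// i.e. the three encryption calls per key that the text counts.
func (g *X917) Next(t []byte) []byte {
	et, r, next := make([]byte, 8), make([]byte, 8), make([]byte, 8)
	g.ede(et, t)
	g.ede(r, xor(et, g.seed))
	g.ede(next, xor(et, r))
	g.seed = next
	return r
}

// Timestamp packs a nanosecond counter into the 8-byte T_i block.
func Timestamp(ns uint64) []byte {
	t := make([]byte, 8)
	binary.BigEndian.PutUint64(t, ns)
	return t
}

func main() {
	// Constructed demo values; a deployment draws k and IV_0 from a protected
	// source and feeds the real clock as T_i.
	k, _ := hex.DecodeString("0123456789abcdeffedcba9876543210")
	iv0, _ := hex.DecodeString("0011223344556677")
	g, _ := NewX917(k, iv0)
	for i := uint64(1); i <= 3; i++ {
		fmt.Printf("R_%d = %x\n", i, g.Next(Timestamp(i)))
	}
}
```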

Key spaces. The key space of a cipher is the set of all possible key values.

If every possible key provides equal cipher strength, i.e. there are no weak keys, one speaks of a homogeneous (linear) key space.

Inhomogeneous key spaces are used to protect against unauthorized use of cryptographic equipment.

One of the problems that military cryptographers have to solve is that, if strong cryptographic equipment falls into the hands of an opponent, it must be made as difficult as possible for the opponent to use it to protect their own communications. The first step towards solving this problem is the hardware implementation of the encryption algorithm as a module which the enemy cannot open in order to study the features of the algorithm.

Then one must ensure that the keys used have a special form. If the entered key deviates from this form, a significantly weaker cryptographic algorithm is applied to encrypt messages. It is desirable that the chance of accidentally obtaining a key of the special form needed for encryption with the strong algorithm be negligible. In this case the key space is inhomogeneous (nonlinear), since the keys are not equally strong.

One way to achieve nonlinearity of the key space is to divide the key used into two parts: the actual encryption key and a fixed check string obtained by a cryptographically strong method. After decrypting the check string, the cryptomodule compares the resulting plaintext with the reference; if they coincide it operates with the strong encryption algorithm, and on mismatch it uses the weaker algorithm.

An inhomogeneous key space is characterized by the following features:

  • encryption of information with the strong cryptoalgorithm E_k takes place only when a key of the special form is used;
  • the "correct" (strong) key has the form k = (k', F(k')), where k' is the actual encryption key of length n_k (|k'| = n_k), F is some cryptographic function, and |F(k')| = d, d < n_k;
  • the probability of accidentally obtaining a strong key is negligible and equal to 2^-d;
  • if the key supplied to the input is not strong, a significantly weaker algorithm E' is applied to encrypt the information.

For example, a block encryption algorithm with a 128-bit key can use a "composite" key of 192 bits. Then the probability of accidentally using the strong key will be quite small: only 2^-64.

It is also necessary to ensure that the difference in strength is not too conspicuous to the enemy, so that he does not suspect anything.
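The composite key from the paragraphs above, as an added example in Go that is not the textbook's code: a 128-bit k' with a 64-bit check string, as in the text's 192-bit example. Using a labelled, truncated hash as F and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math"
)

const (
	keyLen   = 16 // n_k: the 128-bit actual encryption key k'
	checkLen = 8  // d: the 64-bit check string F(k'); composite key = 192 bits
)

// checkString is F(k'). This example (an assumption, not the page's own
// method) uses a labelled, truncated SHA-256; the page's variant encrypts a
// reference plaintext and has the module decrypt and compare it.
func checkString(kPrime []byte) []byte {
	sum := sha256.Sum256(append([]byte("composite-key-check:"), kPrime...))
	return sum[:checkLen]
}

// MakeStrongKey builds the "correct" composite key k = (k', F(k')).
func MakeStrongKey(kPrime []byte) ([]byte, error) {
	if len(kPrime) != keyLen {
		return nil, fmt.Errorf("k' must be %d bytes", keyLen)
	}
	return append(append([]byte{}, kPrime...), checkString(kPrime)...), nil
}

// SelectAlgorithm models the cryptomodule's decision: the strong algorithm
// E_k runs only when the check string matches; otherwise the module
// silently falls back to the weaker E'_k with the same k'.
func SelectAlgorithm(composite []byte) (string, []byte, error) {
	if len(composite) != keyLen+checkLen {
		return "", nil, fmt.Errorf("composite key must be %d bits", 8*(keyLen+checkLen))
	}
	kPrime, tag := composite[:keyLen], composite[keyLen:]
	if subtle.ConstantTimeCompare(tag, checkString(kPrime)) == 1 {
		return "strong", kPrime, nil
	}
	return "weak", kPrime, nil
}

// ChanceOfStrongKey is the probability that a random 192-bit composite key
// passes the check: 2^-d = 2^-64.
func ChanceOfStrongKey() float64 { return math.Ldexp(1, -8*checkLen) }

func main() {
	kPrime := []byte("0123456789abcdef") // constructed 128-bit k'
	strong, _ := MakeStrongKey(kPrime)
	guessed := append(append([]byte{}, kPrime...), make([]byte, checkLen)...) // tag guessed as zeros
	for _, k := range [][]byte{strong, guessed} {
		alg, _, _ := SelectAlgorithm(k)
		fmt.Printf("%x -> %s\n", k, alg)
	}
	fmt.Printf("chance that a random composite key is strong: %g\n", ChanceOfStrongKey())
}
```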

Storage and distribution of keys. It is recommended to regularly replace the keys used in the system. When organizing the storage of symmetric encryption keys, working conditions must be provided such that secret keys are never written in the clear to media which an intruder can access. This requirement can be met by creating a key hierarchy. A three-level hierarchy implies dividing keys into:

  • master keys;
  • key-encryption keys;
  • data-encryption keys (session keys).

Session keys, the lowest level of the hierarchy, are used to encrypt data and authenticate messages. To protect these keys during transmission or storage, key-encryption keys are used, which should never be used as session keys. At the top level of the hierarchy is the master key. It is used to protect the second-level keys. To protect the master key in systems using only symmetric ciphers, non-cryptographic means must be applied, for example physical protection. In relatively small information systems a two-level key hierarchy can be used (master and session keys).

Currently, key distribution commonly uses public-key cryptography schemes, such as the Diffie - Hellman (DH) or Needham - Schroeder protocols, which provide mutual authentication of the parties with the formation of a shared secret key. An effective solution to the key distribution problem by means of symmetric cryptography is possible when a common trusted center (key server) is used.

When distributing keys between system subscribers, the following requirements must be met:

  • ensure the efficiency and accuracy of key distribution;
  • ensure the secrecy of key distribution.

Keys can be distributed:

  • using one or more key distribution centers (centralized distribution);
  • by direct exchange of session keys between network users (decentralized distribution).

Decentralized distribution of symmetric encryption keys requires a large number of keys (one for communication with each subscriber of the system), which must be securely distributed and then kept secret during storage.

Centralized distribution of symmetric encryption keys implies that each user has only one master key for interacting with the key distribution center. To exchange data with another subscriber, the user contacts the key server, which assigns a session symmetric key to this user and the corresponding subscriber. One of the best-known systems of centralized key distribution is the Kerberos protocol.

Secret communication networks that use centralized distribution of key information are better protected in the event of compromise of individual subscribers. Compromise of a subscriber means the situation when all information about this subscriber (including its secret keys) becomes known to the enemy. However, when the key server is compromised, the entire network of classified communication is compromised.



If the generation of an electronic signature and its verification, or the encryption and decryption of a text, are performed using the same key, the approach is called symmetric cryptography (and, correspondingly, symmetric algorithms and symmetric keys). Operations of symmetric cryptography are fast and relatively simple. But they require the key to be known to at least two people, which significantly increases the risk of its compromise (that is, of access by unauthorized persons).

Therefore, asymmetric cryptography is mainly used. In asymmetric cryptography, the generation of an electronic signature or encryption is performed with one key, and verification of the signature or decryption with the other, paired key.

In asymmetric cryptography, so-called key pairs are used. Each such pair consists of two related keys. One of these keys is the private key. It is known only to the owner of the key and under no circumstances should it be available to anyone else. The other key is the public key; it can be accessible to anyone.

To generate an EDS (electronic digital signature), the private key of the message author is required; to verify it, the public key. Thus, only the owner of the private key can create an EDS, while any user who has received the corresponding public key can verify it.

To encrypt text, the public key of the addressee is used; to decrypt it, the private key. Thus, anyone can encrypt a message, but only the owner of the corresponding private key, i.e. the addressee, can decrypt it.

The key pair used for working with the EDS (generating and verifying the EDS) is called the signature keys. The key pair used to encrypt and decrypt messages is called the exchange keys.

The problem with asymmetric cryptography is that encryption with asymmetric algorithms is much slower than with symmetric ones. In addition, if the encrypted text is intended for several addressees, a copy of the text must be included for each addressee, which dramatically increases both the message volume and the time required to encrypt it.

This problem is solved with the help of so-called hybrid cryptography.

During encryption, a one-time (so-called session) encryption key is created. This is a symmetric key, i.e. the same key is used both for encryption and for decryption. It is called one-time or session because it is used to encrypt/decrypt only one message.

The message is encrypted with the session encryption key. Since the message is encrypted with a symmetric algorithm, encryption of the message is quite fast.

Then the session encryption key itself is encrypted with an asymmetric algorithm on the recipient's public exchange key. Since the encryption key is a relatively small amount of data, encrypting it does not take much time.

The encrypted session key is included in the message.

As a result, the message becomes slightly larger in volume (due to the added encrypted session key), but encryption is much faster than if the message itself had been encrypted with an asymmetric algorithm.

If there are several recipients, the message is encrypted once with the session encryption key, and the key (a relatively small amount of data) is encrypted separately on each recipient's public exchange key. Thus, instead of several copies of the message encrypted for each recipient, the encrypted message contains one encrypted copy of the message and several copies of the one-time session key, each encrypted for one recipient. The volume of the encrypted message and the time required to encrypt it are significantly smaller than if the message were encrypted with an asymmetric algorithm for each recipient.

When the addressee receives the message, among the encrypted session keys included in it the one encrypted on this recipient's public exchange key is looked up. If such a key is found, it is decrypted using the recipient's private exchange key, and then the message itself is decrypted using the session key.

Thus the basic requirement of encryption with an asymmetric algorithm, that no one but the owner has access to the private exchange key, is preserved. To gain access to the session key, one must gain access to the private exchange key; and once the session key has been decrypted with the private exchange key, it is never used again, so it makes no sense to speak of its compromise.
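The hybrid scheme just described, as an added example in Go that is not the textbook's code: AES-GCM under the one-time session key, RSA-OAEP as the exchange-key algorithm, and one wrapped copy of the session key per recipient. The algorithm choices and the names Seal, Open and NewRecipientKey are this example's assumptions; the message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope: one symmetric ciphertext plus the session key wrapped once per recipient.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // recipient id -> RSA-OAEP(session key)
}

// NewRecipientKey makes a recipient's exchange key pair (2048-bit RSA in this example).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg once under a fresh 256-bit session key, then wraps only that key per recipient.
func Seal(msg []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	sessionKey, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, standard GCM nonce
	for _, b := range [][]byte{sessionKey, nonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil), WrappedKeys: map[string][]byte{}}
	for id, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[id] = w
	}
	return env, nil
}

// Open: pick the copy wrapped for this id, unwrap it with the private exchange key, decrypt once.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKeys[id]
	if !ok {
		return nil, errors.New("no session key wrapped for this recipient")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // session key is dropped after this
}

func main() {
	alice, _ := NewRecipientKey()
	env, _ := Seal([]byte("constructed message"), map[string]*rsa.PublicKey{"alice": &alice.PublicKey})
	pt, err := Open(env, "alice", alice)
	fmt.Println(string(pt), err, "wrapped copies:", len(env.WrappedKeys))
}
```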