What does the length of the encryption key mean. Public key cryptography

Many modern encryption algorithms with public key are based on the unidirectionality of the factorization function of a number that is the product of two large primes. These algorithms can also be subjected to a brute-force attack against secret key ciphers, with one difference: you don't need to try each key, you just need to be able to factor a large number.

Of course, factoring a large number is a difficult task. However, a reasonable question immediately arises, how difficult. Unfortunately for cryptographers, the complexity of the solution is reduced. Even worse, this difficulty is dropping at a much faster rate than previously expected. For example, in the mid-1970s, it was believed that factoring a number of 125 digits would take tens of quadrillion years. And just two decades later, with the help of computers connected to Internet networks, it was possible to factor out a number of 129 digits. This breakthrough was made possible by the fact that over the past 20 years, not only have new, faster, factorization methods been proposed large numbers, but also increased the performance of the computers used.

Therefore, a skilled cryptographer must exercise very great care and discretion when it comes to the length of the public key. It is necessary to take into account how valuable the information classified with its help is and how long it should remain secret to outsiders.

Why not take a 10,000-bit key? After all, then all the questions related to the strength of the asymmetric public key encryption algorithm based on factoring a large number will disappear. But the point is that ensuring that the cipher is sufficiently strong is not the only concern of the cryptographer. There are additional considerations affecting the choice of the key length, and among them are issues related to the practical implementation of the encryption algorithm for the selected key length.

To estimate the length of the public key, we will measure the computational power available to the cryptanalyst in the so-called pug-years, that is, the number of operations that a computer capable of operating at a speed of 1 million operations per second performs in a year. Let's say that a hacker has access to computer resources with a total computing power of 10,000 pug-years, a large corporation 107 pug-years, the government 109 pug-years. These are quite real numbers, considering that when implementing the above-mentioned project of decomposing a number of 129 digits, its participants used only 0.03 \% of the computing power of the Internet, and in order to achieve this, they did not need to take any extraordinary measures or go beyond law.

Suppose also that the computing power increases 10 times every 5 years, and the method that is used to factor large numbers into factors makes it possible to do this with the complexity indicated in Table. 6.3.

Table 6.3. The complexity of factoring large numbers

The assumptions made allow us to estimate the length of a strong public key depending on the period during which it is necessary to keep the data encrypted with its help in secret (Table 6.4). It should be remembered that public key cryptographic algorithms are often used to protect very valuable information for a very long period of time. For example, in electronic payment systems or during notarization electronic signature... The idea of ​​spending several months factoring a large number may seem very attractive to someone, if as a result they will be able to pay for their purchases with your credit card. In addition, I think that the prospect of being summoned 20 years later to a court hearing at which an inheritance case is being heard and defending the impossibility of forging your grandfather's electronic signature, which he used to draw up a will in your favor, does not smile at you at all.

With given in table. 6.4 Not all reputable cryptographers agree with the data. Some of them flatly refuse to make any long-term predictions, considering it useless. Others, for example, experts from the NSA, are overly optimistic, recommending for digital signature systems a public key length of only 512-1024 bits, which in the light of the data from Table. 6.4 is wholly inadequate to provide adequate long-term protection.

The reliability of a symmetric cryptosystem depends on the strength of the used cryptographic algorithm and on the length of the secret key. Suppose that the algorithm itself is perfect - it can only be opened by trying all possible keys... This type of cryptanalytic attack is called brute force attack. To apply this method, a cryptanalyst will need some ciphertext and the corresponding plaintext. For example, in the case of a block cipher, it is enough for him to have at his disposal one block of encrypted and corresponding plain text. This is not so difficult to do.

A cryptanalyst can know in advance the content of a message, and then intercept it when transmitted in encrypted form. According to some signs, he can also guess that the message sent is nothing more than text file prepared with a common editor, a computer image in a standard format, a file subsystem directory, or a database. It is important for the cryptanalyst that in each of these cases, several bytes are known in the plaintext of the intercepted cipher message, which will be enough for him to launch an attack with knowledge of the plaintext.

Calculating the complexity of a brute-force attack is fairly straightforward. If a key is 64 bits long, then a supercomputer that can test 1 million keys in 1 second will spend more than 5 thousand years checking all possible keys. If the key length is increased to 12cS bits, the same supercomputer will need 10 25 years to iterate over all the keys. The Universe has existed for only 10 "° years, so we can say that 10- is a sufficiently large margin of safety for those who use 128-5 keys.

However, before rushing to hastily invent a cryptosystem with a key length of 4 KB, remember the above assumption, namely: the encryption algorithm used is ideal in the sense that it can only be broken by brute force. To make sure of this in practice is not as easy as it might seem at first glance. Cryptography requires sophistication and patience. New super-complex cryptosystems, on closer examination, often turn out to be very unstable. And making even tiny changes to a strong cryptographic algorithm can significantly reduce its strength. Therefore, it is necessary to use only proven ciphers, which have been known for many years, and not be afraid to be morbidly suspicious of the latest encryption algorithms, regardless of the statements of their authors about the absolute reliability of these algorithms.

It is also important not to forget about the Kerkhoff rule: the strength of the encryption algorithm should be determined by the key, and not by the details of the algorithm itself. To be sure of the strength of the cipher used, it is not enough to analyze it, provided that the adversary is thoroughly familiar with the encryption algorithm. It is also necessary to consider an attack on this algorithm, in which the enemy can receive any amount of encrypted and corresponding plaintext. Moreover, to improve reliability, it should be assumed that the cryptanalyst has the ability to organize an attack with a chosen plaintext of arbitrary length.

Fortunately, in real life, most people interested in the contents of your encrypted files do not have the high-level expertise and computing resources that the governments of the world's superpowers have at their disposal. The latter are unlikely to waste time and money to read your passionate purely personal message. However, if you plan to overthrow "Anti-national government ”, you need to seriously think about the strength of the encryption algorithm used.

The complexity and cost of a brute-force attack

A brute-force attack is usually a type of plaintext attack. Assuming a brute-force attack is the most effective of the possible attacks against the symmetric encryption algorithm you are using. then the key must be long enough to successfully repel this attack. How long?

Among the parameters that must be taken into account when considering a brute-force attack, first of all, it is necessary to mention

The total number of keys to be verified and the time spent by the adversary to verify one key. The number of keys for a particular algorithm is usually fixed. For example, the DES algorithm uses a 56-bit key. This means that its key space contains 2 56 keys.

The speed of key verification is less important than the number of keys. For simplicity of presentation, we can assume that regardless of the encryption algorithm, the time it takes to verify one key is the same. In practice, this assumption is incorrect, and for different cryptographic algorithms, this time can differ tens of times. Since our goal is to find a key length at which the strength of the encryption algorithm against a brute-force attack is millions of times higher than the limit that makes this attack unfeasible in practice, our assumption is quite justified.

When deciding on a sufficient key length, the DES algorithm is most often considered as an encryption algorithm. In 1977 the American cryptologists W. Diffie (W.Diffie) and M. Hellman (M.Hellman) stated that at the current level of development computer technology it is possible to build a specialized supercomputer for cracking DES keys by brute force method. With 1 million microcircuits, each of which is capable of checking 1 million keys per second, this supercomputer would go through all 2,56 keys in 20 hours.

A brute-force attack is ideal for implementation on a parallel supercomputer with many processors. Individual processors searching for a key do not need to establish communication with other processors of the supercomputer during their part of the search. Consequently, all the processors of a specialized supercomputer designed for parallel search for keys are not necessarily located even in the same city, let alone in one room.

In 1993, the American cryptologist M. Wiener (M.Wiener) designed a supercomputer for a brute-force attack on the DES algorithm. Wiener's reasoning is true not only for the DES-algorithm, but also for almost any other encryption algorithm. The supercomputer, developed by Wiener, consists of specialized microcircuits, boards and racks. According to Wiener, in order to guarantee the opening of a 56-bit key in 7 hours, the manufacture of such a supercomputer will require no more than $ 1 million. By Moore's Law, the computing power of computers is captured every 18 months. Therefore, by 2001, the cost of the supercomputer invented by Wiener will decrease 10 times and amount to only 100 thousand dollars. This means that already now large companies and "Cool»Criminal structures can crack 56-bit keys. 64-bit keys are available to military cryptanalysts in most industrialized countries.

In 1996, Diffie, Wiener and other authoritative American cryptologists published the results of their research work on determining the key length needed to adequately protect information from brute-force attacks. (tab. 6.1).

Table 6.1. The cost and computational complexity of a brute-force attack

Who attacks		Complexity of the attack		Strong key
Small business	10 thousand dollars
Big company	USD 10 million
Federal agency	$ 300 million

To those given in table. 6.1 numbers should be treated with caution. Theoretical calculation of the costs of brute-force attacks on cryptographic keys different lengths is always significantly different from what cryptanalysts encounter in practice when buying or developing supercomputers for conducting this kind of attack. This is explained by the fact that some of the assumptions made are very far from reality, while other factors are simply not taken into account. In this case, Diffie, Wiener, and others reckoned that custom-made microcircuits with a price of no more than $ 10 would be used to create a specialized supercomputer for a brute-force attack. According to NSA estimates, such microcircuits are usually 100 times more expensive. The NSA raised doubts and the assumption that regardless of the encryption algorithm, only the length of the key determines the complexity of a cryptanalytic attack. In addition, R&D costs, which typically amount to at least $ 10 million for a first supercomputer, were not included in the table. Computer memory acquisition costs were also not taken into account.

A very important conclusion can be drawn from what has been said. If someone really wants to know the key you used, they just need to spend a sufficient amount of money. Therefore, the decisive factor is the cost of the information you encrypted. If its price on a market day is about $ 2, hardly anyone would dare to spend $ 1 million to get it. But if the profit from reading your encryption is $ 100 million - beware! The only consolation is the fact that over time, any information very quickly becomes outdated and loses its value.

Software attack

Without specialized computer hardware to search for keys in parallel, a brute-force attack is much less likely to succeed. However, if you haven't saved up an extra million dollars to spend on making such equipment, there is another, cheaper, way to try to crack the key you are interested in.

The world has great amount computers (on according to experts, in 1996 their number reached 200 million), which, in order not to be idle, could test the keys. An experiment carried out at the beginning of 1997 showed that in this way a 48-bit key can be opened in two weeks. And although this key was found by a brute-force method after checking slightly more than half of all possible keys, the result is impressive, since no more than 5 thousand computers out of the existing 200 million were simultaneously used during the attack, and in total, only 7 thousand computers were involved in the attack. ...

The main obstacle to using the millions of computing devices scattered around the world is the inability to get their owners to take part in the attack. You can, of course, politely ask each of them for a favor, but firstly, it will take a lot of time, and secondly, the answer in most cases will most likely be a firm "No". You can try to sneak into other people's computers through the network, but this will take even longer, and in addition you can be arrested.

It seems more reasonable to create computer virus which instead of erasing files with hard disk and display stupid messages on the display, unnoticed by the owner of the computer, it will sort out possible keys. Studies have shown that a virus will have 70 to 90% of the CPU time of an infected computer. After opening the key, the virus can generate new virus containing information about the found key, and send it to wander around computer network until he gets to his master.

With a more subtle approach, the virus that detects the key will display information of the form on the computer screen:

A SERIOUS ERROR HAS BEEN DETECTED IN YOUR COMPUTER!

PLEASE CALL BY PHONE (095 )123-45-67

AND READ OUT THE FOLLOWING 48-BIT NUMBER TO THE OPERATOR:

XXXXXXXX XXXXXXX XXXXXXXXXXXXXXXXXXX XXXXXXX

FIRST TO REPORT THIS ERROR IS GUARANTEED

REWARD IN THE SIZE OF 100 (STA) DOLLARS.

If the virus manages to infect 10 million computers, each of which checks at least 1,000 keys per second, then a 56-bit key will be found in less than 3 months. Additionally, you will have to fork out for bribing manufacturers antivirus software, however, this problem has nothing to do with the computer cryptography we are talking about now.

Chinese lottery

Suppose that for a brute-force attack, a special microcircuit is built into every Chinese radio and TV set, without exception, that checks 1 million keys per second. Each of them automatically iterates over its own subset of keys after receiving from the air fragments of the encrypted and corresponding plain text. As soon as the Chinese government wishes to open any key, it passes a decree that obliges all owners of televisions and radios to turn on their devices in certain time so that they can accept a couple of chunks of text and start iterating over the keys.

A significant prize is awarded for the key found. Thanks to this, radios and televisions with embedded microcircuits are well sold out, and the opened keys are brought to the attention of the Chinese government in a timely manner. If we consider that each of the ten Chinese have a radio or TV, it turns out that the Chinese government will take at most 43 hours to open a 64-bit key. Table 6.2 shows the complexity of breaking a 64-bit key using "Chinese lottery "when it is held in China, as well as in the United States, Iraq and Israel.

Table 6.2. The complexity of breaking a 64-bit key using "Chinese lottery "

Cryptographic Keys

It is known that all encryption algorithms, without exception, use cryptographic keys. That is why one of the tasks of cryptography is the management of keys, i.e. their generation, accumulation and distribution. If n users are registered in a computer network and everyone can communicate with everyone, then for it it is necessary to have n * (n-1) / 2 different keys. In this case, each of the n users should be provided with a (n-1) key, since the reliability of the protection of confidential information largely depends on their choice. The choice of the key for the cryptosystem is of particular importance.

Moreover, since almost any cryptographic key can be disclosed by an attacker, then it is necessary to use certain rules for selecting, generating, storing and updating them in the process of exchanging secret messages, as well as their delivery in a safe way to recipients. It is also known that single-key cryptosystems require a secure communication channel for key management. For two-key cryptosystems, there is no need for such a communication channel.

The key generation process must be random. To do this, you can use random number generators, as well as their combination with some unpredictable factor, for example, the choice of bits from the timer readings. When accumulating, keys cannot be written explicitly to media. To increase security, the key must be encrypted with a different key, another with a third, and so on. The last key it does not need to be encrypted in this hierarchy, but it should be placed on a secure piece of hardware. Such a key is called a master key.

Selected keys must be distributed in such a way that there is no pattern in changing keys from user to user. In addition, it is necessary to provide for the frequent change of keys, and the frequency of their change is determined by two factors: the time of validity and the amount of information closed with their use.

Cryptographic keys vary in length and therefore in strength: the longer the key, the greater the number of possible combinations. Let's say if the encryption program uses 128-bit keys, then your specific key will be one of 2,128 possible combinations of zeros and ones. An attacker is more likely to win the lottery than to break this level of encryption using the " brute force"(That is, systematically going through the keys until the right one is found). For comparison, it will take an encryption specialist about 6 hours to find a symmetric 40-bit key on a standard computer. Even ciphers with a 128-bit key are vulnerable to some extent, since professionals have sophisticated techniques that allow them to break even the most complex codes.

The reliability of a symmetric cryptosystem depends on the strength of the used cryptographic algorithm and on the length of the secret key. Let us assume that the algorithm itself is perfect: it can only be broken by trying all possible keys.

whose. This type of cryptanalytic attack is called brute force attack. To apply this method, the cryptanalyst will need some ciphertext and the corresponding plaintext. For example, in the case of a block cipher, it is enough for him to have at his disposal one block of encrypted and corresponding plain text. This is not so difficult to do.

A cryptanalyst can know in advance the content of a message, and then intercept it when transmitted in encrypted form. According to some indications, he can also guess that the sent message is nothing more than a text file prepared using a common editor, a computer image in a standard format, a file subsystem directory or a database. It is important for the cryptanalyst that in each of these cases, several bytes are known in the plaintext of the intercepted cipher message, which will be enough for him to launch an attack.

Calculating the complexity of a brute-force attack is fairly straightforward. If a key is 64 bits long, then a supercomputer that can test 1 million keys in 1 second will spend over 5000 years checking all possible keys. If the key length is increased to 128 bits, the same supercomputer will need 1025 years to iterate over all the keys. We can say that 1025 is a fairly large margin of safety for those who use 128-bit keys.

However, before rushing to hastily invent a cryptosystem with a key length of, for example, 4000 bytes, one should remember the above assumption: the encryption algorithm used is ideal in the sense that it can only be broken by brute force. To make sure of this in practice is not as easy as it might seem at first glance.

Cryptography requires sophistication and patience. New super-complex cryptosystems, on closer examination, often turn out to be very unstable. And making even tiny changes to a strong cryptographic algorithm can significantly reduce its strength. Therefore, it is necessary to use only proven ciphers, which have been known for many years, and not be afraid to be morbidly suspicious of the latest encryption algorithms, regardless of the statements of their authors about the absolute reliability of these algorithms.

It is also important not to forget that the strength of the encryption algorithm should be determined by the key, and not by the details of the algorithm itself. To be sure of the strength of the cipher used, it is not enough to analyze it, provided that the adversary is thoroughly familiar with the encryption algorithm. It is also necessary to consider an attack on this algorithm, in which the enemy can receive any amount of encrypted and corresponding plaintext. Moreover, it should be assumed that the cryptanalyst has the ability to organize an attack with a chosen plaintext of arbitrary length.

Fortunately, in real life, most of the people interested in the content of your encrypted files do not have the qualifications of high-class specialists and the necessary computing resources that are at the disposal of the governments of the world's superpowers. The latter are unlikely to waste time and money to read your ardent, purely personal Yosil. However, if you plan-

If you are trying to overthrow the "anti-popular government", you need to seriously think about the strength of the encryption algorithm used.

Many modern public key encryption algorithms rely on the unidirectional factorization of a number that is the product of two large primes. These algorithms can also be subjected to a brute-force attack against secret key ciphers, with one difference: you don't need to try each key, you just need to be able to factor a large number.

Of course, factoring a large number is a difficult task. However, a reasonable question immediately arises, how difficult. Unfortunately for cryptographers, the solution is being simplified, and worse, significantly faster than expected. For example, in the mid-1970s, it was believed that factoring a number of 125 digits would take tens of quadrillion years. And just two decades later, with the help of computers connected to the Internet, it was possible to quickly factor a number consisting of 129 digits. This breakthrough was made possible by the fact that over the past 20 years, not only have new, faster methods of factoring large numbers been proposed, but also the performance of the computers used has increased.

Therefore, a qualified cryptographer must be very careful and discreet when dealing with a long public key. It is necessary to take into account how valuable the information classified with its help is and how long it should remain secret to outsiders.

Why not take a 10,000-bit key? After all, then all questions related to the strength of an asymmetric public-key encryption algorithm based on factoring a large number will disappear. But the point is that providing sufficient strength of the cipher is not the only concern of the cryptographer. There are additional considerations affecting the choice of the key length, and among them are issues related to the practical implementation of the encryption algorithm for the selected key length.

To estimate the length of the public key, we will measure the computational power available to cryptanalysts in the so-called pug-years, that is, the number of operations that a computer capable of operating at a speed of 1 million operations per second performs in a year. Let's say that an attacker has access to the computer resources of a shared computing power 1000 pug years old, large corporation 107 pug years old, government 109 pug years old. These are quite real numbers, considering that during the implementation of the above-mentioned project of decomposition of a number of 129 digits, its participants used only 0.03% of the computing power of the Internet, and in order to achieve this, they did not need to take any extraordinary measures or go beyond the law. ... From table. 4.6 you can see how much time it takes to decompose numbers of different lengths.

The assumptions made allow us to estimate the length of a strong public key depending on the period during which it is necessary to keep the data encrypted with its help in secret (Table 4.7). It should be remembered that public key cryptographic algorithms are often used to protect very valuable information for a very long period of time. For example, in electronic pla-

Table 4.6. The relationship between the length of numbers and the time it takes to factor them

or when notarizing an electronic signature. The idea of ​​spending several months factoring a large number may seem very attractive to someone, if as a result they will be able to pay for their purchases with someone else's credit card.

With given in table. 4.7 Not all cryptographers agree with the data. Some of them flatly refuse to make any long-term predictions, considering it useless, while others are overly optimistic, recommending for digital signature systems a public key length of only 512-1024 bits, which is completely insufficient to ensure adequate long-term protection.

A cryptanalytic attack against an encryption algorithm is usually directed at the most vulnerable point of the encryption algorithm. To organize encrypted communication, cryptographic algorithms with both secret and public keys are often used. Such a cryptosystem is called hybrid. The strength of each of the algorithms included in the hybrid cryptosystem must be sufficient to successfully resist an attack. For example, it is foolish to use a symmetric algorithm with a key length of 128 bits in conjunction with an asymmetric algorithm in which the key length is only 386 bits. Conversely, it does not make sense to use the symmetric 56-bit key algorithm together with the asymmetric algorithm with the 1024-bit key.

Table 4.8. Key lengths for symmetric and asymmetric algorithms

encryption with the same strength

Table 4.8 lists the pairs of key lengths for a symmetric and asymmetric cryptographic algorithm, for which the strength of both algorithms against a brute-force cryptanalytic attack is approximately the same. From these data, it follows that if a symmetric algorithm with a 112-bit key is used, then an asymmetric algorithm with a 1792-bit key must be used with it. However, in practice, the key for an asymmetric encryption algorithm is usually chosen more secure than for a symmetric one, since with the help of the former, much larger amounts of information are protected and for a longer period.

public key, noted that this requirement denies the whole essence of cryptography, namely the ability to maintain general secrecy in communications.

The second task is the need to create such mechanisms, when using which it would be impossible to replace any of the participants, i.e. need digital signature... When using communications for a wide range of purposes, such as for commercial and private purposes, e-mails and documents must have the equivalent of the signature contained in paper documents. It is necessary to create a method by which all participants will be convinced that electronic message was sent by a specific participant. This is a stronger requirement than authentication.

Diffie and Hellman have achieved significant results by offering a way to solve both problems that is radically different from all previous approaches to encryption.

Let's look at the common features first. encryption algorithms with a public key and the requirements for these algorithms. Let us define the requirements that an algorithm must meet that uses one key for encryption, another key for decryption, and at the same time it is computationally impossible to determine the decryption key, knowing only the encryption algorithm and the encryption key.

In addition, some algorithms, such as RSA, have the following characteristic: each of the two keys can be used for both encryption and decryption.

First, we will consider algorithms that have both characteristics, and then move on to public key algorithms that do not have the second property.

When describing symmetric encryption and public key encryption we will use the following terminology. The key used in symmetric encryption, we will call secret key... The two keys used in public key encryption will be called public key and private key... The private key is kept secret, but we will call it a private key, not a secret, in order to avoid confusion with the key used in symmetric encryption... The private key will be denoted KR, the public key will be KU.

We will assume that all participants have access to each other's public keys, and private keys are generated locally by each participant and therefore should not be distributed.

At any time, the participant can change his private key and publish the composing public key, replacing the old public key with it.

Diffie and Hellman describe the requirements that must be met encryption algorithm with a public key.

1. It is computationally easy to create a pair (KU public key, KR private key).
2. It is computationally easy, given the public key and the unencrypted message M, to create the corresponding encrypted message:
3. It is computationally easy to decrypt a message using the private key:

   M = D KR [C] = D KR]

4. It is computationally impossible, knowing the public key KU, to determine the private key KR.
5. It is computationally impossible, knowing the public key KU and the encrypted message C, to recover the original message M.

   A sixth requirement can be added, although it does not hold for all public key algorithms:

6. The encryption and decryption functions can be used in any order:

   M = E KU]

These are quite strong requirements that introduce the concept. One-way function is called a function in which each argument has a single inverse value, while calculating the function itself is easy, but calculating the inverse function is difficult.

Usually "easy" means that the problem can be solved in polynomial time from the length of the input. Thus, if the input length has n bits, then the calculation time of the function is proportional to n a, where a is a fixed constant. Thus, the algorithm is said to belong to the class of polynomial algorithms R. The term "hard" means a more complex concept. In the general case, we will assume that the problem cannot be solved if the efforts to solve it are greater than the polynomial time of the input value. For example, if the input length is n bits, and the calculation time of the function is proportional to 2 n, then this is considered a computationally impossible task. Unfortunately, it is difficult to determine if a particular algorithm exhibits this complexity. Moreover, traditional understanding of computational complexity focuses on the worst case or average case of the complexity of an algorithm. This is unacceptable for cryptography, where the inability to invert the function for all or almost all of the input values ​​is required.

Let's go back to the definition one-way function with sunroof which, like one-way function, it is easy to compute in one direction and it is difficult to compute in the opposite direction until some Additional Information... With this additional information, the inversion can be computed in polynomial time. Thus, one-way function with a hatch belongs to the family one-way functions f k such that

We see that the development of a particular public key algorithm depends on the discovery of the corresponding one-way function with sunroof.

Cryptanalysis of public key algorithms

As in the case symmetric encryption, encryption algorithm with a public key is vulnerable to a head-on attack. The countermeasure is standard: use large keys.

A public key cryptosystem employs certain non-invertible math functions... The computational complexity of such functions is not linear in the number of bits in the key, but increases faster than the key. Thus, the key size must be large enough to make a frontal attack impractical and small enough to allow practical encryption. In practice, the key size is made such that a frontal attack is impractical, but the result is that the encryption speed is slow enough for general use of the algorithm. Therefore, public key encryption is currently mainly limited to key management and signature applications that require encryption of a small block of data.

Another form of attack is to find a way to compute the private key by knowing the public key. It is impossible to prove mathematically that given form attacks are ruled out for a specific public key algorithm. Thus, any algorithm, including the widely used RSA algorithm, is suspect.

Finally, there is a form of attack that is specific to the way public key systems are used. This is a probable message attack. Suppose, for example, that the message being sent consists solely of a 56-bit session key for a symmetric encryption algorithm. The adversary can encrypt all possible keys using the public key, and can decrypt any message that matches the encrypted text being transmitted. Thus, regardless of the key size of the public key scheme, the attack is reduced to a frontal attack on the 56-bit symmetric key... The defense against such an attack consists in adding a certain number of random bits to simple messages.

The main ways to use public key algorithms

The main uses for public key algorithms are encryption / decryption, signature generation and verification, and key exchange.

Encryption with a public key consists of the following steps:

Rice. 7.1.

1. User B creates a pair of keys KU b and KR b used to encrypt and decrypt transmitted messages.
2. User B makes available his encryption key in some reliable way, i.e. public key KU b. The private key KR b that makes up the pair is kept secret.
3. If A wants to send message to B, he encrypts the message using B's public key KU b.
4. When B receives a message, he decrypts it using his private key KR b. No one else will be able to decrypt the message, since only B knows this private key.

If the user (end system) securely stores his private key, no one will be able to spy on the transmitted messages.

Signature creation and verification consists of the following steps:

Rice. 7.2.

1. User A creates a pair of keys KR A and KU A used to create and verify the signature of transmitted messages.
2. User A makes available his verification key in some reliable way, i.e.

The main purpose of using SSL certificates is to encrypt data transmitted to the server from the client and to the client from the server. To ensure the security of such a connection, modern browsers use the TLS algorithm based on X.509 certificates. This algorithm applies asymmetric encryption to create a session key for symmetric encryption. The latter is used directly for transferring data after establishing a secure connection.

What is a Key in Cryptography?

A key in cryptography is a secret information that is used in cryptography to encrypt and decode messages, to affix a digital signature and verify it, to calculate message authentication codes, and so on. How reliable a key is is determined by the so-called key length, which is measured in bits. The standard key length for SSL certificates is 128 or 256 bits. The root certificate key length must not be less than 4096 bits. All certification authorities we cooperate with provide SSL certificates with a key that fully complies with modern standards:

Public and private key in asymmetric encryption

Asymmetric encryption uses pair of keys: public (Public key) and closed also called secret (Private key). The public and private keys in this case allow the cryptographic algorithm to encrypt and decrypt the message. However, messages encrypted with a public key can only be decrypted using a private key. The public key is published in the owner's certificate and is available to the connecting client, while the private key is kept by the owner of the certificate. The public and private keys are interconnected by mathematical dependencies, so it is impossible to pick up a public or private key in a short time (certificate validity period). That is why the maximum validity period for SSL certificates of a higher security level is always lower. So, you can order for a maximum of 2 years. At the same time, when ordering a new SSL certificate or renewing an old one, it is important to generate a new CSR request, since your private key is bound to it and it is better to renew it when a new SSL certificate is issued. The interaction between the client and the server is as follows:

1. the browser encrypts the request based on the public key and sends it to the server;
2. the server, using the private key, decrypts the received message;
3. the server encrypts its digital identifier with a private key and transmits it to the client;
4. the client verifies the server identifier and transmits its own;
5. after mutual authentication, the client encrypts the key of the future session with the public key and transmits it to the server;
6. all subsequent messages that are transmitted between the client and the server are signed with the session key and encrypted using the public and private keys.

Thus, several points of safety are provided:

• the possibility of information leakage is excluded - if it is intercepted, it will not be possible to decrypt it;
• the server confirms its address and identifier, the possibility of redirecting to another site (phishing) is cut off;
• the client is assigned an individual session, which makes it possible to distinguish him from other clients more reliably;
• once a secure session has been established, all messages are encrypted using the client ID and cannot be intercepted or modified unnoticed.

In general, public and private key encryption can be viewed as a case for which two keys are used: one can only be closed, the other can be opened. If the case was closed with the first key, only the second can open it; if it was closed with the second, to open it, you will need the first. This can be clearly seen in the diagram above.