Publication


Featured research published by Stephen M. Matyas.


Computers & Security | 1997

Special feature: Two-phase cryptographic key recovery system

Rosario Gennaro; Paul A. Karger; Stephen M. Matyas; Mohammad Peyravian; Allen Leonid Roginsky; David Robert Safford; Michael Willett; Nevenko Zunic

A two-phase method of key recovery which will be referred to as Secure Key Recovery (SKR) is presented. The proposed key recovery system permits a portion of the key recovery information to be generated once and then used for multiple encrypted data communications sessions and encrypted file applications. In particular, the portion of the key recovery information that is generated just once is the only portion that requires public key encryption operations. We also describe a verification mode in which the communicating parties each produce SKR recovery information independently, without checking the other's so-produced information. In this mode, if at least one side is correctly configured, all required recovery information is correctly produced. In addition, the communicating parties are free to include any optional recovery fields without causing a false invalidation of what the other parties sent. Further, we present a method of verification of key recovery information within a key recovery system, based on a variation of the three-party Diffie-Hellman key agreement procedure. Without communication with a trustee, the sender is able to encrypt recovery information in such a way that both the receiver and the respective trustee can decrypt it. This reduces the number of encryptions, and inherently validates the recovery information when the receiver decrypts it. The method allows full caching of all public key operations, thus further reducing computational overhead.


IBM Systems Journal | 1978

A cryptographic key management scheme for implementing the data encryption standard

William R. Ehrsam; Stephen M. Matyas; Carl Heinz Wilhelm Meyer; Walter Leonard Tuchman

Data being transmitted through a communications network can be protected by cryptography. In a data processing environment, cryptography is implemented by an algorithm which utilizes a secret key, or sequence of bits. Any key-controlled cryptographic algorithm, such as the Data Encryption Standard, requires a protocol for the management of its cryptographic keys. The complexity of the key management protocol ultimately depends on the level of functional capability provided by the cryptographic system. This paper discusses a possible key management scheme that provides the support necessary to protect communications between individual end users (end-to-end encryption) and that also can be used to protect data stored or transported on removable media.


IBM Systems Journal | 1978

Generation, distribution, and installation of cryptographic keys

Stephen M. Matyas; Carl Heinz Wilhelm Meyer

A key controlled cryptographic system requires a mechanism for the safe and secure generation, distribution, and installation of its cryptographic keys. This paper discusses possible key generation, distribution, and installation procedures for the key management scheme presented in the preceding paper.


IEEE Symposium on Security and Privacy | 1983

Message Authentication with Manipulation Detection Code

Robert R. Jueneman; Stephen M. Matyas; Carl Heinz Wilhelm Meyer

In many applications of cryptography, assuring the authenticity of communications is as important as protecting their secrecy. A well known and secure method of providing message authentication is to compute a Message Authentication Code (MAC) by encrypting the message. If only one key is used to both encrypt and authenticate a message, however, the system is subject to several forms of cryptographic attack. Techniques have also been sought for combining secrecy and authentication in only one encryption pass, using a Manipulation Detection Code generated by noncryptographic means. Previous investigations have shown that a proposed MDC technique involving block-by-block Exclusive-ORing is not secure when used with the Cipher Block Chaining (CBC) mode of operation of the Data Encryption Standard (DES). It is shown here that the Cipher Feedback (CFB) mode of operation exhibits similar weaknesses. A linear addition modulo 2^64 MDC is analyzed, including discussion of several novel attack scenarios. A Quadratic Congruential Manipulation Detection Code is proposed to avoid the problems of previous schemes.


IBM Journal of Research and Development | 1996

A proposed mode for triple-DES encryption

Don Coppersmith; Donald B. Johnson; Stephen M. Matyas

We propose a new mode of multiple encryption—triple-DES external feedback cipher block chaining with output feedback masking. The aim is to provide increased protection against certain attacks (dictionary attacks and matching ciphertext attacks) which exploit the short message-block size of DES. The new mode obtains this protection through the introduction of secret masking values that are exclusive-ORed with the intermediate outputs of each triple-DES encryption operation. The secret mask value is derived from a fourth encryption operation per message block, in addition to the three used in previous modes. The new mode is part of a suite of encryption modes proposed in the ANSI X9.F.1 triple-DES draft standard (X9.52).


Information Security Technical Report | 1997

The data encryption standard

Don Coppersmith; Chris Holloway; Stephen M. Matyas; Nevenko Zunic

In 1972, the NBS Institute for Computer Sciences and Technology (ICST) initiated a project in computer security, a subject then in its infancy. One of the first goals of the project was to develop a cryptographic algorithm standard that could be used to protect sensitive and valuable data during transmission and in storage. Prior to this NBS initiative, encryption had been largely the concern of military and intelligence organizations. The encryption algorithms, i.e., the formulas or rules used to encipher information, that were being used by national military organizations were closely held secrets. There was little commercial or academic expertise in encryption. One of the criteria for an acceptable encryption algorithm standard was that the security provided by the algorithm must depend only on the secrecy of the key, since all the technical specifications of the algorithm itself would be made public. NBS was the first to embark on developing a standard encryption algorithm that could satisfy a broad range of commercial and unclassified government requirements in information security. Ruth M. Davis, then Director of ICST, asked the National Security Agency (NSA) to help evaluate the security of any cryptographic algorithm that would be proposed as a Federal standard. She then initiated the standards development project by publishing an invitation in the Federal Register (May 15, 1973) to submit candidate encryption algorithms to protect sensitive, unclassified data. NBS received many responses demonstrating interest in the project, but did not receive any algorithms that met the established criteria. NBS issued a second solicitation in the Federal Register (August 17, 1974) and received an algorithm from the IBM Corp., which had developed a family of cryptographic algorithms, primarily for financial applications.
After significant review within the government, NBS published the technical specifications of the proposed algorithm in the Federal Register (March 17, 1975), requesting comments on the technical aspects of the proposed standard. NBS received many comments on the security and utility of the proposed standard and held two public workshops during 1976 on its mathematical foundation and its utility in various computer and network architectures. After intense analysis of the recommendations resulting from the workshops, NBS issued the Data Encryption Standard (DES) as Federal Information Processing Standard (FIPS) 46 on November 23, 1977 [1]. Many NBS, NSA, and IBM technical staff members participated in this initiative, which combined expertise from government and industry. In 1973 the Bureau hired Dennis Branstad to …


IBM Systems Journal | 1991

Common cryptographic architecture cryptographic application programming interface

Donald B. Johnson; George M. Dolan; Michael J. Kelly; An V. Le; Stephen M. Matyas

Cryptography is considered by many users to be a complicated subject. An architecture for a cryptographic application programming interface simplifies customer use of cryptographic services by helping to ensure compliance with national and international standards and by providing intuitive high-level services that may be implemented on a broad range of operating systems and underlying hardware. This paper gives an overview of the design rationale of the recently announced Common Cryptographic Architecture Cryptographic Application Programming Interface and gives typical application scenarios showing methods of using the services described in the architecture to meet security requirements.


IBM Systems Journal | 1991

Key handling with control vectors

Stephen M. Matyas

A method is presented for controlling cryptographic key usage based on control vectors. Each cryptographic key has an associated control vector that defines the permitted uses of the key within the cryptographic system. At key generation, the control vector is cryptographically coupled to the key via a special encryption process. Each encrypted key and control vector is stored and distributed within the cryptographic system as a single token. Decryption of a key requires respecification of the control vector. As part of the decryption process, the cryptographic hardware also verifies that the requested use of the key is authorized by the control vector. This paper focuses mainly on the use of control vectors in cryptosystems based on the Data Encryption Algorithm.


Computer Networks | 1979

Digital signatures — An overview

Stephen M. Matyas

To satisfy the requirements demanded by many of today's business transactions, a communications system must provide the capability for messages to be signed by digital signatures. Being dependent upon both the message and the originator, digital signatures can be used by the message recipient to prove to an impartial third party (judge or adjudicator) not only the identity of the message's originator but also the message's true content. Two types of digital signatures are investigated: true signatures, and arbitrated signatures. A true signature can be validated by anyone having the correct nonsecret (public) validation parameter, whereas an arbitrated signature must be validated by a trusted arbiter. Arbitrated signatures appear to be adequate if the sender and receiver both belong to a common organization. However, true signatures are usually required when the sender and receiver belong to different organizations.


IBM Systems Journal | 1991

A key-management scheme based on control vectors

Stephen M. Matyas; An V. Le; Dennis G. Abraham

This paper presents a cryptographic key-management scheme based on control vectors. This is a new concept that permits cryptographic keys belonging to a cryptographic system to be easily, securely, and efficiently controlled. The new key-management scheme—built on the cryptographic architecture and key management implemented in a prior set of IBM cryptographic products—has been implemented in the newly announced IBM Transaction Security System.
