Xref: news.lut.fi sci.crypt:26902 talk.politics.crypto:6724 alt.security.ripem:1006 sci.answers:1434 talk.answers:299 alt.answers:3892 news.answers:26401
Path: news.lut.fi!news.funet.fi!news.eunet.fi!EU.net!howland.reston.ans.net!spool.mu.edu!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: faq-editor@rsa.com
Newsgroups: sci.crypt,talk.politics.crypto,alt.security.ripem,sci.answers,talk.answers,alt.answers,news.answers
Subject: RSA Cryptography Today FAQ (2/3)
Supersedes: <cryptography-faq/rsa/part2_775371303@rtfm.mit.edu>
Followup-To: poster
Date: 19 Aug 1994 02:26:50 GMT
Organization: none
Lines: 1130
Approved: news-answers-request@mit.edu
Expires: 23 Sep 1994 02:26:02 GMT
Message-ID: <cryptography-faq/rsa/part2_777263162@rtfm.mit.edu>
References: <cryptography-faq/rsa/part1_777263162@rtfm.mit.edu>
Reply-To: faq-editor@rsa.com
NNTP-Posting-Host: bloom-picayune.mit.edu
X-Last-Updated: 1994/06/13
Originator: faqserv@bloom-picayune.MIT.EDU

Archive-name: cryptography-faq/rsa/part2
Last-modified: 93/09/20
Version: 2.0
Distribution-agent: tmp@netcom.com


(This document has been brought to you in part by CRAM.  See the
bottom for more information, including instructions on how to
obtain updates.)

===


                          Answers To
                 FREQUENTLY ASKED QUESTIONS
                 About Today's Cryptography



                          Paul Fahn
                      RSA Laboratories
                     100 Marine Parkway
                   Redwood City, CA  94065



   Copyright (c) 1993 RSA Laboratories, a division of RSA Data Security,
      Inc. All rights reserved.

   Version 2.0, draft 2f
   Last update: September 20, 1993



------------------------------------------------------------------------
                         Table of Contents

[ part 2 ]

3 Key Management 
       3.1  What key management issues are involved in public-key 
            cryptography? 
       3.2  Who needs a key? 
       3.3  How does one get a key pair? 
       3.4  Should a public key or private key be shared among users? 
       3.5  What are certificates? 
       3.6  How are certificates used? 
       3.7  Who issues certificates and how? 
       3.8  What is a CSU, or, How do certifying authorities store their 
            private keys? 
       3.9  Are certifying authorities susceptible to attack? 
       3.10  What if the certifying authority's key is lost or compromised? 
       3.11  What are Certificate Revocation Lists (CRLs)? 
       3.12  What happens when a key expires? 
       3.13  What happens if I lose my private key? 
       3.14  What happens if my private key is compromised? 
       3.15  How should I store my private key? 
       3.16  How do I find someone else's public key? 
       3.17  How can signatures remain valid beyond the expiration dates of 
             their keys, or, How do you verify a 20-year-old signature? 
       3.18  What is a digital time-stamping service? 

4 Factoring and Discrete Log 
       4.1  What is a one-way function? 
       4.2  What is the significance of one-way functions for cryptography? 
       4.3  What is the factoring problem? 
       4.4  What is the significance of factoring in cryptography? 
       4.5  Has factoring been getting easier? 
       4.6  What are the best factoring methods in use today? 
       4.7  What are the prospects for theoretical factoring breakthroughs? 
       4.8  What is the RSA Factoring Challenge? 
       4.9  What is the discrete log problem? 
       4.10  Which is easier, factoring or discrete log? 

5 DES 
       5.1  What is DES? 
       5.2  Has DES been broken? 
       5.3  How does one use DES securely? 
       5.4  Can DES be exported from the U.S.? 
       5.5  What are the alternatives to DES? 
       5.6  Is DES a group? 


--------------------------------------------------------------------



3 Key Management

3.1 What key management issues are involved in public-key cryptography?

Secure methods of key management are extremely important. In practice,
most attacks on public-key systems will probably be aimed at the key 
management levels, rather than at the cryptographic algorithm itself. 
The key management issues mentioned here are discussed in detail in 
later questions.

Users must be able to obtain securely a key pair suited to their efficiency 
and security needs. There must be a way to look up other people's public 
keys and to publicize one's own key. Users must have confidence in the 
legitimacy of others' public keys; otherwise an intruder can either change 
public keys listed in a directory, or impersonate another user. Certificates 
are used for this purpose. Certificates must be unforgeable, obtainable in a 
secure manner, and processed in such a way that an intruder cannot misuse 
them. The issuance of certificates must proceed in a secure way, impervious 
to attack. If someone's private key is lost or compromised, others must be 
made aware of this, so that they will no longer encrypt messages under the 
invalid public key nor accept messages signed with the invalid private key. 
Users must be able to store their private keys securely, so that no intruder 
can find it, yet the keys must be readily accessible for legitimate use. Keys 
need to be valid only until a specified expiration date. The expiration date 
must be chosen properly and publicized securely. Some documents need to have 
verifiable signatures beyond the time when the key used to sign them has 
expired.

Although most of these key management issues arise in any public-key 
cryptosystem, for convenience they are discussed here in the context of RSA.


3.2 Who needs a key?

Anyone who wishes to sign messages or to receive encrypted messages must
have a key pair. People may have more than one key. For example, someone
might have a key affiliated with his or her work and a separate key for
personal use. Other entities will also have keys, including electronic 
entities such as modems, workstations, and printers, as well as 
organizational entities such as a corporate department, a hotel 
registration desk, or a university registrar's office. 


3.3 How does one get a key pair? 

Each user should generate his or her own key pair. It may be tempting within 
an organization to have a single site that generates keys for all members who 
request one, but this is a security risk because it involves the transmission 
of private keys over a network as well as catastrophic consequences if an 
attacker infiltrates the key-generation site. Each node on a network should be
capable of local key generation, so that private keys are never transmitted 
and no external key source need be trusted. Of course, the local key generation
software must itself be trustworthy. Secret-key authentication systems, such 
as Kerberos, often do not allow local key generation but instead use a 
central server to generate keys.

Once generated, a user must register his or her public key with some
central administration, called a certifying authority. The certifying 
authority returns to the user a certificate attesting to the veracity of 
the user's public key along with other information (see Questions 3.5 
and following). Most users should not obtain more than one certificate for
the same key, in order to simplify various bookkeeping tasks associated
with the key.


3.4 Should a public key or private key be shared among users?

In RSA, each person should have a unique modulus and private exponent, i.e., 
a unique private key. The public exponent, on the other hand, can be common 
to a group of users without security being compromised. Some public exponents 
in common use today are 3 and 2^{16}+1; because these numbers are small, 
the public-key operations (encryption and signature verification) are fast 
relative to the private key operations (decryption and signing). If one 
public exponent becomes a standard, software and hardware can be optimized 
for that value.

In public-key systems based on discrete logarithms, such as ElGamal,
Diffie-Hellman, or DSS, it has often been suggested that a group of 
people should share a modulus. This would make breaking a key more
attractive to an attacker, however, because one could break every
key with only slightly more effort than it would take to break a
single key. To an attacker, therefore, the average cost to break a 
key is much lower with a common modulus than if every key has a distinct 
modulus. Thus one should be very cautious about using a common modulus; 
if a common modulus is chosen, it should be very large. 


3.5 What are certificates?

Certificates are digital documents attesting to the binding of a public key 
to an individual or other entity. They allow verification of the claim that 
a given public key does in fact belong to a given individual. Certificates 
help prevent someone from using a phony key to impersonate someone else.

In their simplest form, certificates contain a public key and a name. As
commonly used, they also contain the expiration date of the key, the name 
of the certifying authority that issued the certificate, the serial number 
of the certificate, and perhaps other information. Most importantly, it 
contains the digital signature of the certificate issuer. The most widely 
accepted format for certificates is defined by the CCITT X.509 international 
standard [19]; thus certificates can be read or written by any application 
complying with X.509. Further refinements are found in the PKCS set of 
standards (see Question 8.9), and the PEM standard (see Question 8.7). A 
detailed discussion of certificate format can also be found in Kent [40].

A certificate is issued by a certifying authority (see Question 3.7) 
and signed with the certifying authority's private key.


3.6 How are certificates used?

A certificate is displayed in order to generate confidence in the 
legitimacy of a public key. Someone verifying a signature can also 
verify the signer's certificate, to insure that no forgery or false 
representation has occurred. These steps can be performed with greater 
or lesser rigor depending on the context. 

The most secure use of authentication involves enclosing one or more 
certificates with every signed message. The receiver of the message
would verify the certificate using the certifying authority's public
key and, now confident of the public key of the sender, verify the message's 
signature. There may be two or more certificates enclosed with the message, 
forming a hierarchical chain, wherein one certificate testifies to the 
authenticity of the previous certificate. At the end of a certificate 
hierarchy is a top-level certifying authority, which is trusted without a 
certificate from any other certifying authority. The public key of the 
top-level certifying authority must be independently known, for example by 
being widely published.

The more familiar the sender is to the receiver of the message, the less 
need there is to enclose, and to verify, certificates. If Alice sends 
messages to Bob every day, Alice can enclose a certificate chain on the 
first day, which Bob verifies. Bob thereafter stores Alice's public key 
and no more certificates or certificate verifications are necessary. A sender 
whose company is known to the receiver may need to enclose only one 
certificate (issued by the company), whereas a sender whose company is 
unknown to the receiver may need to enclose two certificates. A good rule of 
thumb is to enclose just enough of a certificate chain so that the issuer of 
the highest level certificate in the chain is well-known to the receiver.

According to the PKCS standards for public-key cryptography (see Question
8.9), every signature points to a certificate that validates the public 
key of the signer. Specifically, each signature contains the name of the 
issuer of the certificate and the serial number of the certificate. Thus 
even if no certificates are enclosed with a message, a verifier can still 
use the certificate chain to check the status of the public key.


3.7 Who issues certificates and how?

Certificates are issued by a certifying authority (CA), which can be any 
trusted central administration willing to vouch for the identities of those 
to whom it issues certificates. A company may issue certificates to its 
employees, a university to its students, a town to its citizens. In 
order to prevent forged certificates, the CA's public key must be trustworthy: 
a CA must either publicize its public key or provide a certificate from a 
higher-level CA attesting to the validity of its public key. The latter
solution gives rise to hierarchies of CAs.

Certificate issuance proceeds as follows. Alice generates her own key 
pair and sends the public key to an appropriate CA with some proof of her 
identification. The CA checks the identification and takes any other steps
necessary to assure itself that the request really did come from Alice, and 
then sends her a certificate attesting to the binding between Alice and her 
public key, along with a hierarchy of certificates verifying the CA's public 
key. Alice can present this certificate chain whenever desired in order to 
demonstrate the legitimacy of her public key. 

Since the CA must check for proper identification, organizations will find 
it convenient to act as a CA for its own members and employees. There will 
also be CAs that issue certificates to unaffiliated individuals.

Different CAs may issue certificates with varying levels of identification 
requirements. One CA may insist on seeing a driver's license, another may 
want the certificate request form to be notarized, yet another may want 
fingerprints of anyone requesting a certificate. Each CA should publish 
its own identification requirements and standards, so that verifiers 
can attach the appropriate level of confidence in the certified name-key 
bindings.

An example of a certificate-issuing protocol is Apple Computer's Open 
Collaborative Environment (OCE). Apple OCE users can generate a key 
pair and then request and receive a certificate for the public key; the
certificate request must be notarized.


3.8 What is a CSU, or, How do certifying authorities store their private keys?

It is extremely important that private keys of certifying authorities are 
stored securely, because compromise would enable undetectable forgeries. 
One way to achieve the desired security is to store the key in a tamperproof
box; such a box is called a Certificate Signing Unit, or CSU. The CSU would, 
preferably, destroy its contents if ever opened, and be shielded against 
attacks using electromagnetic radiation. Not even employees of the certifying 
authority should have access to the private key itself, but only the ability 
to use the private key in the process of issuing certificates. 

There are many possible designs for CSUs; here is a description of one design
found in some current implementations. The CSU is activated by a set of data 
keys, which are physical keys capable of storing digital information. The 
data keys use secret-sharing technology such that several people must all 
use their data keys to activate the CSU. This prevents one disgruntled CA 
employee from producing phony certificates. 

Note that if the CSU is destroyed, say in a fire, no security is compromised.
Certificates signed by the CSU are still valid, as long as the verifier uses 
the correct public key. Some CSUs will be manufactured so that a lost private 
key can be restored into a new CSU. See Question 3.10 for discussion of 
lost CA private keys.

Bolt, Beranek, and Newman (BBN) currently sells a CSU, and RSA Data Security
sells a full-fledged certificate issuing system built around the BBN CSU.


3.9 Are certifying authorities susceptible to attack?

One can think of many attacks aimed at the certifying authority, which must
be prepared against them.

Consider the following attack. Suppose Bob wishes to impersonate Alice. 
If Bob can convincingly sign messages as Alice, he can send a message to 
Alice's bank saying ``I wish to withdraw $10,000 from my account. Please 
send me the money.'' To carry out this attack, Bob generates a key pair and 
sends the public key to a certifying authority saying ``I'm Alice. Here is 
my public key. Please send me a certificate.'' If the CA is fooled and sends 
him such a certificate, he can then fool the bank, and his attack will 
succeed. In order to prevent such an attack the CA must verify that a 
certificate request did indeed come from its purported author, i.e., it must 
require sufficient evidence that it is actually Alice who is requesting the 
certificate. The CA may, for example, require Alice to appear in person and 
show a birth certificate. Some CAs may require very little identification, 
but the bank should not honor messages authenticated with such low-assurance 
certificates. Every CA must publicly state its identification requirements 
and policies; others can then attach an appropriate level of confidence to 
the certificates.

An attacker who discovers the private key of a certifying authority could 
then forge certificates. For this reason, a certifying authority must take 
extreme precautions to prevent illegitimate access to its private key. The 
private key should be kept in a high-security box, known as a Certificate 
Signing Unit, or CSU (see Question 3.8).

The certifying authority's public key might be the target of an extensive 
factoring attack. For this reason, CAs should use very long keys, preferably 
1000 bits or longer, and should also change keys regularly. Top-level 
certifying authorities are exceptions: it may not be practical for them to 
change keys frequently because the key may be written into software used 
by a large number of verifiers.

In another attack, Alice bribes Bob, who works for the certifying authority, 
to issue to her a certificate in the name of Fred. Now Alice can send 
messages signed in Fred's name and anyone receiving such a message will 
believe it authentic because a full and verifiable certificate chain will 
accompany the message. This attack can be hindered by requiring the 
cooperation of two (or more) employees to generate a certificate; the 
attacker now has to bribe two employees rather than one. For example, in 
some of today's CSUs, three employees must each insert a data key containing 
secret information in order to authorize the CSU to generate certificates. 
Unfortunately, there may be other ways to generate a forged certificate by 
bribing only one employee. If each certificate request is checked by only 
one employee, that one employee can be bribed and slip a false request into 
a stack of real certificate requests. Note that a corrupt employee cannot 
reveal the certifying authority's private key, as long as it is properly 
stored.

Another attack involves forging old documents. Alice tries to factor the 
modulus of the certifying authority. It takes her 15 years, but she finally 
succeeds, and she now has the old private key of the certifying authority. 
The key has long since expired, but she can forge a certificate dated 15 
years ago attesting to a phony public key of some other person, say Bob; she 
can now forge a document with a signature of Bob dated 15 year ago, perhaps
a will leaving everything to Alice. The underlying issue raised by this 
attack is how to authenticate a signed document dated many years ago; this 
issue is discussed in Question 3.17.

Note that these attacks on certifying authorities do not threaten the 
privacy of messages between users, as might result from an attack on a 
secret-key distribution center.


3.10 What if the certifying authority's key is lost or compromised? 

If the certifying authority's key is lost or destroyed but not compromised, 
certificates signed with the old key are still valid, as long as the verifier
knows to use the old public key to verify the certificate. 

In some CSU designs, encrypted backup copies of the CA's private key are
kept. A CA which loses its key can then restore it by loading the encrypted 
backup into the CSU, which can decrypt it using some unique information 
stored inside the CSU; the encrypted backup can only be decrypted using the 
CSU. If the CSU itself is destroyed, the manufacturer may be able to supply 
another with the same internal information, thus allowing recovery of the key. 

A compromised CA key is a much more dangerous situation. An attacker who 
discovers a certifying authority's private key can issue phony certificates 
in the name of the certifying authority, which would enable undetectable 
forgeries; for this reason, all precautions must be taken to prevent 
compromise, including those outlined in Questions 3.8 and 3.9. If a 
compromise does occur, the CA must immediately cease issuing certificates
under its old key and change to a new key. If it is suspected that some phony 
certificates were issued, all certificates should be recalled, and then 
reissued with a new CA key. These measures could be relaxed somewhat if 
certificates were registered with a digital time-stamping service (see 
Question 3.18). Note that compromise of a CA key does not invalidate users'
keys, but only the certificates that authenticate them. Compromise of a 
top-level CA's key should be considered catastrophic, since the key may 
be built into applications that verify certificates.


3.11 What are Certificate Revocation Lists (CRLs)?

A Certificate Revocation List (CRL) is a list of public keys that have been 
revoked before their scheduled expiration date. There are several reasons why 
a key might need to be revoked and placed on a CRL. A key might have been 
compromised. A key might be used professionally by an individual for 
a company; for example, the official name associated with a key might be 
``Alice Avery, Vice President, Argo Corp.'' If Alice were fired, her company 
would not want her to be able to sign messages with that key and therefore 
the company would place the key on the CRL. 

When verifying a signature, one can check the relevant CRL to make sure
the signer's key has not been revoked. Whether it is worth the time to 
perform this check depends on the importance of the signed document. 

CRLs are maintained by certifying authorities (CAs) and provide information 
about revoked keys originally certified by the CA. CRLs only list current 
keys, since expired keys should not be accepted in any case; when a revoked 
key is past its original expiration date it is removed from the CRL. Although 
CRLs are maintained in a distributed manner, there may be central 
repositories for CRLs, that is, sites on networks containing the latest CRLs 
from many organizations. An institution like a bank might want an in-house 
CRL repository to make CRL searches feasible on every transaction.


3.12 What happens when a key expires?

In order to guard against a long-term factoring attack, every key must 
have an expiration date after which it is no longer valid. The time to 
expiration must therefore be much shorter than the expected factoring time, 
or equivalently, the key length must be long enough to make the chances of 
factoring before expiration extremely small. The validity period for a key 
pair may also depend on the circumstances in which the key will be used, 
although there will also be a standard period. The validity period, together
with the value of the key and the estimated strength of an expected attacker, 
then determines the appropriate key size.

The expiration date of a key accompanies the public key in a certificate
or a directory listing. The signature verification program should check 
for expiration and should not accept a message signed with an expired key. 
This means that when one's own key expires, everything signed with it will
no longer be considered valid. Of course, there will be cases where it is 
important that a signed document be considered valid for a much longer period 
of time; Question 3.17 discusses ways to achieve this.

After expiration, the user chooses a new key, which should be longer than 
the old key, perhaps by several digits, to reflect both the performance 
increase of computer hardware and any recent improvements in factoring 
algorithms. Recommended key length schedules will likely be published. A user 
may recertify a key that has expired, if it is sufficiently long and has not 
been compromised. The certifying authority would then issue a new certificate 
for the same key, and all new signatures would point to the new certificate 
instead of the old. However, the fact that computer hardware continues to 
improve argues for replacing expired keys with new, longer keys every few 
years. Key replacement enables one to take advantage of the hardware 
improvements to increase the security of the cryptosystem. Faster hardware 
has the effect of increasing security, perhaps vastly, but only if key 
lengths are increased regularly (see Question 4.5).


3.13 What happens if I lose my private key?

If your private key is lost or destroyed, but not compromised, you can no 
longer sign or decrypt messages, but anything previously signed with the 
lost key is still valid. This can happen, for example, if you forget the 
password used to access your key, or if the disk on which the key is stored 
is damaged. You need to choose a new key right away, to minimize the number 
of messages people send you encrypted under your old key, messages which you 
can no longer read. 


3.14 What happens if my private key is compromised?

If your private key is compromised, that is, if you suspect an attacker may 
have obtained your private key, then you must assume that some enemy can
read encrypted messages sent to you and forge your name on documents. The 
seriousness of these consequences underscores the importance of protecting 
your private key with extremely strong mechanisms (see Question 3.15).

You must immediately notify your certifying authority and have your old key 
placed on a Certificate Revocation List (see Question 3.11); this will 
inform people that the key has been revoked. Then choose a new key and obtain
the proper certificates for it. You may wish to use the new key to re-sign 
documents that you had signed with the compromised key; documents that had 
been time-stamped as well as signed might still be valid. You should also 
change the way you store your private key, to prevent compromise of the new 
key.


3.15 How should I store my private key?

Private keys must be stored securely, since forgery and loss of privacy 
could result from compromise. The private key should never be stored 
anywhere in plaintext form. The simplest storage mechanism is to encrypt 
the private key under a password and store the result on a disk. Of course, 
the password itself must be maintained with high security, not written down 
and not easily guessed. Storing the encrypted key on a disk that is not 
accessible through a computer network, such as a floppy disk or a local 
hard disk, will make some attacks more difficult. Ultimately, private keys 
may be stored on portable hardware, such as a smart card. Furthermore, a 
challenge-response protocol will be more secure than simple password access. 
Users with extremely high security needs, such as certifying authorities, 
should use special hardware devices to protect their keys (see Question 
3.8).


3.16 How do I find someone else's public key?

Suppose you want to find Bob's public key. There are several possible ways.
You could call him up and ask him to send you his public key via e-mail; you 
could request it via e-mail as well. Certifying authorities may provide
directory services; if Bob works for company Z, look in the directory kept 
by Z's certifying authority. Directories must be secure against unauthorized 
tampering, so that users can be confident that a public key listed in the 
directory actually belongs to the person listed. Otherwise, you might send 
private encrypted information to the wrong person.

Eventually, full-fledged directories will arise, serving as online white or 
yellow pages. If they are compliant with CCITT X.509 standards [19], the 
directories will contain certificates as well as public keys; the presence 
of certificates will lower the directories' security needs.


3.17 How can signatures remain valid beyond the expiration dates of their
    keys, or, How do you verify a 20-year-old signature?

Normally, a key expires after, say, two years and a document signed with an 
expired key should not be accepted. However, there are many cases where 
it is necessary for signed documents to be regarded as legally valid 
for much longer than two years; long-term leases and contracts are examples. 
How should these cases be handled? Many solutions have been suggested but 
it is unclear which will prove the best. Here are some possibilities.

One can have special long-term keys as well as the normal two-year keys. 
Long-term keys should have much longer modulus lengths and be stored 
more securely than two-year keys. If a long-term key expires in 50 
years, any document signed with it would remain valid within that time. 
A problem with this method is that any compromised key must remain on the 
relevant CRL until expiration (see Question 3.11); if 50-year keys are 
routinely placed on CRLs, the CRLs could grow in size to unmanageable 
proportions. This idea can be modified as follows. Register the long-term 
key by the normal procedure, i.e., for two years. At expiration time, if 
it has not been compromised, the key can be recertified, that is, issued 
a new certificate by the certifying authority, so that the key will be 
valid for another two years. Now a compromised key only needs to be kept 
on a CRL for at most two years, not fifty. 

One problem with the previous method is that someone might try to 
invalidate a long-term contract by refusing to renew his key. This 
problem can be circumvented by registering the contract with a digital 
time-stamping service (see Question 3.18) at the time it is originally 
signed. If all parties to the contract keep a copy of the time-stamp, 
then each can prove that the contract was signed with valid keys. In 
fact, the time-stamp can prove the validity of a contract even if one 
signer's key gets compromised at some point after the contract was 
signed. This time-stamping solution can work with all signed digital 
documents, not just multi-party contracts.


3.18 What is a digital time-stamping service?

A digital time-stamping service (DTS) issues time-stamps which associate 
a date and time with a digital document in a cryptographically strong way. 
The digital time-stamp can be used at a later date to prove that an 
electronic document existed at the time stated on its time-stamp. For 
example, a physicist who has a brilliant idea can write about it with
a word processor and have the document time-stamped. The time-stamp and
document together can later prove that the scientist deserves the Nobel 
Prize, even though an arch rival may have been the first to publish.

Here's one way such a system could work. Suppose Alice signs a document 
and wants it time-stamped. She computes a message digest of the document 
using a secure hash function (see Question 8.2) and then sends the 
message digest (but not the document itself) to the DTS, which sends her in 
return a digital time-stamp consisting of the message digest, the date and 
time it was received at the DTS, and the signature of the DTS. Since the 
message digest does not reveal any information about the content of the 
document, the DTS cannot eavesdrop on the documents it time-stamps. Later, 
Alice can present the document and time-stamp together to prove when the
document was written. A verifier computes the message digest of the document, 
makes sure it matches the digest in the time-stamp, and then verifies the 
signature of the DTS on the time-stamp.

To be reliable, the time-stamps must not be forgeable. Consider the
requirements for a DTS of the type just described. First, the DTS itself 
must have a long key if we want the time-stamps to be reliable for, say,
several decades. Second, the private key of the DTS must be stored with 
utmost security, as in a tamperproof box. Third, the date and time must 
come from a clock, also inside the tamperproof box, which cannot be reset 
and which will keep accurate time for years or perhaps for decades. Fourth, 
it must be infeasible to create time-stamps without using the apparatus 
in the tamperproof box.

A cryptographically strong DTS using only software [4] has been 
implemented by Bellcore; it avoids many of the requirements just 
described, such as tamperproof hardware. The Bellcore DTS essentially 
combines hash values of documents into data structures called binary 
trees, whose ``root'' values are periodically published in the newspaper. 
A time-stamp consists of a set of hash values which allow a verifier 
to recompute the root of the tree. Since the hash functions are one-way 
(see Question 8.2), the set of validating hash values cannot be forged.
The time associated with the document by the time-stamp is the date of 
publication.

The use of a DTS would appear to be extremely important, if not essential, 
for maintaining the validity of documents over many years (see Question 
3.17). Suppose a landlord and tenant sign a twenty-year lease. The public 
keys used to sign the lease will expire after, say, two years; solutions 
such as recertifying the keys or resigning every two years with new keys 
require the cooperation of both parties several years after the original 
signing. If one party becomes dissatisfied with the lease, he or she may 
refuse to cooperate. The solution is to register the lease with the DTS 
at the time of the original signing; both parties would then receive a 
copy of the time-stamp, which can be used years later to enforce the 
integrity of the original lease.

In the future, it is likely that a DTS will be used for everything
from long-term corporate contracts to personal diaries and letters.
Today, if an historian discovers some lost letters of Mark Twain, their
authenticity is checked by physical means. But a similar find 100 years
from now may consist of an author's computer files; digital time-stamps 
may be the only way to authenticate the find.

4 Factoring and Discrete Log

4.1 What is a one-way function?

A one-way function is a mathematical function that is significantly
easier to perform in one direction (the forward direction) than in the 
opposite direction (the inverse direction). One might, for example, 
compute the function in minutes but only be able to compute the inverse 
in months or years. A trap-door one-way function is a one-way function
where the inverse direction is easy if you know a certain piece of
information (the trap door), but difficult otherwise.


4.2 What is the significance of one-way functions for cryptography?

Public-key cryptosystems are based on (presumed) trap-door one-way 
functions. The public key gives information about the particular instance 
of the function; the private key gives information about the trap door. 
Whoever knows the trap door can perform the function easily in both
directions, but anyone lacking the trap door can perform the function only 
in the forward direction. The forward direction is used for encryption and 
signature verification; the inverse direction is used for decryption and 
signature generation.

In almost all public-key systems, the size of the key corresponds to the 
size of the inputs to the one-way function; the larger the key, the greater
the difference between the efforts necessary to compute the function in the 
forward and inverse directions (for someone lacking the trap door). For a 
digital signature to be secure for years, for example, it is necessary to 
use a trap-door one-way function with inputs large enough that someone 
without the trap door would need many years to compute the inverse function.

All practical public-key cryptosystems are based on functions that are 
believed to be one-way, but have not been proven to be so. This means that 
it is theoretically possible that an algorithm will be discovered that can 
compute the inverse function easily without a trap door; this development 
would render any cryptosystem based on that one-way function insecure and 
useless. 


4.3 What is the factoring problem?

Factoring is the act of splitting an integer into a set of smaller integers
(factors) which, when multiplied together, form the original integer. 
For example, the factors of 15 are 3 and 5; the factoring problem is 
to find 3 and 5 when given 15. Prime factorization requires splitting an 
integer into factors that are prime numbers; every integer has a unique 
prime factorization. Multiplying two prime integers together is easy, but 
as far as we know, factoring the product is much more difficult. 

4.4 What is the significance of factoring in cryptography?

Factoring is the underlying, presumably hard problem upon which several 
public-key cryptosystems are based, including RSA. Factoring an RSA
modulus (see Question 2.1) would allow an attacker to figure out 
the private key; thus, anyone who can factor the modulus can decrypt 
messages and forge signatures. The security of RSA therefore depends on 
the factoring problem being difficult. Unfortunately, it has not been 
proven that factoring must be difficult, and there remains a possibility 
that a quick and easy factoring method might be discovered (see Question 
4.7), although factoring researchers consider this possibility remote.

Factoring large numbers takes more time than factoring smaller numbers.
This is why the size of the modulus in RSA determines how secure an 
actual use of RSA is; the larger the modulus, the longer it would take
an attacker to factor, and thus the more resistant to attack the RSA
implementation is.


4.5 Has factoring been getting easier?

Factoring has become easier over the last fifteen years for two reasons:
computer hardware has become more powerful, and better factoring algorithms 
have been developed. 

Hardware improvement will continue inexorably, but it is important to 
realize that hardware improvements make RSA more secure, not less.
This is because a hardware improvement that allows an attacker to factor
a number two digits longer than before will at the same time allow 
a legitimate RSA user to use a key dozens of digits longer than before; 
a user can choose a new key a dozen digits longer than the old one without
any performance slowdown, yet a factoring attack will become much more
difficult. Thus although the hardware improvement does help the attacker, 
it helps the legitimate user much more. This general rule may fail in the 
sense that factoring may take place using fast machines of the future, 
attacking RSA keys of the past; in this scenario, only the attacker gets 
the advantage of the hardware improvement. This consideration argues for 
using a larger key size today than one might otherwise consider warranted. 
It also argues for replacing one's RSA key with a longer key every few 
years, in order to take advantage of the extra security offered by hardware 
improvements. This point holds for other public-key systems as well.

Better factoring algorithms have been more help to the RSA attacker than have 
hardware improvements. As the RSA system, and cryptography in general, have 
attracted much attention, so has the factoring problem, and many researchers 
have found new factoring methods or improved upon others. This has made 
factoring easier, for numbers of any size and irrespective of the speed of 
the hardware. However, factoring is still a very difficult problem.

Overall, any recent decrease in security due to algorithm improvement can 
be offset by increasing the key size. In fact, between general computer 
hardware improvements and special-purpose RSA hardware improvements, 
increases in key size (maintaining a constant speed of RSA operations) have 
kept pace or exceeded increases in algorithm efficiency, resulting in no net 
loss of security. As long as hardware continues to improve at a faster rate 
than that at which the complexity of factoring algorithms decreases, the 
security of RSA will increase, assuming RSA users regularly increase their 
key size by appropriate amounts. The open question is how much faster 
factoring algorithms can get; there must be some intrinsic limit to 
factoring speed, but this limit remains unknown.


4.6 What are the best factoring methods in use today?

Factoring is a very active field of research among mathematicians and
computer scientists; the best factoring algorithms are mentioned below 
with some references and their big-O asymptotic efficiency. O notation 
measures how fast an algorithm is; it gives an upper bound on the number 
of operations (to order of magnitude) in terms of n, the number to be 
factored, and p, a prime factor of n. For textbook treatment of 
factoring algorithms, see [41], [42], [47],
and [11]; for a detailed explanation of 
big-O notation, see [22].

Factoring algorithms come in two flavors, special purpose and general
purpose; the efficiency of the former depends on the unknown factors, 
whereas the efficiency of the latter depends on the number to be factored. 
Special purpose algorithms are best for factoring numbers with small 
factors, but the numbers used for the modulus in the RSA system do not 
have any small factors. Therefore, general purpose factoring algorithms 
are the more important ones in the context of cryptographic systems and 
their security. 

Special purpose factoring algorithms include the Pollard rho method [66], 
with expected running time O(sqrt(p)), and the Pollard p-1 method [67], 
with running time O(p'), where p' is the largest prime factor of p-1. Both 
of these take an amount of time that is exponential in the size of p, the 
prime factor that they find; thus these algorithms are too slow for most 
factoring jobs. The elliptic curve method (ECM) [50] is superior to these; 
its asymptotic running time is O(exp (sqrt (2 ln p ln ln p)) ). The ECM is 
often used in practice to find factors of randomly generated numbers; it is 
not strong enough to factor a large RSA modulus.

The best general purpose factoring algorithm today is the number field 
sieve [16], which runs in time approximately O(exp ( 1.9 (ln n)^{1/3} 
(ln ln n)^{2/3}) ). It has only recently been implemented [15], and is 
not yet practical enough to perform the most desired factorizations. 
Instead, the most widely used general purpose algorithm is the multiple 
polynomial quadratic sieve (mpqs) [77], which has running time 
O(exp ( sqrt (ln n ln ln n)) ). The mpqs (and some of its variations) 
is the only general purpose algorithm that has successfully factored 
numbers greater than 110 digits; a variation known as ppmpqs [49]
has been particularly popular.

It is expected that within a few years the number field sieve will overtake 
the mpqs as the most widely used factoring algorithm, as the size of the 
numbers being factored increases from about 120 digits, which is the current 
threshold of general numbers which can be factored, to 130 or 140 digits. A 
``general number'' is one with no special form that might make it easier to 
factor; an RSA modulus is a general number. Note that a 512-bit number has 
about 155 digits. 

Numbers that have a special form can already be factored up to 155 digits 
or more [48]. The Cunningham Project [14] keeps track of the factorizations 
of numbers with these special forms and maintains a ``10 Most Wanted'' list 
of desired factorizations. Also, a good way to survey current factoring 
capability is to look at recent results of the RSA Factoring Challenge 
(see Question 4.8).


4.7 What are the prospects for theoretical factoring breakthroughs?

Although factoring is strongly believed to be a difficult mathematical
problem, it has not been proved so. Therefore there remains a possibility 
that an easy factoring algorithm will be discovered. This development, which 
could seriously weaken RSA, would be highly surprising and the possibility 
is considered extremely remote by the researchers most actively engaged in 
factoring research. 

Another possibility is that someone will prove that factoring is difficult.
This negative breakthrough is probably more likely than the positive 
breakthrough discussed above, but would also be unexpected at the current 
state of theoretical factoring research. This development would guarantee 
the security of RSA beyond a certain key size.


4.8 What is the RSA Factoring Challenge?

RSA Data Security Inc. (RSADSI) administers a factoring contest with 
quarterly cash prizes. Those who factor numbers listed by RSADSI earn
points toward the prizes; factoring smaller numbers earns more points than
factoring larger numbers. Results of the contest may be useful to those who 
wish to know the state of the art in factoring; the results show the size 
of numbers factored, which algorithms are used, and how much time was 
required to factor each number. Send e-mail to challenge-info@rsa.com 
for information. 


4.9 What is the discrete log problem?

The discrete log problem, in its most common formulation, is to find
the exponent x in the formula y=g^x mod p; in other words, it seeks to 
answer the question, To what power must g be raised in order to obtain 
y, modulo the prime number p? There are other, more general, formulations 
as well.

Like the factoring problem, the discrete log problem is believed to be
difficult and also to be the hard direction of a one-way function. For 
this reason, it has been the basis of several public-key cryptosystems,
including the ElGamal system and DSS (see Questions 2.15 and 6.8). The 
discrete log problem bears the same relation to these systems as factoring 
does to RSA: the security of these systems rests on the assumption that 
discrete logs are difficult to compute.

The discrete log problem has received much attention in recent years; 
descriptions of some of the most efficient algorithms can be found in 
[47], [21], and [33]. The best discrete log problems have expected 
running times similar to that of the best factoring algorithms. Rivest 
[72] has analyzed the expected time to solve discrete log both in terms 
of computing power and money.


4.10 Which is easier, factoring or discrete log?

The asymptotic running time of the best discrete log algorithm is
approximately the same as for the best general purpose factoring
algorithm. Therefore, it requires about as much effort to solve
the discrete log problem modulo a 512-bit prime as to factor a 
512-bit RSA modulus.  One paper [45] cites experimental evidence 
that the discrete log problem is slightly harder than factoring: 
the authors suggest that the effort necessary to factor a 110-digit 
integer is the same as the effort to solve discrete logarithms modulo 
a 100-digit prime. This difference is so slight that it should not 
be a significant consideration when choosing a cryptosystem.

Historically, it has been the case that an algorithmic advance in either 
problem, factoring or discrete logs, was then applied to the other. This 
suggests that the degrees of difficulty of both problems are closely 
linked, and that any breakthrough, either positive or negative, will affect 
both problems equally.


5 DES

5.1 What is DES?

DES is the Data Encryption Standard, an encryption block cipher defined 
and endorsed by the U.S. government in 1977 as an official standard;
the details can be found in the official FIPS publication [59]. It was 
originally developed at IBM. DES has been extensively studied over the 
last 15 years and is the most well-known and widely used cryptosystem 
in the world. 

DES is a secret-key, symmetric cryptosystem: when used for communication,
both sender and receiver must know the same secret key, which is used both
to encrypt and decrypt the message. DES can also be used for single-user
encryption, such as to store files on a hard disk in encrypted form. In
a multi-user environment, secure key distribution may be difficult; 
public-key cryptography was invented to solve this problem (see Question 
1.3). DES operates on 64-bit blocks with a 56-bit key. It was designed to 
be implemented in hardware, and its operation is relatively fast. It works
well for bulk encryption, that is, for encrypting a large set of data. 

NIST (see Question 7.1) has recertified DES as an official U.S. government 
encryption standard every five years; DES was last recertified in 1993, 
by default. NIST has indicated, however, that it may not recertify DES 
again.


5.2 Has DES been broken?

DES has never been ``broken'', despite the efforts of many researchers 
over many years. The obvious method of attack is brute-force exhaustive 
search of the key space; this takes 2^{55} steps on average. Early on 
it was suggested [28] that a rich and powerful enemy could build a 
special-purpose computer capable of breaking DES by exhaustive search 
in a reasonable amount of time. Later, Hellman [36] showed a time-memory 
trade-off that allows improvement over exhaustive search if memory space 
is plentiful, after an exhaustive precomputation. These ideas fostered 
doubts about the security of DES. There were also accusations that the 
NSA had intentionally weakened DES. Despite these suspicions, no feasible 
way to break DES faster than exhaustive search was discovered. The cost 
of a specialized computer to perform exhaustive search has been estimated 
by Wiener at one million dollars [80]. 

Just recently, however, the first attack on DES that is better than 
exhaustive search was announced by Eli Biham and Adi Shamir [6,7],
using a new technique known as differential cryptanalysis. This attack 
requires encryption of 2^{47} chosen plaintexts, i.e., plaintexts chosen 
by the attacker. Although a theoretical breakthrough, this attack is 
not practical under normal circumstances because it requires the attacker 
to have easy access to the DES device in order to encrypt the chosen 
plaintexts. Another attack, known as linear cryptanalysis [51], does not 
require chosen plaintexts.

The consensus is that DES, when used properly, is secure against all but
the most powerful enemies. In fact, triple encryption DES (see Question 
5.3) may be secure against anyone at all. Biham and Shamir have stated 
that they consider DES secure. It is used extensively in a wide variety 
of cryptographic systems, and in fact, most implementations of public-key 
cryptography include DES at some level. 


5.3 How does one use DES securely?

When using DES, there are several practical considerations that can
affect the security of the encrypted data. One should change DES keys 
frequently, in order to prevent attacks that require sustained data 
analysis. In a communications context, one must also find a secure way 
of communicating the DES key to both sender and receiver. Use of RSA or 
some other public-key technique for key management solves both these 
issues: a different DES key is generated for each session, and secure 
key management is provided by encrypting the DES key with the receiver's 
RSA public key. RSA, in this circumstance, can be regarded as a tool for 
improving the security of DES (or any other secret key cipher).

If one wishes to use DES to encrypt files stored on a hard disk, it is
not feasible to frequently change the DES keys, as this would entail 
decrypting and then re-encrypting all files upon each key change. Instead,
one should have a master DES key with which one encrypts the list of DES
keys used to encrypt the files; one can then change the master key 
frequently without much effort.

A powerful technique for improving the security of DES is triple encryption, 
that is, encrypting each message block under three different DES keys in 
succession. Triple encryption is thought to be equivalent to doubling the 
key size of DES, to 112 bits, and should prevent decryption by an enemy 
capable of single-key exhaustive search [53]. Of course, using 
triple-encryption takes three times as long as single-encryption DES.

Aside from the issues mentioned above, DES can be used for encryption in 
several officially defined modes. Some are more secure than others. ECB 
(electronic codebook) mode simply encrypts each 64-bit block of plaintext 
one after another under the same 56-bit DES key. In CBC (cipher block 
chaining) mode, each 64-bit plaintext block is XORed with the previous 
ciphertext block before being encrypted with the DES key. Thus the encryption 
of each block depends on previous blocks and the same 64-bit plaintext 
block can encrypt to different ciphertext depending on its context in the 
overall message. CBC mode helps protect against certain attacks, although 
not against exhaustive search or differential cryptanalysis. CFB (cipher 
feedback) mode allows one to use DES with block lengths less than 64 bits. 
Detailed descriptions of the various DES modes can be found in [60].

In practice, CBC is the most widely used mode of DES, and is specified in 
several standards. For additional security, one could use triple encryption 
with CBC, but since single DES in CBC mode is usually considered secure 
enough, triple encryption is not often used.


5.4 Can DES be exported from the U.S.?

Export of DES, either in hardware or software, is strictly regulated by 
the U.S. State Department and the NSA (see Question 1.6). The government 
rarely approves export of DES, despite the fact that DES is widely 
available overseas; financial institutions and foreign subsidiaries of 
U.S. companies are exceptions. 


5.5 What are the alternatives to DES?

Over the years, various bulk encryption algorithms have been designed as 
alternatives to DES. One is FEAL (Fast Encryption ALgorithm), a cipher for 
which attacks have been discovered [6], although new versions have been 
proposed. Another recently proposed cipher designed by Lai and Massey 
[44] and known as IDEA seems promising, although it has not yet received 
sufficient scrutiny to instill full confidence in its security. The U.S. 
government recently announced a new algorithm called Skipjack (see Question 
6.5) as part of its Capstone project. Skipjack operates on 64-bit blocks of 
data, as does DES, but uses 80-bit keys, as opposed to 56-bit keys in DES. 
However, the details of Skipjack are classified, so Skipjack is only 
available in hardware from government-authorized manufacturers.

Rivest has developed the ciphers RC2 and RC4 (see Question 8.6), which can 
be made as secure as necessary because they use variable key sizes. Faster 
than DES, at least in software, they have the further advantage of special 
U.S. government status whereby the export approval is simplified and 
expedited if the key size is limited to 40 bits. 


5.6 Is DES a group?

It has been frequently asked whether DES encryption is closed under
composition; i.e., is encrypting a plaintext under one DES key and
then encrypting the result under another key always equivalent to a 
single encryption under a single key? Algebraically, is DES a group?
If so, then DES might be weaker than would otherwise be the case; see 
[39] for a more complete discussion. However, the answer is no, DES 
is not a group [18]; this issue was settled only recently, after many 
years of speculation and circumstantial evidence. This result seems to 
imply that techniques such as triple encryption do in fact increase 
the security of DES.


       --------------------------------------------

RSA Laboratories is the research and consultation division of RSA Data
Security, Inc., the company founded by the inventors of the RSA
public-key cryptosystem. RSA Laboratories reviews, designs and
implements secure and efficient cryptosystems of all kinds. Its
clients include government agencies, telecommunications companies,
computer manufacturers, software developers, cable TV broadcasters,
interactive video manufacturers, and satellite broadcast companies,
among others.

For more information about RSA Laboratories, call or write to 
                        RSA Laboratories
                        100 Marine Parkway
                        Redwood City, CA 94065
                        (415) 595-7703
                        (415) 595-4126 (fax)



PKCS, RSAREF and RSA Laboratories are trademarks of RSA Data
Security, Inc. All other trademarks belong to their respective 
companies.

This document is available in ASCII, Postscript, and Latex formats
via anonymous FTP to rsa.com:/pub/faq.

Please send comments and corrections to faq-editor@rsa.com.



===
DISTRIBUTION: How to obtain this document

This document has been brought to you in part by CRAM, involved in the
redistribution of valuable information to a wider USENET audience (see
below). The most recent version of this document can be obtained via
the author's instructions above. The following directions apply to 
retrieve the possibly less-current USENET FAQ version.

  FTP
  ---
    This FAQ is available from the standard FAQ server rtfm.mit.edu via
    FTP in the directory /pub/usenet/news.answers/cryptography-faq/rsa/

  Email
  -----
    Email requests for FAQs go to mail-server@rtfm.mit.edu with commands
    on lines in the message body, e.g. `help' and `index'.

  Usenet
  ------
    This FAQ is posted every 21 days to the groups

      sci.crypt
      talk.politics.crypto
      alt.security.ripem
      sci.answers
      talk.answers
      alt.answers
      news.answers

_ _, _ ___ _, __,  _, _  _, ___ _  _, _, _ _  _, __,  _, _  _ ___ __,
| |\ | |_ / \ |_)  |\/| / \  |  | / \ |\ | | (_  |_) / \ |  | |_  | )
| | \| |  \ / | \  |  | |~|  |  | \ / | \| | , ) |   \ / |/\| |   |~\
~ ~  ~ ~   ~  ~  ~ ~  ~ ~ ~  ~  ~  ~  ~  ~ ~  ~  ~    ~  ~  ~ ~~~ ~  ~

===
CRAM: The Cyberspatial Reality Advancement Movement

In an effort to bring valuable information to the masses, and as a
service to motivated information compilers, a member of CRAM can help
others unfamiliar with Usenet `publish' their documents for
widespread dissemination via the FAQ structure, and act as a
`sponsor' knowledgable in the submissions process. This document is
being distributed under this arrangement.

We have found these compilations tend to appear on various mailing
lists and are valuable enough to deserve wider distribution. If you
know of an existing compilation of Internet information that is not
currently a FAQ, please contact us and we may `sponsor' it. The
benefits to the author include:

- use of the existing FAQ infrastructure for distribution:
  - automated mail server service
  - FTP archival
  - automated posting

- a far wider audience that can improve the quality, accuracy, and 
  coverage of the document enormously through email feedback

- potential professional inquiries for the use of your document in 
  other settings, such as newsletters, books, etc.

- with us as your sponsor, we will also take care of the 
  technicalities in the proper format of the posted version and 
  updating procedures, leaving you free of the `overhead' to focus on 
  the basic updates alone

The choice of who we `sponsor' is entirely arbitrary. You always have
the option of handling the submission process yourself.  See the FAQ
submission guidelines FAQ in news.answers. 

For information, send mail to <tmp@netcom.com>.

 \   \   \   \   \   \   \   \   \   |   /   /   /   /   /   /   /   /   /   /
          _______       ________          _____        _____  _____
         ///   \\\      |||   \\\        /// \\\       |||\\\///|||
        |||     ~~      |||   ///       |||   |||      ||| \\// |||
        |||     __      |||~~~\\\       |||~~~|||      |||  ~~  |||
         \\\   ///      |||    \\\      |||   |||      |||      |||
          ~~~~~~~       ~~~     ~~~     ~~~   ~~~      ~~~      ~~~
 /   /   /   /   /   /   /   /   /   |   \   \   \   \   \   \   \   \   \   \

C y b e r s p a t i a l  R e a l i t y  A d v a n c e m e n t  M o v e m e n t

* CIVILIZING CYBERSPACE: send `info cypherwonks' to majordomo@lists.eunet.fi *