Host cryptographic operations: A software implementation


Hilmi Erdem
Research Assistant, Department of Informatics, Vrije Universiteit Brussel, Brussels, Belgium

Integrating cryptography into computer networks is a topic of current interest. A comparative overview of two well-defined key management schemes using the Data Encryption Standard, the IBM Cryptographic System and the Key Notarization System, is presented with emphasis on the interaction between the host operating system and the host cryptographic operations suggested in the two systems. A software scheme to implement the host cryptographic operations defined by the KNS is outlined.

Keywords: Computer Networks, Data Security, Key Management, Host Cryptographic Operations

Hilmi Erdem received the B.S. in Electrical Engineering (High Hons.) from Middle East Technical University, Ankara, Turkey in 1979 and the degree of “Grade complémentaire de l’Ingénieur des Télécommunications et de l’Electronique” (Distinction) from l’Université Libre de Bruxelles, Brussels, Belgium in 1981. From September 1981 to September 1982 he worked as an R&D engineer in an electronics company based in Ankara, Turkey, where he participated in the design of a patient-monitoring system. He is currently both a research assistant and a doctoral candidate working in the areas of computer communication, operating systems and computer network security at the Department of Informatics, Vrije Universiteit Brussel, Brussels, Belgium.

* This work has been carried out as part of research projects in Computer Crime & Computer Security in the Center for International Criminal Law of the Vrije Universiteit Brussel, Brussels, Belgium.

Computers & Security 5 (1986) 344-346. North-Holland. 0167-4048/86/$3.50 © 1986, Elsevier Science Publishers B.V. (North-Holland)

1. Introduction

Potential security violations in an electronic data processing environment are categorized as unauthorized release of information, unauthorized modification of information and unauthorized denial of use of resources. Physical theft of data storage media, active and passive wiretapping, and Trojan Horse attacks are all possible causes of such violations. In a network environment, cryptography helps provide secure on-line and off-line communications, and secure storage and transport of data. It prevents unauthorized release of information and helps detect other types of attacks in conjunction with suitable protocols. Schemes have been developed that use public-key and conventional cryptographic algorithms. Two schemes that use the Data Encryption Standard (DES) are IBM’s cryptographic system [2-4] and the Key Notarization System (KNS) described by Miles E. Smid [1].

2. Comparative Overview of the KNS and the IBM Cryptographic System

Both of these systems are designed for computer networks which consist of host computers, to which a number of user terminals are interconnected by communication channels. A user terminal connected to one host can communicate with terminals on the same host or with terminals of other hosts via these communication channels. This pattern of data exchange implies the degree of granularity of key distribution required: the endpoints of a data exchange operation are user terminals (in the KNS, the terminal-to-host connections are assumed to be physically protected, and the endpoints are the users themselves). Such a fine level of granularity leads to the so-called key proliferation problem. In order to deal with this problem, both systems define a hierarchy of keys in which there are two types of keys: data-encrypting keys, which are used to securely store and exchange data between users, and key-encrypting keys, which are used to securely store and exchange data-encrypting keys between users. Key-encrypting keys are used as a bootstrapping mechanism for secure distribution and storage of data-encrypting keys and, in the IBM scheme, for secure storage of other key-encrypting keys at a lower level in the key hierarchy. The exact way the key hierarchy is defined is different in the two systems. In the IBM system, a clear distinction is made between on-line communications on the one hand and off-line communications and file security on the other, whereas in the KNS no such distinction is made.

An important part of these two systems is a secure, tamper-resistant area at every host in the network where the clear keys at the top of the key hierarchy are stored and the cryptographic operations required by the system are implemented. These operations are defined in such a way that it is not possible to recover keys in the clear outside this secure area, regardless of the inherent security of the supporting operating system. Only encrypted keys exist outside this area, some of them only temporarily and others for longer periods of time. These keys are presented in encrypted form as parameters to any cryptographic operation in which they are used. Data-encrypting keys for on-line communications exist only during a communications session and are erased or overwritten at the completion of the session. They may need to be temporarily stored in user memory because of resource-sharing due to other active communication sessions. During these short periods, they may be stolen (by copying) or substituted by other keys. But the danger is more real in the case of off-line communications and file security. In these cases, data-encrypting keys encrypted under key-encrypting keys, or encrypted key-encrypting keys in lower levels of the key hierarchy, exist for longer periods of time in unprotected memory. Encryption provides only key secrecy but is not effective against theft or substitution.
Therefore, in the IBM scheme, which provides only key secrecy, the supporting operating system is required to provide read/write protection of the memory where encrypted keys are stored, through access-control mechanisms, to protect against attacks from malicious but otherwise legitimate users of the system. Another possible way [4,5] defines additional operations in the cryptographic system that implement techniques of validation of time-invariant quantities. The approach taken in the KNS is to use the identifiers of the two parties involved in the exchange of data in the cryptographic process to obtain encrypted data keys. A user invoking an encipher or decipher operation must also supply his own identifier and that of the other party in addition to the encrypted data key (loading of data keys and encipherment/decipherment are, in fact, defined as separate operations for efficiency reasons). The system must also be able to check the authenticity of the supplied user identifier by some personal authentication mechanism. The KNS requires the inclusion of a strong user authentication scheme into the cryptographic system. The way in which the two identifiers are used to encrypt and decrypt data keys is as follows. Let

i - 28-bit identifier of the user invoking the operation,
j - 28-bit identifier of the other party involved in the data exchange,
KS - 56-bit key-encrypting key,
KD - 64-bit data key (56 key bits + 8 parity bits),
$E_K(D)$ - encryption of a 64-bit data block D under 56-bit key K,
XOR - exclusive-or operation,
|| - concatenation operation.

Then, the encrypted data key is obtained as follows:

$$\text{encrypted data key} = E_{KS\ \mathrm{XOR}\ F(i,j)}(KD)$$

where $F(i, j) = i \,\|\, j$. With this method of obtaining encrypted data keys, attacks of theft are eliminated because the thief would need to be authenticated by the system as one of the parties in order to recover the key in the clear; this is prevented by the personal authentication mechanism, which we assume to be strong. The attack in which an opponent substitutes a data key that he knows for a data key to be used in a data exchange would also not succeed because, during the calculation of the clear key, a different identifier than that of the opponent would be used, producing a totally different key from the one originally provided by the opponent. Note finally that $F(i, j) \neq F(j, i)$ if $i \neq j$. This additional property makes it possible to implement digital signatures. We refer the reader for this and other details about the KNS to [1].
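The key-notarization formula of this section, worked through as an added example that is not part of the paper (the paper's own implementation was a set of VAX/VMS system calls and is not reproduced here). It uses Go's standard crypto/des for E; the 56-bit value KS XOR F(i, j) is expanded into the 8-byte DES key layout by inserting one odd-parity bit per byte (an assumption about how the 56-bit key is fed to DES); the interchange key, data key and the three identifiers are constructed sample values. The main function exercises the three properties the text claims: the same ordered pair (i, j) recovers KD, a thief authenticated under his own identifier does not, a key the opponent notarized for himself loads as an unrelated key under the legitimate identifier, and F(i, j) differs from F(j, i).

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
	"math/bits"
)

// Widths follow the paper: 28-bit user identifiers, a 56-bit interchange
// (key-encrypting) key KS, and a 64-bit data key KD (56 key bits + 8 parity bits).
const idBits = 28

// notaryMask builds F(i, j) = i || j as a 56-bit value with i in the high 28 bits.
// Because the two halves are ordered, F(i, j) != F(j, i) whenever i != j.
func notaryMask(i, j uint32) uint64 {
	m := uint64(1)<<idBits - 1
	return (uint64(i)&m)<<idBits | (uint64(j) & m)
}

// desKeyFromBits expands a 56-bit value into the 8-byte DES key layout:
// seven key bits per byte followed by one odd-parity bit in the low position.
// (Assumed layout for this example; the paper does not spell it out.)
func desKeyFromBits(k56 uint64) []byte {
	key := make([]byte, des.BlockSize)
	for n := des.BlockSize - 1; n >= 0; n-- {
		b := byte(k56&0x7f) << 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // make the byte's bit count odd
		}
		key[n] = b
		k56 >>= 7
	}
	return key
}

// notaryCipher returns DES keyed with KS XOR F(i, j), the key under which a
// data key is notarized for the ordered pair (i, j).
func notaryCipher(ks uint64, i, j uint32) (cipher.Block, error) {
	return des.NewCipher(desKeyFromBits(ks ^ notaryMask(i, j)))
}

// notarize computes E_{KS XOR F(i,j)}(KD): the encrypted data key, which is the
// only form in which the data key exists outside the protected area.
func notarize(ks uint64, i, j uint32, kd []byte) ([]byte, error) {
	if len(kd) != des.BlockSize {
		return nil, errors.New("data key must be 64 bits")
	}
	c, err := notaryCipher(ks, i, j)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, kd)
	return out, nil
}

// unnotarize is the key-loading step: it yields the original KD only when the
// same ordered pair (i, j) is supplied; any other pair produces an unrelated key.
func unnotarize(ks uint64, i, j uint32, enc []byte) ([]byte, error) {
	if len(enc) != des.BlockSize {
		return nil, errors.New("encrypted data key must be 64 bits")
	}
	c, err := notaryCipher(ks, i, j)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, enc)
	return out, nil
}

func main() {
	// Constructed sample values, not taken from the paper.
	ks := uint64(0x0123456789abcd)         // 56-bit interchange key
	kd := desKeyFromBits(0x55aa55aa55aa55) // 64-bit data key with valid parity
	user, other, opponent := uint32(0x101), uint32(0x202), uint32(0x303)

	enc, _ := notarize(ks, user, other, kd)
	got, _ := unnotarize(ks, user, other, enc)
	fmt.Println("same (i, j) recovers KD:", bytes.Equal(got, kd))

	// Theft: a third party holding the encrypted key, authenticated as himself.
	stolen, _ := unnotarize(ks, opponent, other, enc)
	fmt.Println("opponent recovers KD:", bytes.Equal(stolen, kd))

	// Substitution: a key the opponent notarized for himself does not load as
	// that key under the legitimate user's identifier.
	planted, _ := notarize(ks, opponent, other, kd)
	loaded, _ := unnotarize(ks, user, other, planted)
	fmt.Println("planted key loads as the opponent's key:", bytes.Equal(loaded, kd))

	// Direction: F(i, j) != F(j, i), so the reversed pair yields a different key.
	reversed, _ := unnotarize(ks, other, user, enc)
	fmt.Println("reversed pair recovers KD:", bytes.Equal(reversed, kd))
}
```

In a facility as the paper describes it, unnotarize would keep the clear KD inside the protected area and hand the caller only a session handle; returning it here is for demonstration only.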

3. A Software Implementation

The secure area mentioned above is implemented as a hardware device in both systems. This hardware device is called a Cryptographic Facility in the IBM system, and a Key Notarization Facility (KNF) in the KNS. This approach can provide a faster implementation and, in the KNF case, does not depend on the protection features of the host operating system to provide key secrecy and protect against key theft and substitution. But it requires additional cost. This cost can be avoided in hosts with operating systems implementing protected memory: the secure area needed for the cryptographic subsystem would be implemented in protected memory. Moreover, such an implementation can be an interim solution until economical hardware implementations become available on the market.

We used the department’s VAX-11/750/VMS computer facility to implement and test the above ideas in the case of the KNS. Since the host operating system authenticates users through a password scheme before giving them access to its resources, the operations required for user authentication in the KNS are no longer necessary, reducing the number of operations at the user-cryptographic subsystem interface. We have implemented this reduced set of cryptographic operations as a set of system calls. Key-encrypting keys, called interchange keys in the KNS, form the top level of the key hierarchy and the backbone of key management. Interchange keys themselves, the code implementing KNS operations, the temporary storage required to hold intermediate results during code execution, and active session parameters (such as initialization vectors, clear data keys, DES tables, etc.) are all stored in protected memory. Data keys are stored outside the protected memory by encrypting them in the way described above. In VAX/VMS, memory protection is implemented by defining a hierarchy of states that a process may be in: user, supervisor, executive, kernel. The user mode is the least privileged and

the kernel mode is the most privileged of all four states. A process executing in a low-privileged mode can execute more privileged code by making system calls implemented through Change Mode instructions. We have implemented the KNS operations in memory protected by kernel mode. When a process executes a Change-Mode-to-Kernel instruction specifying the code of a key-loading operation, the KNS code fetches from the Process Control Block of the calling process the identifier of the user on behalf of whom the process is executing. Therefore every call is automatically associated with an authenticated user identifier. VAX/VMS defines a 16-bit user identification code which is mapped into a global 28-bit user identifier by the KNS code and used in the Key Notarization operations, preventing a user from pretending to be some other user. Moreover, user code executing in lower-privileged modes can in no way modify the areas protected by the kernel mode, and a process invoking KNS operations can act on the data structures of the KNS only in the ways defined by those operations, because the process gets trapped by the system when it makes a system call. Finally, we note that the execution time of our software DES implementation is approximately 35 ms, and that one other software DES implementation under VAX-11/780/VMS is reported to have an execution time of 2.5 ms [6], which indicates that the speed of our implementation can be improved by careful coding.

References

[1] M.E. Smid: “Integrating the Data Encryption Standard into computer networks”. IEEE Trans. on Communications, COM-29, No. 6, pp. 762-772 (June 1981).
[2] W.F. Ehrsam, S.M. Matyas, C.H. Meyer and W.L. Tuchman: “A cryptographic key management scheme for implementing the Data Encryption Standard”. IBM Systems J., 17, No. 2, pp. 106-125 (May 1978).
[3] S.M. Matyas and C.H. Meyer: “Generation, distribution and installation of cryptographic keys”. IBM Systems J., 17, No. 2, pp. 126-137 (May 1978).
[4] C.H. Meyer and S.M. Matyas: “Cryptography: A New Dimension in Computer Data Security”. John Wiley and Sons, New York (1982).
[5] R.E. Lennon, S.M. Matyas and C.H. Meyer: “Cryptographic Authentication of Time-Invariant Quantities”. IEEE Transactions on Communications, COM-29, No. 6, pp. 773-777 (June 1981).
[6] A. Sorkin and J.C. Buchanan: “Measurement of Cryptographic Capability Protection Algorithms”. Computers and Security, Vol. 3, No. 2 (May 1984).