Weak spots of cryptographic systems, by B. Schneier




In popular magazines, encryption products are usually classified by algorithm and key length. Reviews run under bright headlines. The description of a product's features and its comparison with competing offerings often fits into just a few words. Surely each of you has come across statements like "128-bit keys provide reliable protection, while 40-bit keys are easily broken", "the triple-DES algorithm is much more reliable than ordinary DES", or even "RSA encryption with a 2048-bit key is better than RSA with a 1024-bit key".

In cryptography, however, things are not so simple: longer keys by no means guarantee greater security.

Let's compare an encryption algorithm to the lock on a front door. Many door locks have four metal pins, each of which can be in one of ten positions. If the key matches the lock's configuration, the lock opens. Thus the design of such a lock allows 10,000 different combinations, and to get into the house a burglar would have to try up to 10,000 keys.

Locks of a more advanced design already have ten pins (10 billion combinations), but that does not mean the owner can stop worrying about the safety of the home. It is abundantly clear that burglars will not try every possible key in turn (that would be far too primitive): they are clever enough to get into the house another way (and here the analogy with cryptographic attacks emerges). It is much easier and more effective to break a window, force the door, or dress up as a police officer and put a gun to the head of an unsuspecting owner. One robber in California, without a second thought, sawed through the wall of a house with a chainsaw. Clearly, even the best locks will not save you from actions like these.

Powerful, competently built cryptographic systems can do a great deal, but they cannot be considered a panacea for all troubles. Users who pay too much attention to encryption algorithms at the expense of other security measures are like people who, instead of surrounding their property with a high fence, put a massive gate across the road, never reflecting that an intruder can simply step aside and walk around this "impregnable bastion". Skilled burglars will slip through even the most inconspicuous gap.

Counterpane Systems has for many years been designing, analysing and breaking encryption systems. We study algorithms and protocols whose specifications are published in the open literature; most of our work is connected with studying the features of specific products. We have designed and analysed tools that protect privacy, guarantee confidentiality, ensure fairness and keep electronic commerce systems running. We have worked with a great variety of software packages, stand-alone hardware and combined hardware-software solutions. We know the weak spots of encryption algorithms very well, but almost always we found more elegant ways of bypassing the security systems.


 Attacks on the architecture



A cryptographic system cannot be more reliable than the individual encryption algorithms used in it. In other words, to overcome a security system it is enough to crack any one of its components. Using good building materials is still no guarantee of a sturdy building, and a cryptographic system built from powerful algorithms and protocols can likewise turn out to be weak.

Many systems "lose their security guarantee" when used incorrectly. Say, the validity of variable values is not checked, or "random" parameters are reused, which is absolutely unacceptable. Encryption algorithms do not necessarily provide data integrity. Key exchange protocols do not necessarily guarantee that both parties end up with the same key.

Some encryption systems that use related keys can be cracked even if each key on its own is secure. To provide security it is not enough simply to implement an algorithm and hope that everything will work. Even qualified engineers, help from well-known companies and persistent work cannot guarantee absolute reliability. The flaws found in the encryption algorithms of the CDMA and GSM cellular standards, and in Microsoft's Point-to-Point Tunneling Protocol (PPTP), illustrate this vividly. For example, in the fairly reliable RC4 algorithm on which PPTP is built, we managed to find a mode of use that rendered the protection completely transparent.
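Two of the failures named above, encryption that provides no integrity and "random" parameters that get reused, are easy to see in code. The following Python example is added here and is not from the article or from Counterpane; it uses a constructed toy stream cipher (HMAC-SHA256 in counter mode, standing in for any stream cipher or CTR mode) and constructed messages. It shows that a single flipped ciphertext bit silently changes a decrypted amount, that Encrypt-then-MAC rejects the same tampering, and that reusing a nonce under one key exposes the XOR of two plaintexts.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    Constructed for illustration; it behaves like any stream cipher or CTR mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream). Nothing protects integrity."""
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_only(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(key, nonce, len(ct)))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: a tag over nonce and ciphertext, under a separate key."""
    body = encrypt_only(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return decrypt_only(enc_key, body)


def bitflip_without_mac(key: bytes) -> bytes:
    """Flip one ciphertext byte under encryption alone. The receiver decrypts a changed
    amount and gets no error. Returns what the receiver sees."""
    blob = bytearray(encrypt_only(key, secrets.token_bytes(NONCE_LEN), b"PAY 0100 TO ALICE"))
    blob[NONCE_LEN + 4] ^= ord("0") ^ ord("9")  # plaintext byte 4 is the first digit
    return decrypt_only(key, bytes(blob))


def bitflip_with_mac(enc_key: bytes, mac_key: bytes) -> bool:
    """The same flip against Encrypt-then-MAC: True when the tampering is rejected."""
    blob = bytearray(encrypt_then_mac(enc_key, mac_key, secrets.token_bytes(NONCE_LEN),
                                      b"PAY 0100 TO ALICE"))
    blob[NONCE_LEN + 4] ^= ord("0") ^ ord("9")
    try:
        decrypt_then_verify(enc_key, mac_key, bytes(blob))
        return False
    except ValueError:
        return True


def nonce_reuse_exposes_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Reusing a 'random' nonce with the same key: the XOR of the two ciphertexts equals the
    XOR of the two plaintexts, so the keystream no longer hides how the messages relate."""
    c1 = encrypt_only(key, nonce, p1)[NONCE_LEN:]
    c2 = encrypt_only(key, nonce, p2)[NONCE_LEN:]
    return xor(c1, c2) == xor(p1, p2)
```

The design points a practitioner should take from this: an integrity tag is a separate mechanism with its own key, the tag is compared in constant time, and the nonce is never reused under a key, which means it must come from a source that cannot repeat, not from a "random" parameter that the program happens to pick twice.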

Another weak spot of cryptographic tools is random number generators. Developing a good random number generator is hard, since it often depends on the peculiarities of the hardware and software [1,2]. An encryption system may be implemented to a high standard, but if the random number generator produces easily guessed keys, all the remaining barriers are overcome without much effort. A number of products use random number generators whose keys follow a discernible pattern. In such cases there is no point in talking about security. Interestingly, the same generator may provide the required degree of security in some applications and not in others.
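The pattern behind "easily guessed keys" is usually a generator whose output is a function of a small seed. The following Python example is added here and is not from the article; it contrasts a general-purpose PRNG seeded from one small value with the operating system's entropy source, bounds the effective key strength by the seed size, and runs a simple distinct-key check against a constructed stand-in for a clock-seeded generator (only 1024 possible seeds), a test a reviewer can apply to any key generator.

```python
import random
import secrets


def key_from_seeded_prng(seed: int, key_len: int = 16) -> bytes:
    """Weak design: a general-purpose PRNG seeded from one small value.
    Every key is a deterministic function of the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(key_len))


def key_from_os_entropy(key_len: int = 16) -> bytes:
    """The OS entropy source is the right tool for key material."""
    return secrets.token_bytes(key_len)


def effective_key_bits(key_len: int, seed_bits: int) -> int:
    """An attacker only needs to enumerate seeds, so the strength is bounded by the seed,
    however long the key itself is."""
    return min(8 * key_len, seed_bits)


def count_distinct_keys(generator, draws: int) -> int:
    """Sanity check a generator: draw many keys and count how many are distinct.
    A generator whose seed carries only a few bits of entropy repeats itself quickly."""
    return len({generator() for _ in range(draws)})


def clock_seeded_generator() -> bytes:
    """Constructed stand-in for a generator seeded from a low-resolution clock:
    only 1024 possible seeds, so at most 1024 possible keys."""
    return key_from_seeded_prng(secrets.randbelow(1024))
```

The distinct-key count is a coarse test; it catches a generator with a tiny seed space, but a generator with a 32-bit seed passes it and is still far below the strength its 128-bit keys suggest, which is what effective_key_bits is for.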

Another possible weak spot is the interaction between individually secure encryption protocols [3]. For almost any secure protocol it is possible to find another, no less reliable one, that nullifies all the advantages of the first if both use the same keys on the same device. When various security standards are applied in one environment, insufficiently careful interaction between them can often lead to very undesirable consequences.


 Attacks on specific implementations



Many systems fail because of implementation errors. Some products do not guarantee that, having encrypted a text, they destroy the original. Others use temporary files to prevent data loss in case of a system crash, and available RAM is extended with virtual memory; in that case fragments of unencrypted text may end up on the hard disk.

Buffer overflows, classified information not completely erased, insufficiently reliable error detection and recovery: all these are examples of gaps in specific implementations through which intruders very often get in. In the most egregious cases the operating system even leaves keys on the hard disk. In one product from a large software company the password was entered through a special window. The password remained in the window's buffer even after the window was closed. There was no point in investigating the security of the system any further: we had got into it through the user interface.

The weaknesses of other products were not so obvious. Sometimes the same data was encrypted with two keys: the first was strong, while the second was easy enough to guess; but experiments with the already recovered key then helped recover the other one. In other systems master keys and per-session keys were used; insufficient attention was paid to the security of the master key, and the main hopes were pinned on the one-time keys. To create a really reliable security system it is necessary to completely exclude the possibility of analysing the structure of the keys, rather than limiting oneself to the most obvious safety measures.

Designers of electronic commerce systems are often forced to compromise for the sake of expanded functionality. And since developers prefer to sacrifice security, holes keep appearing in the protection. Verification of accounting records, for example, may be carried out only once a day, but in a few hours an intruder can do truly enormous damage! Overloading the identification procedure can lead to the attacker's identity going unrecognised. Some systems put doubtful keys on "black lists"; gaining access to these lists substantially simplifies the intruder's task. Many security systems are overcome by repeated attacks and by replaying old messages, or parts of them, that confuse the system.

Systems with key splitting (key recovery) [4] carry the potential danger of restoring previously used keys. In good cryptographic systems the lifetime of a key is limited to as short an interval as possible. A recovery procedure lets the life of a key be prolonged after it has already been retired. The databases used for key recovery are a source of danger in themselves, and their architecture must be checked with special care. In some cases gaps in them allowed intruders to masquerade as legitimate users.


 Attacks on the hardware



Some systems (most often commercial ones) have a so-called "security perimeter" consisting of hardware with increased resistance to tampering (smart cards, electronic wallets, electronic keys, etc.) [5,6]. Designers of such systems proceed from the assumption that the architecture inside this perimeter is reliably protected from unauthorised access. This is a very important component of complex security systems, but one should not rely completely on the reliability of hardware whose protection is designed only against theft and clumsy handling.

The majority of such technologies do not work in practice, and the tools for breaking them are continuously improved [5,6]. When designing such systems it is very important not to forget about additional protection mechanisms that must work if intruders manage to overcome the first line of defence. One should try to complicate the adversary's task as much as possible and make its solution unprofitable from an economic point of view. The cost of the protected data should be considerably below the cost of breaking the security system. The value of an electronic travel card cannot compare with the value of a securities portfolio, and the protection must be designed accordingly.

In 1995 the number of "timing attacks" increased considerably: it was discovered that secret RSA keys can be recovered by measuring the time intervals between encryption operations [7]. A number of cases of successful breaking of smart cards, and also of electronic commerce servers on the Internet, have been recorded. It turned out that the attacks were built on measuring power consumption, analysing electromagnetic radiation and other side-channel sources of information. Using these indicators, cryptographers managed to reconstruct the logic of many public-key systems, demonstrating their unreliability.
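The simplest instance of the timing leak described above is a comparison that stops at the first mismatching byte, so the time it takes depends on how much of the secret a guess got right. The following Python example is added here and is not from the article or from [7]; it instruments an early-exit comparison and a constant-time one with a count of the bytes each examines (a stand-in for measured time), and shows the library primitive, hmac.compare_digest, that production code should use for tags and password hashes.

```python
import hmac


def naive_compare(secret: bytes, guess: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined).
    The work done, and therefore the time taken, depends on the secret."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for x, y in zip(secret, guess):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes):
    """Examines every byte and accumulates the difference with no data-dependent branch.
    Returns (equal, bytes_examined); bytes_examined is always the full length."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for x, y in zip(secret, guess):
        diff |= x ^ y
    return diff == 0, len(secret)


def work_profile(compare, secret: bytes, guesses):
    """Work done by `compare` for each guess. A profile that grows with the length of the
    matching prefix is the leak: it lets a secret be recovered one byte at a time."""
    return [compare(secret, g)[1] for g in guesses]


def verify_tag(received: bytes, expected: bytes) -> bool:
    """What production code should call instead of == on secrets."""
    return hmac.compare_digest(received, expected)


# Constructed secret and guesses whose matching prefixes grow from 0 to the full length.
SECRET = b"abcdef"
GUESSES = [b"xbcdef", b"abxdef", b"abcdex", b"abcdef"]
```

The naive profile for the constructed guesses is [1, 3, 6, 6], the constant-time profile is [6, 6, 6, 6]. The byte count stands in for wall-clock time; on real hardware the same shape appears in the timing distribution, which is why the comparison of anything secret must not depend on its contents.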

Fault analysis, which makes it possible to find weak spots in cryptoprocessors and recover secret keys, has gained great popularity. Such methods are closer in spirit to biology: the cryptographic system is treated as a complex object that reacts to external stimuli. They cannot be described precisely by mathematical equations, but the consequences of such attacks are destructive.


 Attacks on trust models



Many interesting ways of overcoming protective boundaries are connected with the system's trust model. First of all, it is necessary to identify the links between the individual components of the system and to understand the restrictions and the mechanism for implementing the trust scheme. Simple systems (tools for encrypting telephone conversations and the information on hard disks) use elementary trust models. Complex systems (electronic commerce tools or the protection of multi-user e-mail packages) are built on complex (and much more reliable) trust models describing the interrelations of many elements.

An e-mail program may use a super-reliable message encryption algorithm, but if the keys are not certified by a trusted source, and this certification cannot be confirmed in real time, the security of the system remains in doubt. Some trading systems can be opened by collusion between seller and buyer, or by the combined efforts of several clients. In other systems security tools are present, but nobody ever checks their quality. If the trust model is not documented, then in the course of extending a product one may accidentally make inadmissible changes, after which the symmetry of the security system is broken.

Many software packages trust the security of the hardware too much. It is assumed that the computer is absolutely safe. Sooner or later a "Trojan horse" that collects passwords, reads unencrypted text or otherwise interferes with the protection system gets into such a program. Developers of systems that operate in computer networks must take care of the security of the network protocols. The vulnerability of computers connected to the Internet is many times greater.

An encryption system that can be overcome "from the network" is no good anywhere. No program's security has survived the adversary managing to reverse-engineer it. Very often a system is designed for one trust model, while in practice the implementation ends up with a completely different one. The decisions made during design are completely ignored after the finished product is handed over to users. A system that is absolutely safe when its operators are trustworthy and access to the computers is fully controlled loses all its advantages if the operators' duties are performed by low-paid workers hired for a short term and physical control over the computers is lost.

Good trust models, however, continue to work even when individual components fail.


 Attacks on users



Even if a system guarantees reliable protection when operated correctly, users can accidentally break it, especially if the system is poorly designed [8]. The classic example is an employee who gives his password to colleagues so that they can solve urgent problems during his absence. An attack that takes the "human factor" into account often turns out to be far more effective than months of painstaking algorithm analysis [9].

Users may fail to report the loss of a smart card for several days. They do not pay the required attention to checking digital signatures. Secret passwords are at times reused in unclassified systems. Customers make no attempt at all to fix weak spots in the security system. Of course, even good systems cannot eliminate the consequences of causes of a social nature, but they can reduce them to a minimum.

Many products are cracked because their protection is built on passwords chosen by users. Left to themselves, people do not think about how to choose an unusual sequence of characters. After all, a password that cannot be guessed is not so easy to remember. If such a password is used as a secret key, it can usually be recovered much more easily and faster than by brute force.

Many user interfaces make the intruder's task even easier by limiting the password length to 8 characters, converting the entered sequence to lower case, and so on. Even passphrases do not provide the required degree of security: it is much easier for an attacker to guess a 40-letter phrase than to try all possible 64-bit random keys. Sometimes protection whose session keys use a very reliable mechanism collapses because of weak passwords intended for key recovery. The desire to facilitate system recovery after a failure actually opens a back door to the attacker.
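The comparison between a 40-letter phrase and a 64-bit key, and the damage done by an interface that truncates and case-folds, can be made concrete. The following Python example is added here and is not from the article; the 1.3 bits per letter figure for natural-language text is an assumption used for the estimate, not a value the article states. Beyond the estimates, it shows the two ways a password ends up as a key: copied straight into the key slot (the weakness the passage describes) and derived through PBKDF2-HMAC-SHA256 with a per-user salt and an iteration count, which multiplies the cost of every guess.

```python
import hashlib
import math

# Common rough estimate for the entropy of natural-language text; an assumption.
ENGLISH_BITS_PER_LETTER = 1.3


def random_key_bits(alphabet_size: int, length: int) -> float:
    """Search space of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(letters: int) -> float:
    """Search space of a natural-language passphrase under the bits-per-letter estimate."""
    return letters * ENGLISH_BITS_PER_LETTER


def password_policy_bits(max_len: int, alphabet_size: int, lowercase_only: bool) -> float:
    """What the interface leaves the attacker to search after truncation and case folding.
    alphabet_size is the alphabet the user intended; folding halves a mixed-case alphabet."""
    effective_alphabet = alphabet_size // 2 if lowercase_only else alphabet_size
    return random_key_bits(effective_alphabet, max_len)


def key_direct_from_password(password: str, key_len: int = 16) -> bytes:
    """Weak: password bytes padded or truncated straight into the key slot. The key is
    exactly as guessable as the password, and two users with the same password share it."""
    return password.encode()[:key_len].ljust(key_len, b"\0")


def derive_key(password: str, salt: bytes, iterations: int = 600_000, key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes each user's key distinct and the iteration count
    makes every guess cost the attacker `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, key_len)


def guessing_work_bits(secret_bits: float, iterations: int) -> float:
    """Work to exhaust the secret space through the derivation: secret bits + log2(iterations)."""
    return secret_bits + math.log2(iterations)
```

Under the assumed estimate a 40-letter phrase is worth about 52 bits, below the 64-bit key, and an 8-character lower-cased password about 37.6 bits. Key derivation does not create entropy the password lacks; it only raises the price of each guess, so the policy that truncates and case-folds still has to go.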


 Attacks on recovery mechanisms



Developers of reliable systems cannot seal up every tiny crack in the security fence, but they at least eliminate the gaping holes. Recovering the key to one file should not let an intruder read all the information on the hard disk. Counterfeiting money is a very serious crime, after all: whoever owns the technology for printing money can destroy the national currency. A hacker who cracks a smart card learns the secrets of that particular device, not of all the other smart cards in the system. In multi-user systems, knowing one person's secrets should not open access to the information of others.

Many systems are installed by default with the security features switched off. If the protection system "gets stuck", the user simply switches it off and carries on with the job. Such behaviour makes denial-of-service attacks especially effective. If the on-line credit card authorisation system is down, the merchant has to make do with the much less reliable paper procedure.

Sometimes intruders can take advantage of backward compatibility between different versions of the software. As a rule, in each new version of a product the developers try to eliminate the gaps that existed in the old one. But the backward compatibility requirement allows the attacker to use the protocol of the old, unprotected version.

Some systems have no recovery mechanisms at all. If the protection is destroyed, it is impossible to return the program to a working state. The failure of an electronic commerce system used by millions of customers threatens to turn into a catastrophe. Therefore such systems should have the means to organise countermeasures against attackers and support updating the security system without stopping the program.

A well thought-out system itself knows how best to resist an attack and what must be done to repair the damage and quickly restore operation.


 Attacks on the encryption tools



Sometimes weak spots can be found directly in the encryption system. Some products are built on not very successful algorithms of the vendor's own design. As a rule, well-known encryption algorithms can be broken only in exceptional cases. If the developer bets on its own methods, the intruders' chances rise many times over. Not knowing the secret algorithm is no particular obstacle: a qualified expert needs only a couple of days to recover the original algorithm from the object code.

The reliability of the S/MIME 2 e-mail architecture cannot compensate for the weakness of its encryption algorithm. The already not very reliable protection of GSM loses even more from its weak encryption algorithm. Many systems use keys that are too short [10].

One could cite many other examples of errors in encryption systems: programs repeatedly generate "unique" random values, digital signature algorithms fail to provide control over the transmitted parameters, hash functions expose what they should protect. Changes not foreseen by the developers are made to encryption protocols. Users like to "optimise" the available tools, reducing them to such a primitive level that the whole protection system collapses like a house of cards.


 Prevention rather than detection



Encryption tools reduce the probability that users will become victims of deceit, fraud, incorrect actions, and so on. But the security architecture must not be limited to such a narrow framework.

A reliable system should independently detect unauthorised operations and eliminate the undesirable consequences of an attack. One of the main principles of designing such systems is the knowledge that sooner or later the adversary's attacks will succeed. Most likely the blow will come from the most unexpected direction, using methods unknown to the developers. It is very important to recognise such an attack in time and take all necessary measures to minimise the damage.

It is even more important to restore as quickly as possible the operation of a system damaged during an attack. It is necessary to generate new key pairs, replace the protocol, stop using the tools broken by the adversary, exclude from the system the nodes the intruder managed to gain access to, and so on. Unfortunately, many products do not collect the necessary information, do not monitor the situation, and cannot reliably protect data from modification.

The audit log should record all events that make it possible to establish the fact of an attack. When needed, it should yield incontestable evidence capable of convincing a judge and jury of the intruder's guilt.
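A log that is to serve as evidence has to resist the modification the previous paragraph complains about. The following Python example is added here and is not from the article; it is a constructed append-only log in which every entry carries an HMAC seal over the entry and the previous seal, so that editing, deleting or reordering an entry breaks the chain at a known position. It also shows the one thing a chain cannot detect on its own, truncation of its tail, and the check against a seal anchored off the host that catches it.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64


class AuditLog:
    """Append-only log chained by HMAC seals: each seal covers the entry and the previous
    seal, so edits, deletions and reordering break the chain."""

    def __init__(self, seal_key: bytes):
        self.seal_key = seal_key
        self.entries = []

    def _seal(self, seq: int, event: str, prev: str) -> str:
        body = json.dumps({"seq": seq, "event": event, "prev": prev}, sort_keys=True).encode()
        return hmac.new(self.seal_key, body, hashlib.sha256).hexdigest()

    def append(self, event: str) -> str:
        prev = self.entries[-1]["seal"] if self.entries else GENESIS
        seq = len(self.entries)
        seal = self._seal(seq, event, prev)
        self.entries.append({"seq": seq, "event": event, "prev": prev, "seal": seal})
        return seal

    def latest_seal(self) -> str:
        return self.entries[-1]["seal"] if self.entries else GENESIS

    def verify(self) -> int:
        """Index of the first entry that fails the chain, or -1 when the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i
            if not hmac.compare_digest(self._seal(i, e["event"], prev), e["seal"]):
                return i
            prev = e["seal"]
        return -1

    def truncated_since(self, anchored_seal: str) -> bool:
        """A chain cannot see its own tail being cut off. Compare against a seal that was
        copied off the host earlier (to another machine, a printout, a public record)."""
        if anchored_seal == GENESIS:
            return False
        return anchored_seal not in {e["seal"] for e in self.entries}


def build_sample_log(seal_key: bytes) -> AuditLog:
    """Constructed events, not from any real system."""
    log = AuditLog(seal_key)
    for event in ("login alice", "key rotated", "login bob", "config changed"):
        log.append(event)
    return log
```

The seal key is the limit of this design: an intruder who obtains it on the logging host can re-seal a rewritten chain. The key therefore belongs to a separate log server that receives the entries, or the latest seal is forwarded there regularly, which is also what makes the truncation check possible.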

Developers of security systems should follow the guidance of such authorities as the Prussian general Carl von Clausewitz, who asserted that good defences should repel any blow, even those not yet known today.

Attackers, on the other hand, need only find a single gap, and the whole protection system is eliminated. They resort to the most varied tricks. Intruders do not shy away from conspiracies, carefully disguise their illegal actions and are ready to wait a long time for the necessary tools to appear. In their arsenal there will always be an idea that lets them strike a blow the developers did not expect.

There is nothing easier than protecting information with a shaky, fragile barrier full of gaping holes. Building an impenetrable protection system is very hard. Unfortunately, many users do not see the difference. In other fields, analysing functionality makes it possible to distinguish quality products from hastily built systems without effort. The advantages of a good codec are plain to see; a bad one looks much weaker and does not support the functions available in its competitors.

In cryptography things are different. The fact that an encryption program works does not yet mean the protection is reliable. How are most products created? Developers read Applied Cryptography, choose the algorithm and protocol they like, test them, and the project is ready. In reality it is not so simple.

Functionality and high quality are not synonyms, and even endless testing does not eliminate all gaps in the protection system. It is necessary to understand the subtleties of terminology: even products with absolutely well-tested encryption tools often cannot guarantee users complete security.

Bruce Schneier, Cryptographic Design Vulnerabilities, IEEE Computer, September 1998, pp. 29-33. Reprinted with permission, Copyright IEEE CS. All rights reserved.



 About the author



Bruce Schneier is president of Counterpane Systems, a company providing consulting services on encryption and the construction of computer security systems. He is the author of the book Applied Cryptography (John Wiley and Sons, 1995) and the inventor of the Blowfish and Twofish encryption algorithms. You can subscribe to his free newsletter of the latest cryptography news on the Web server www.counterpane.com/.



 References



[1] P. Gutmann, "Software Generation of Random Numbers for Cryptographic Purposes", Proc. 1998 Usenix Security Symp., Usenix Assoc., Berkeley, Calif., 1998, pp. 243-257.
[2] J. Kelsey, B. Schneier, and D. Wagner, "Protocol Interactions and the Chosen Protocol Attack", Security Protocols, 5th Int'l Workshop, Springer-Verlag, New York, 1996, pp. 91-104.
[3] C. Hall et al., "Side-Channel Cryptanalysis of Product Ciphers", Proc. ESORICS 98, Springer-Verlag, New York, 1998.
[4] H. Abelson et al., "The Risks of Key Recovery, Key Escrow and Trusted Third-Party Encryption", World Wide Web J., No. 3, 1997, pp. 241-257.
[5] R. Anderson and M. Kuhn, "Tamper Resistance: A Cautionary Note", Proc. Second Usenix Workshop on Electronic Commerce, Usenix Assoc., Berkeley, Calif., 1996, pp. 1-11.
[6] J. McCormac, European Scrambling Systems, Baylin Publications, Boulder, Colo., 1997.
[7] P. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems", Proc. Crypto 96, Springer-Verlag, New York, 1996, pp. 104-113.
[8] R. Anderson, "Why Cryptosystems Fail", Comm. ACM, Nov. 1994, pp. 32-40.
[9] I. Winkler, Corporate Espionage, Prima Publishing, Placer County, Calif., 1997.
[10] M. Blaze et al., "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security", Oct. 1996.



 Global public key infrastructure



Andrew Csinger, Keng Siau

Until you join the global public key infrastructure (GPKI), you will not be considered a full member of the global electronic community.

Public and private keys

Public-key encryption algorithms use two kinds of keys, public and private. There is a certain mathematical relationship between them: a message encrypted with one key can be decrypted only with the other. Determining the value of one key from the other is extremely difficult (and sometimes simply impossible).

Public keys are often used for encryption. To send Jack a message that only Jack can read, Jill needs Jack's public key at hand. Having received the message, Jack can decrypt it with his private key. In turn, when Jack sends a message, he encrypts it with Jill's public key, and Jill decrypts the incoming information with her private key.

Thus public-key encryption guarantees confidentiality.

Digests

So that the recipient can be sure of the authenticity of a received message, the sender puts a digital signature on it. First the user obtains a unique fingerprint (digest) of the message by means of a mathematical hash function. Encrypting the digest with the private key produces the signature, which is sent together with the message. The recipient decrypts the message and recomputes the digest with the same hash function. Decrypting the signature with the sender's public key recovers the original digest. If the digests match, the recipient can be sure that the message was really sent by the person who signed it and was not altered on the way.

Thus public-key technology provides the integrity and authenticity of information. Moreover, the sender cannot later deny having sent the message.

Public key certificates

A public key certificate is a digital document that unambiguously identifies a user with a public key. Certificates are intended to certify the authenticity of digital documents and to guarantee that a message is delivered only to those to whom it is addressed. Like digital signatures, certificates serve as a kind of personal identifier.

Certificates are issued by certification authorities (CAs), which are something like clubs of interests. They decide independently who is accepted as a member and who is not. Such a service may also be a government organisation that issues certificates to users and at the same time tells the government how to interpret one certificate or another.

Communities of interest

A community of interest (COI) is something like a club. You are either a member of the club or you are not. Unlike states, communities of interest know no geopolitical borders; more precisely, they have no permanent borders at all.

For example, the readers of a magazine form a COI. If the magazine publishes material on the Internet only for a limited group of readers, that group is a COI too.

Soon after certificate technology appeared, it became clear how important the organisation of interaction between different CAs is. A community of interest decides whether to recognise certificates issued by a CA that belongs to another COI. Each COI interprets another's certificates as it sees fit. Certificates of other groups may be treated as equal to its own, or limited in their rights. A level of restriction is set for each COI and CA.

Unknown users

Even if a COI has never seen a particular user before, it can grant the required access on the basis of the certificate's signature. The community of interest tells the stranger, in effect: "I do not know you personally, but I know your CA well and I trust it. This level of trust lets me give you access to the necessary information."

What happens if the holder of a certificate issued by a CA unknown to the community of interest approaches the COI's borders? The COI has several options. It can simply forbid access and issue a stern warning: "Stop, restricted area! We have no information either about you or about the guy who signed this certificate."

But it can also act differently. In that case the COI's security service will try to identify the user. One way is to search the GPKI and determine how the given CA is related to a CA known to the COI. For example, if the unknown CA is part of a CA about which the community of interest has information, the COI has sufficient grounds to trust the presented certificate.

Another way is to reflect the hidden hierarchy of CAs by arranging the signatures on users' certificates in a certain order. On entering the COI's territory, the certificate signatures are checked one after another until the COI finds the signature of a CA it knows.
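The hash-then-sign scheme of the Digests section and the chain walk just described fit in one piece of code. The following Python example is added here and is not from the authors of this piece; it uses a constructed toy RSA (small Mersenne-prime moduli, no padding, digest reduced modulo n), which demonstrates the mechanics only and is not secure. A certificate is the issuer's signature over the subject's name and public key; verify_chain follows issuer links, checking each signature, until it reaches a CA whose key the community already trusts, and returns None when it cannot.

```python
import hashlib

# Distinct Mersenne primes per entity, so each keypair has its own modulus. Toy values.
TOY_PRIMES = {
    "Root CA": (2 ** 127 - 1, 2 ** 521 - 1),
    "Intermediate CA": (2 ** 89 - 1, 2 ** 107 - 1),
    "alice": (2 ** 31 - 1, 2 ** 61 - 1),
}
E = 65537


def make_keypair(p: int, q: int):
    """Returns (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """Fingerprint of the message, reduced into the signing group (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Hash, then apply the private operation to the digest."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


def cert_body(subject: str, pubkey, issuer: str) -> bytes:
    return f"{subject}|{pubkey[0]}|{pubkey[1]}|{issuer}".encode()


def issue(issuer: str, issuer_priv, subject: str, subject_pub) -> dict:
    """A certificate: the issuer's signature binds the subject's name to its public key."""
    sig = sign(issuer_priv, cert_body(subject, subject_pub, issuer))
    return {"subject": subject, "pubkey": subject_pub, "issuer": issuer, "sig": sig}


def verify_chain(leaf: dict, directory: dict, trusted: dict, max_depth: int = 8):
    """Follow issuer links, checking each signature, until one is signed by a CA in
    `trusted`. Returns that CA's name, or None if no trusted signature is reached."""
    cert = leaf
    for _ in range(max_depth):
        body = cert_body(cert["subject"], cert["pubkey"], cert["issuer"])
        if cert["issuer"] in trusted:
            return cert["issuer"] if verify(trusted[cert["issuer"]], body, cert["sig"]) else None
        issuer_cert = directory.get(cert["issuer"])
        if issuer_cert is None or not verify(issuer_cert["pubkey"], body, cert["sig"]):
            return None
        cert = issuer_cert
    return None


def build_demo():
    """Constructed hierarchy: Root CA signs Intermediate CA, which signs alice.
    Returns (keys, alice's certificate, directory of intermediate certs, trusted roots)."""
    keys = {name: make_keypair(*pq) for name, pq in TOY_PRIMES.items()}
    inter_cert = issue("Root CA", keys["Root CA"][1], "Intermediate CA", keys["Intermediate CA"][0])
    alice_cert = issue("Intermediate CA", keys["Intermediate CA"][1], "alice", keys["alice"][0])
    return keys, alice_cert, {"Intermediate CA": inter_cert}, {"Root CA": keys["Root CA"][0]}
```

Two details matter for the trust model: the walk stops at the first trusted key, so the community's decision is entirely in the `trusted` set it maintains, and max_depth bounds the walk so a cycle of certificates issued to each other cannot keep the verifier busy.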

Certificate status and other attributes

For some transactions it is not enough to compare the signature supplied by the CA. Before granting access to important data it is necessary to check the validity of the certificate directly during the transaction. Various mechanisms for determining certificate status have been introduced to solve this problem.

The oldest way is to maintain a certificate revocation list (CRL), which the CA keeps for all the digital documents it has issued. Certificates issued by the CA are considered valid until they appear on the CRL. This approach resembles the way credit card transactions were handled a few decades ago, and it has the same shortcomings.

A newer method (its standard is still being developed) is based on a network directory service that gives information on certificate status in real time through the online certificate status protocol (OCSP). In this case certificates issued by the CA are considered invalid until their status information has been retrieved from the directory maintained by the CA. One advantage of the OCSP model is that this information can be extended with other user attributes (for example, credit card numbers or home addresses).
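The difference between the two status models is a difference in defaults: a CRL treats a certificate as good until the list says otherwise, OCSP treats it as unknown until a fresh, signed answer arrives. The following Python example is added here and is not from the authors of this piece; it uses constructed serial numbers, timestamps and responses. It shows the CRL publication lag (a certificate revoked after the list was published still checks out as good), the freshness and signature checks an OCSP consumer must apply, and the policy decision for an "unknown" status, which is where the fail-open behaviour described earlier in this page creeps back in.

```python
from dataclasses import dataclass


@dataclass
class OcspResponse:
    serial: str
    status: str         # "good" or "revoked"
    produced_at: int    # constructed timestamp, seconds
    signature_ok: bool  # whether the CA's signature on the response verified


def status_by_crl(serial: str, published_crl: set) -> str:
    """CRL model: a certificate is good until it appears on the published list."""
    return "revoked" if serial in published_crl else "good"


def status_by_ocsp(serial: str, responses: list, now: int, max_age: int) -> str:
    """OCSP model: nothing is known until a fresh, correctly signed response is seen."""
    for r in responses:
        if r.serial == serial and r.signature_ok and 0 <= now - r.produced_at <= max_age:
            return r.status
    return "unknown"


def decide(status: str, fail_closed: bool) -> bool:
    """Access decision. fail_closed=False is the behaviour to avoid for important data:
    an unreachable or stale status service silently turns into 'allow'."""
    if status == "good":
        return True
    if status == "revoked":
        return False
    return not fail_closed


# Constructed data: serial 1002 was revoked after this CRL was published.
PUBLISHED_CRL = {"1001"}
RESPONSES = [
    OcspResponse("1002", "revoked", produced_at=1000, signature_ok=True),
    OcspResponse("1003", "good", produced_at=100, signature_ok=True),    # stale
    OcspResponse("1004", "good", produced_at=1000, signature_ok=False),  # unsigned
]
```

With now=1010 and max_age=300, the CRL reports 1002 as good while OCSP reports it revoked; the stale and unsigned responses both fall through to "unknown", and only the fail-closed policy turns "unknown" into a refusal.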


