Overview of Cryptographic Services

This is a brief introductory description of cryptographic services for those readers who are unfamiliar with the subject. For a more detailed treatise on the subject, several excellent references are available *.

Cryptographic services provide a set of functions for encoding and decoding information so that the information may be stored or exchanged securely. Cryptographic functions provide a basis for implementing the following security services:

• Confidentiality of information, preventing unauthorised disclosure
• Integrity of information, detecting unauthorised modification
• Origin authentication, providing verification of the origin of information.

Examples of the basic models of the application of cryptographic services are functions for the encipherment and decipherment of data, and the generation of Hash Values or Digital Signatures on sets of data. In addition functions to support key management and distribution are important.

Encipher and Decipher Functions

The basic concept underlying cryptography is the enciphering of data. Encipher functions encode a set of data, termed cleartext or plaintext, into a protected format termed ciphertext using a reversible mechanism. The ciphertext may be stored or exchanged with a reduced risk of unauthorised disclosure of the data. A corresponding decipher function can be used to decode ciphertext back into its corresponding cleartext form. Thus:

Encipher and Decipher Functions

The encoding is controlled by the algorithm used and a secret value termed a key. The protection afforded to the ciphertext depends upon the strength (but not the secrecy) of the algorithm and the protection of the key used to control the algorithm. Encipherment functions preserve all the original data represented by the cleartext. This type of function is the basis of the provision of information confidentiality services.

Symmetric-Key and Asymmetric-Key Encipherment

There are two classes of encipherment algorithm:

Symmetric-Key Algorithms - (Secret-Key Algorithms)

are algorithms in which the encipher key and the decipher key are identical. To be used for the exchange of enciphered data then a single key value must be shared between the originator and the recipient and protected by both parties. For this reason these types of algorithm are also termed Secret-Key algorithms.

Asymmetric-Key Algorithms - (Public-Key Algorithms)

are algorithms in which the encipher key and decipher key are different. The encipher and decipher keys are generated as a pair by a single operation. Data enciphered by using one key of the pair may be deciphered using the other key of the pair. To be used for the exchange of enciphered data then each party to the exchange makes one of their own pair of keys public, the public-key, and keeps the other key private, the private-key. The originator of an exchange enciphers the data using the public-key of the recipient. The recipient is then able to decipher the received data using his own private-key.

Hash (Unprotected Checksum) Functions

Hash functions encode a set of data that may be of variable length using a one-way function to create a unique fixed length hash value or message digest of the set of data. The hash value is unprotected in the sense that it does not depend upon any secret value component and any individual with the same input data and same algorithm can generate the hash value.

Generate Hash value

A hash function does not preserve the original data represented by the cleartext and therefore the original cleartext cannot be recovered from a hash value. The value of these types of function are that the hash value is unique to a particular input cleartext and can therefore be used to check that the corresponding cleartext has not been modified.

A hash function is the basis of the provision of information integrity services. The hash value generated by the originator of the information is stored or exchanged with the cleartext. The recipient is able to regenerate the hash value from the received cleartext and verify that cleartext is unmodified by comparing the newly generated hash value with that received with the information.

Digital Signature (Protected Checksum) Functions

An asymmetric encipher function and a hash function may be used in combination to provide a digital signature service. The Digital Signature is protected in the sense that its value depends upon the originator’s private key and it can therefore only be gneerated by an individual possessing that key.

First a hash value is produced by the hash function. This is then is enciphered using the asymmetric encipher function using the originator’s private key.

Generate Digital Signature

The recipient may verify the digital signature by comparing the values obtained by recomputing the hash value of the received cleartext and comparing this with the value obtained by deciphering the digital signature using the originator’s public key.

Verify Digital Signature

Key Management Functions

In order to exchange cryptographically protected information then the parties exchanging the information require to have access to the appropriate keys. This means that cryptographic keys, or information permitting their derivation, also have to be exchanged.

The strength of the protection of data using cryptographic services depends critically upon the protection of the key values used to control the algorithms. Functions to securely create and support the secure distribution of cryptographic keys are therefore an essential part of any cryptographic service. Keys may be generated or derived. A key generation function will generate a key based on random information. A key derivation function will derive a key based upon some caller defined input string, such as a pass phrase.

To distribute keys securely they are normally protected by enciphering under a Key Exchange Key, or Key Encrypting Key. Note that the individual parties exchanging keys need to have previously distributed by some other method the Key Exchange key.

The strength of the protection of data using cryptographic services depends critically upon the protection of the key values used to control the algorithms. Functions to securely create and support the secure distribution of cryptographic keys are therefore an essential part of any cryptographic service.

Keys may be generated or derived. A key generation function will generate a key based on random information. A key derivation function will derive a key based upon some caller defined input string, such as a pass phrase.

To distribute keys securely they are normally protected by enciphering under a Key Exchange Key, or Key Encrypting Key. Note that the individual parties exchanging keys need to have previously distributed by some other method the Key Exchange key.

References:
* Applied Cryptography, Bruce Schneier, John Wiley & Sons, 1996

NAVIGATOR

| Home Page | Contents | FAQ | Search | Help Desk | MEMBERS ONLY | News | Events | Requirements | Technical Programme | Publications | Testing | Branding | Branded Products | Membership Information |

Wherever possible we have identified contact points for further information. If you can't find the information you need, please contact X/Open at any of of the following locations:

Copyright X/Open Company Limited, © 1996