Cryptography Reference
20.2 SECRET KEY CRYPTOSYSTEMS
Secret key cryptosystems are the cryptographic systems one usually thinks of
first when one talks about cryptography. This is particularly true for symmetric
encryption systems. These systems have been in use for ages to protect the secrecy
of messages. In Part III of the book, we had a closer look at symmetric encryption
systems, MACs, PRBGs, and PRFs.
Symmetric encryption systems have a long and thrilling history. The level
of security they provide varies considerably. As was shown by Shannon in
the late 1940s, a symmetric encryption system can only be unconditionally
secure and provide perfect secrecy if the key is at least as long as the plaintext
message (see Theorem 10.1). The one-time pad is an example of an
unconditionally secure symmetric encryption system. Unfortunately, the key length
requirement of an unconditionally secure symmetric encryption system restricts
its practicality and usefulness considerably. There are, however, a couple of
modifications of the basic Shannon model that can be used to provide
unconditionally secure symmetric encryption that is efficient (these modifications
are only briefly touched on in Section 10.4). But for all practical purposes,
the symmetric encryption systems in use today are “only” conditionally
secure. As such, they can be broken theoretically by mounting an exhaustive
key search. Consequently, it is important to make the key space so large that
an exhaustive key search is not feasible. This is certainly the case if the key
has a size of 100 bits or more (in this case, the key space is 2^100). Examples
of conditionally secure symmetric encryption systems are the DES and the
AES (see Section 10.2). There are several modes of operation in which these
systems (and others) can be operated.
Contrary to symmetric encryption systems, MACs can be used to protect the
authenticity and integrity of messages. As compared to digital signatures,
MACs can usually be generated and verified more efficiently. On the negative
side, however, MACs cannot be used to provide nonrepudiation services
(this is because both the sender and the recipient hold a secret key that is
needed to generate the MAC).[1] There are constructions for computationally
secure or information-theoretically secure MACs. For all practical purposes,
computationally secure MACs are the preferred choice. More specifically, the
HMAC construction is employed in almost every Internet security protocol in
use today, whereas the UMAC construction is a possible successor that is very
efficient.
[1] Note, however, that it is sometimes required that nonrepudiation services cannot be provided.
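The MAC properties described above, shown as an added example that is not part of the original text: an HMAC-SHA256 tag detects modification and a wrong key, but because sender and recipient share the key, the recipient can produce a valid tag for a message the sender never wrote. The messages, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    # Constructed sample data: one key held by both sender and recipient.
    shared_key = secrets.token_bytes(32)
    sent = b"transfer 100 EUR to account 42"
    tag_from_sender = make_tag(shared_key, sent)

    # Integrity and authenticity: a modified message or a tag checked
    # under a different key must be rejected.
    altered = b"transfer 900 EUR to account 42"
    wrong_key = secrets.token_bytes(32)

    # No nonrepudiation: the recipient holds the same key, so a tag the
    # recipient computes is exactly what the sender would have produced.
    # A third party given key, message and tag cannot tell who made it.
    never_sent = b"transfer 100 EUR to account 77"
    tag_from_recipient = make_tag(shared_key, never_sent)

    return {
        "genuine_accepted": verify_tag(shared_key, sent, tag_from_sender),
        "altered_rejected": not verify_tag(shared_key, altered, tag_from_sender),
        "wrong_key_rejected": not verify_tag(wrong_key, sent, tag_from_sender),
        "recipient_tag_verifies": verify_tag(shared_key, never_sent, tag_from_recipient),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```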