
Cryptography systems: Putting theory into practice


Information Security Technical Report, Vol. 2, No. 4 (1998) 66-72


Author: Eur. Ing. Charles Brookson BSc CEng MIEE

Introduction

I have been involved in commercial cryptography since the 1980s, as an engineer building systems. This paper describes some of the systems that I have been involved with, together with the difficulties and challenges of designing and building systems for practical use.

The weaknesses of cryptographic systems have been well documented in the past, such as the use of the key setting sequences in the German Enigma machines, and some of these weaknesses are still being perpetuated today.

Satellite Encryption

One of the first systems I was involved in was the encryption of 2 MBps satellite signals, designed for uses such as high speed links to remote locations. The system was to become a European specification, and of course customers using the systems, such as large corporate companies, wanted assurance that only they and not their competitors could receive their sensitive information. The system is fully described elsewhere [1], and consisted of a standard G.732 32 channel 2 MBps data frame. These frames have 30 channels of data, and the first and 16th channels are used for the frame unique word and signalling bits respectively.

The satellite encryption system doubled up the frames, so that only the first frame unique word (used as a sequence to identify the start of each frame of data) was required; the second was used for cryptographic synchronization using a transmitted Initialization Value (IV). Sixty-four of the double frames made up the complete IV. Other remaining bits were used for key management, by sending a key number. Each encryption unit had a sequence of keys programmed using a key fill gun, the keys themselves being randomly generated using a noisy diode circuit that produced reasonably random numbers! The cryptographic algorithm used was one that was specially developed, called the Telecommunications Administration Cryptographic Algorithm (TACA), which was a cipher of similar properties to DES.

The practical design features of the system proved interesting:

The design meant that there was no increase in bandwidth on the satellite signal, an important characteristic for radio where it is a precious resource.

Key management could be performed by the user, so that no third party need be involved.

Keys were not sent; only the key in use was indicated by the key indicator.

In addition, the interesting question of error characteristics was investigated. These could be either burst (a sequence of errors) or random (errors occurring in an unconnected way). In this case the error correction was required to protect against the error characteristic of the radio channel, but it led to experiments on combining error correction and encryption techniques.

0167-4048/98/$19.00 © 1998, Elsevier Science Ltd.


The Experimental Years

After the design of the satellite system, which did not see much commercial use, further experimental systems were developed. Some experimental work was undertaken on high speed encryption [2] devices, but of more interest was the published work on public keys.

A handheld device using Diffie-Hellman key exchange was built. This was used for key derivation for video conferencing. The idea was that although it offered no authentication, this was implicit as you saw the other parties to the communication on the video link. Of course, the complete link, not just the audio channel, needed protection, as it is possible to lip read. I would not be so confident about such a system these days with the ability to manipulate video images in a more convincing way.

An RSA device was realized for 512 bit calculations using discrete semiconductor logic array components. This was capable of surprisingly fast calculations, although bulky in a 19 inch rack. It was used to develop a subsequent range of equipment that used public key for authentication and key management, and a symmetric cipher such as DES for the subsequent high speed transmissions. The original equipment was used for key generation until newer devices capable of faster mathematics (such as Digital Signal Processors) became available.

At the same time, it was realized that the practical implementation of security devices in the real world required the development of supporting techniques, such as electrical and mechanical interfaces, key management and cryptographic algorithms. The first product was a practical realization of a physical security standard for cryptographic communications equipment which was published by the Institute of Electrical and Radio Engineers, which included such measures as tamper indicating devices for the protection of sensitive keys and programmes, physical locks, and key fill devices and interfaces.

A commercial encryptor was made for the viewdata service that used simple encryption of letters. It was quickly realized that not all channels were transparent to all characters, which meant that certain characters had to be avoided.

The public key ideas were taken further, and used to produce devices that subsequently became the basis of X.509 certification systems. These ideas were presented at a standards meeting on Message Handling Systems in Ottawa, and a public key scheme was adopted against a competing private key scheme, when it was realized to have advantages, not from the point of view of provable security, but rather in showing the concept of various levels of trust through Certification Authorities. The concept has been much developed to mitigate some of the attacks, such as replay.

Financial Systems

It was quickly realized in the course of the building of various experimental concept devices above, that although the cryptographic machines were important, customers were interested in buying applications that were useful! A start had been made on the satellite system, but what was needed was a series of building blocks that would enable tailor made solutions to be put together. These were put together as a series of products described later, but first a start was made on a solution for a financial customer.

It was decided that this was to use RSA public key, certificates and DES encryption, as it was a financial system. The final product, produced in the mid 1980s, was a 512 bit RSA system. It had items of the circuit potted and protected for physical security, and used a plastic key containing a memory chip to hold the certification authority signed public key and the secret key of the user (not all of the key was stored: it had to be exclusive-ORed with a Personal Identity Number (PIN) to be completed). These devices were used for some time to secure dial up links on a financial system.

Telecommunications Developments

The success of the financial system led to a whole family of products being developed to cover the possibilities of any systems that might be put together for customers. This consisted of a development of the earlier financial encryptor for dial up access, a fax encryptor, a high speed encryptor and a PC encryption card. All these products were developed by the late 1980s, and were ahead of their time in many respects.

Dial up encryptors

These were developments of the financial system, and were used to secure links to sensitive computer systems. PIN pads were used to input parts of the keys on the front panels of some units, and additional tamper indicating functions added. At this time a new encryption chip was developed to overcome the limitations of not being able to use DES, except for financial purposes, outside the United States of America.

High speed

A terrestrial high speed encryptor was manufactured in both 64 KBps and 2 MBps versions. This used a variety of interfaces, but was unique in that it used a method of synchronization that used the cipher stream itself. A sequence was selected that would appear at a certain statistical interval within the ciphertext, which was assumed to be random. The previous 64 bits were then taken to be the IV for the algorithm, and used for synchronization. This method of synchronization proved successful in operation, and ensured that there was no extra channel required for the IV.
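The resynchronization scheme just described, worked through as an added example; this is not the encryptor's own design or code. The marker value, the function names and the byte-granularity scan (the equipment worked on the bit stream) are assumptions made for the example, as is the counter-pattern stand-in for ciphertext.

```python
"""Resynchronisation from the cipher stream itself.

Added example, not the encryptor's own design or code.  The receiver watches
the ciphertext for a chosen marker; when it appears, the 64 bits preceding it
become the IV.  Because both ends see the same ciphertext, both derive the
same IV and no separate IV channel is needed.  MARKER, the function names and
the byte-granularity scan are assumptions made for this example.
"""
from typing import List, Optional, Tuple

MARKER = bytes.fromhex("9ab7")  # constructed 16-bit marker, not the device's value
IV_LEN = 8                      # 64 bits, as in the paper


def expected_interval_bits(marker: bytes) -> int:
    """Average distance between marker occurrences in random-looking ciphertext.

    An n-bit pattern matches a random stream at roughly one position in 2**n,
    which is the 'statistical interval' at which resynchronisation happens."""
    return 2 ** (8 * len(marker))


def find_sync_points(ciphertext: bytes, marker: bytes = MARKER,
                     iv_len: int = IV_LEN) -> List[Tuple[int, bytes]]:
    """Return (offset, iv) for every marker occurrence preceded by a full IV.

    The real equipment scanned the bit stream; scanning whole bytes keeps
    the example short without changing the idea."""
    points = []
    start = iv_len                    # need iv_len bytes before the marker
    while True:
        pos = ciphertext.find(marker, start)
        if pos < 0:
            break
        points.append((pos, ciphertext[pos - iv_len:pos]))
        start = pos + 1               # allow overlapping occurrences
    return points


def current_iv(ciphertext: bytes) -> Optional[bytes]:
    """IV a receiver holds after consuming the stream: from the latest marker."""
    points = find_sync_points(ciphertext)
    return points[-1][1] if points else None


def ends_agree(sent: bytes, received: bytes) -> bool:
    """True when transmitter and receiver derive the same IV from their view
    of the stream.  A channel error inside the 64 bits before a marker makes
    this False, which is why error characteristics mattered in the design."""
    return current_iv(sent) is not None and current_iv(sent) == current_iv(received)


# Constructed ciphertext stand-in: a counter pattern (which cannot contain
# MARKER by accident) with the marker spliced in at byte offset 100.
FILLER = bytes(range(256))
CONSTRUCTED_STREAM = FILLER[:100] + MARKER + FILLER[100:]


def corrupted_copy(stream: bytes, byte_index: int) -> bytes:
    """Flip one bit, standing in for a single channel error."""
    buf = bytearray(stream)
    buf[byte_index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print("expected resync interval (bits):", expected_interval_bits(MARKER))
    for offset, iv in find_sync_points(CONSTRUCTED_STREAM):
        print(f"marker at byte {offset}, IV = {iv.hex()}")
    print("clean link agrees:", ends_agree(CONSTRUCTED_STREAM, CONSTRUCTED_STREAM))
    print("error in IV region agrees:",
          ends_agree(CONSTRUCTED_STREAM, corrupted_copy(CONSTRUCTED_STREAM, 95)))
```

A marker that occurs by chance is harmless, since transmitter and receiver both act on the same ciphertext and resynchronize together; the failure mode is a channel error that alters the marker or the 64 bits before it at one end only, which is the link between this scheme and the burst versus random error question discussed for the satellite system.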

Fax

Certain fax machines were found to have an internal serial port that could be broken out of the machine. This was used to connect to a modified dial up encryptor, so that a secure fax machine could be created.

PC encryption

A further development was an encryption card that worked on a standard ISA personal computer bus. This plug-in card was used to encrypt any disk by intercepting commands to the operating system. This could be both the hard and floppy disks. The key was provided by a plug in card containing a memory chip. Subsequent versions also included a specially developed public key chip, which was also used for secure electronic mail using the certification authority methods previously described.

Mobile radio

I then went on to get involved in the development of the new series of digital mobile phones within Europe, as a participant in the Digital European Cordless Telephone (DECT) and the UK Cordless telephone specification (CT2) work, and as Chairman of one of the groups.


Digital mobiles in the GSM family, commonly given the names GSM (900 MHz), PCN (1800 MHz) and PCS (1900 MHz), use cryptography to offer increased security:

Anonymity. So that it is not easy to identify the user of the system.

Authentication. So the operator knows who is using the system for billing purposes.

Signalling Protection. So that sensitive information on the Signalling channel, such as telephone numbers, is protected over the radio path.

User Data Protection. So that user data passing over the radio path is protected.

The GSM standard has, since its introduction in the early 1990s, proved to be remarkably resilient to technical fraud. This was also the first time that a practical non-financial cryptographic system had been developed on a worldwide scale, with authentication to protect the network operator and encryption to provide the customer with privacy over the radio interface.

Security Techniques

Analogue mobile phone systems were subject to being eavesdropped, and over the past few years the incidence of cloning of mobiles has increased. Many of these analogue problems can be overcome by using fraud engines (systems that monitor network usage to determine abuse), and some systems have used cryptographic protection (such as the Nordic Mobile Telephone System, NMT, which uses a system that drew upon the GSM standard, and also the authentication specification that was retrospectively designed into the UK analogue mobile system), but it is often easier to design the technical measures in from the start. Existing cellular systems have a number of potential weaknesses that were considered in the security requirements for GSM.

The design requirements were simple:

The system was to be “as secure as the public switched telephone network”. This implied that only the radio interface was of concern.

There should be no time delay in the cryptographic processing: the authentication was reduced to a few milliseconds delay, the data and signalling with no delay.

There should be minimal additional complexity in the mobile due to security: the mobile algorithms can be implemented in about 3000 transistors.

A cloning attack is where a fraudulent user hijacks the legitimate identity of a user and uses it on a network, the billing being charged to the real owner of the phone. The identity may be gained from listening to the signal over the radio, or by obtaining lists of the information. A solution for authentication of analogue mobile phones exists in the technical specifications, but the problem of introducing it within the population of mobiles, where not all support the feature, has been very difficult.

The GSM system consists of a smartcard Subscriber Identity Module (SIM), which contains all the subscriber details, the identity of the user and the secret information to verify the user. This card can be placed into any mobile, which is identified by a serial number, the International Mobile station Equipment Identity (IMEI).


Anonymity

Anonymity is provided by using temporary identifiers, the Temporary Mobile Subscriber Identity (TMSI). When a user first switches on his radio set, the real identity is used, and a temporary identifier is then issued. From then on the temporary identifier is used. Only by tracking the user is it possible to determine the temporary identity being used.

Authentication

Authentication is used to identify the user (or holder of a SIM Smartcard) to the network operator. It uses a technique that can be described as a ‘Challenge and Response’, based on encryption. The smartcard is issued by the network operator, and therefore may be made as physically secure as the network operator wishes. The card may also, of course, be reissued should the security become compromised, but this is a very expensive solution. The main reason for introducing the smartcard was because it gave the operator the ability to own, improve and change the security sensitive features of the system. For example, the authentication key can be changed securely if it is compromised in the network or card, and the operator is not reliant on the manufacturer of the mobile phone for the security of the algorithm or keys.

Authentication is performed by a challenge and response mechanism. A random challenge is issued to the mobile, the mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile, the Individual Subscriber Authentication Key (Ki), and sends a response back. The operator can check that, given the key of the mobile, the response to the challenge is correct.

Eavesdropping the radio channel reveals no useful information, as the next time a new random challenge will be used. Authentication can be provided using this process. A random number is generated by the network and sent to the mobile. The mobile uses the random number R as the input to the encryption, and, using a secret key unique to the mobile, Ki, transforms this into a response, the Signed RESponse (SRES), which is sent back to the network.

The network can check that the mobile really has the secret key by performing the same SRES process and comparing the responses with what it receives from the mobile.

User data and signalling protection

The response is then passed through an algorithm A8 by both the mobile and the network to derive the Ciphering Key (Kc) used for encrypting the signalling and messages to provide privacy (A5 series algorithms).

Other security issues

Networks such as GSM, with international roaming and interactions with other operators, offer other opportunities for exploitation. GSM has been designed to offer various technical solutions to prevent misuse, such as strong authentication, together with anonymity and encryption of the Signalling and data over the radio. However, all systems are dependent on secure management and procedures, and lapses in these areas will have a severe impact on the resilience of the business process to fraud.

SIM card

There is always the possibility that the SIM card can be compromised. This is considered unlikely, especially as some operators use their own version of A3. Keys Ki and the matching International Mobile Subscriber Identity (IMSI) could be compromised by someone selling the information held in the Authentication Centre on the network, or by the SIM manufacturer.

In the United Kingdom smartcard software for breaking satellite television has become very common. This is available in various forms:

• Devices to reprogram existing cards (because they are activated over the over-the-air satellite channel).

• Devices to emulate smartcards.

• Dummy smartcards using single or multiple microprocessors.

The GSM specifications are open standards, and can be easily obtained (GSM Recommendation 03.20).

Most operators use their own versions of A3/8, therefore knowledge of the algorithm A3 and the key Ki are necessary.

If these are compromised, then a smartcard can be ‘cloned’. However, it is necessary to obtain the information: Ki is best obtained by bribery and corruption! Of course, getting the information from a properly designed smartcard should only be by physical attack, although yet again this might be easy if the microprocessor hardware protection or software proves to be vulnerable. The GSM/PCN system has been designed so that there are no master keys, and so compromise of one card will not weaken the system. Similarly, compromise of one operator will not compromise another, as in the roaming description below.

Roaming

International roaming problems are minimized by the use of two procedures:

Rapid exchange of billing information by means of Electronic Data Interchange.

Notification of the home network of the visitor when the visitor has exceeded a certain billing limit.

The security problems are minimized as the subscriber key (Ki) and the algorithms are not shared between networks. The sequence works like this:

The roaming mobile sends out its IMSI to the visited network.

The visited network recognizes the home network from the IMSI of the mobile.

The visited network signals back to the home network the identity of the mobile.

The home network sends the visited network sets of challenges, responses etc. as well as other data about the mobile.

The visited network may now identify the mobiles by using one of the sets of challenges and responses.
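The challenge and response described under Authentication, the derivation of Kc, and the roaming sequence above, worked through as one added example. This is not GSM 03.20 or any operator's code: A3 and A8 are operator-chosen in GSM, so both are modelled here with HMAC-SHA256 truncated to the GSM sizes (32-bit SRES, 64-bit Kc), with A8 taking the same Ki and RAND as A3 as the specification does. The class names, the IMSI string and every key value are constructed for the example.

```python
"""GSM-style challenge and response, Kc derivation and roaming triplets.

Added example, not GSM 03.20 or any operator's code.  In GSM the A3 and A8
algorithms are chosen by each operator; here both are modelled with
HMAC-SHA256 truncated to the GSM sizes (SRES 32 bits, Kc 64 bits), and A8
takes the same Ki and RAND as A3, as the GSM specification does.  The class
names and every key value below are constructed for this example.
"""
import hashlib
import hmac
import os


def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication algorithm stand-in: 32-bit SRES from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Key-generation algorithm stand-in: 64-bit Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class SIM:
    """The subscriber's smartcard.  Ki never leaves it; only SRES and Kc do."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


class AuthenticationCentre:
    """Home network's AuC: the only place other than the SIM that holds Ki."""

    def __init__(self, subscribers):
        self._ki_by_imsi = dict(subscribers)

    def triplets(self, imsi: str, count: int = 5):
        """Sets of (RAND, SRES, Kc) handed to a visited network, so it can
        authenticate a roamer without ever learning Ki or the home A3/A8."""
        ki = self._ki_by_imsi[imsi]
        out = []
        for _ in range(count):
            rand = os.urandom(16)            # fresh 128-bit challenge each time
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out


class VisitedNetwork:
    """Serving network for a roamer.  Holds triplets, never Ki."""

    def __init__(self, home: AuthenticationCentre):
        self._home = home
        self._triplets = {}

    def authenticate(self, sim: SIM):
        """Challenge the mobile with the next unused RAND and check SRES.

        Returns (accepted, kc_network, kc_mobile); kc_mobile is returned only
        so the caller can confirm both sides derived the same cipher key."""
        if not self._triplets.get(sim.imsi):
            self._triplets[sim.imsi] = self._home.triplets(sim.imsi)
        rand, sres_expected, kc_network = self._triplets[sim.imsi].pop(0)
        sres_mobile, kc_mobile = sim.respond(rand)   # RAND and SRES cross the radio path
        accepted = hmac.compare_digest(sres_mobile, sres_expected)
        return accepted, (kc_network if accepted else None), kc_mobile


# Constructed subscriber data
IMSI = "imsi-constructed-001"
KI_GENUINE = bytes.fromhex("00112233445566778899aabbccddeeff")
KI_WRONG = bytes(16)   # a card carrying the IMSI but not the real Ki


def roaming_scenario():
    """Genuine SIM roams and is accepted; a card without Ki is rejected."""
    auc = AuthenticationCentre({IMSI: KI_GENUINE})
    visited = VisitedNetwork(auc)
    ok_genuine, kc_net, kc_mob = visited.authenticate(SIM(IMSI, KI_GENUINE))
    ok_clone, _, _ = visited.authenticate(SIM(IMSI, KI_WRONG))
    return {
        "genuine_accepted": ok_genuine,
        "kc_matches": kc_net == kc_mob,
        "clone_accepted": ok_clone,
    }


if __name__ == "__main__":
    print(roaming_scenario())
```

Two properties of the paper's description are visible in the code: the visited network authenticates and obtains Kc from the triplets alone, so neither Ki nor the home operator's A3/A8 is shared between networks, and each triplet is consumed once, so a RAND and SRES observed on the radio path are of no use for the next authentication.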

Conclusions

During the course of this paper I have described some of the practical problems of realizing encryption systems. The engineering problems range from synchronization methods, to error characteristics and physical security of the equipment. This should give you an insight that strong algorithms are by no means the answer to a strong cryptographic system.


By far the most important consideration is to ensure that the security and key management are analogous with the social order and organizational structure that uses the system, and that for a commercial system it is not cost effective to break the security. In some cases, this is extremely difficult, such as a satellite broadcast system where everyone must end up with the same key!

Acknowledgements

I should like to thank many former colleagues and friends, who in many cases played a leading role in the developments of the above ideas and systems, and whose convivial company led to many an interesting and stimulating discussion. I have made all efforts to get this article factually correct, but if there are errors then they are all mine.

References

[1] ECS/C 2120, 19 March 1982, Multiservices System Specification.

[2] S.C. Serpell, C.B. Brookson and B.L. Clark, ‘A Prototype Encryption System Using Public Key’, Advances in Cryptology: Proceedings of Crypto 84, Lecture Notes in Computer Science, no. 196, G.R. Blakley and D. Chaum (editors), Springer-Verlag, Berlin, August 1984, pp. 3-9.

[3] C. Brookson (GSM MoU Security Rapporteur, British Telecommunications plc, London, UK), ‘GSM security: a description of the reasons for security and the techniques’, IEE Colloquium on ‘Security and Cryptography Applications to Radio Systems’ (Digest No. 1994/141), 1994, pp. 2/1-4.
