13.07.2015 Views

An Operating Systems Vade Mecum


encryption method is publicly available. Now any program that wishes to authenticate a user may ask for a password, encrypt it, and compare the result to the value in the file. If the values match, the password is correct. In particular, the logon program, which greets the user at the beginning of the interactive computer session, can tell if the user knows the correct password. However, the huge number of possible passwords and the fact that no decryption method exists make it infeasible for an intruder to guess the password, because every conceivable password would have to be encrypted and compared with the file. This scheme assumes, of course, that people choose fairly long and fairly irregular passwords. Some installations of Unix refuse to allow a password that is too short or too closely related to an English word. VMS can be set to insist that specific users change their password every so often.

Most applications of encryption, however, require that the ciphertext be convertible back into cleartext. Unfortunately, all current encryption methods have problems.

The "one-time pad" is the only provably secure method known at this time. It derives the ciphertext by a byte-wise exclusive-or operation between the cleartext and a "key" whose length must be at least as long as the message. The decryption method uses the same key and the same algorithm. The key must never be used again, or it becomes easier and easier to guess. Since both the originator and the recipient of the ciphertext must agree on the key, it must be transmitted as well, a procedure that is just as difficult as the original problem of secure transmission. Computer-generated pseudo-random numbers create keys that are too easy to guess, by the way.

A currently popular encryption method is the Data Encryption Standard (DES). The DES method was developed by the National Bureau of Standards with several goals in mind. Many commercial applications are currently using DES. The algorithm (either encryption or decryption) can be performed efficiently with a special-purpose chip, but far less efficiently with a program. Since the key is 56 bits long, there is plenty of room for picking unique keys. Unfortunately, some keys turn out to be weak; if a weak key is used to encrypt, the ciphertext can be analyzed quite easily to discover the cleartext. It is not certain how many keys are weak or "semi-weak." There is some suspicion that 56 bits is insufficient to prevent a successful attack that uses massive amounts of computer time. It is possible that a longer key (perhaps 100 bits) would be sufficient.

The one-time pad and DES are considered "conventional"; they share the property that the same key is used for encryption and decryption. A non-conventional approach called "public-key cryptography" uses different keys for the two transformations. One public-key method, called RSA after its inventors (Rivest, Shamir, and Adleman), has resisted attacks so far, although it has not been proved to be computationally secure.

The RSA method itself is too complex to discuss here. The general properties of public-key methods are elegant, however, so we will outline them. Every user U has a pair of keys, one for encryption, E_U, and one for decryption, D_U. It is impossible to guess E_U from D_U or vice versa. Ciphertext encrypted with E_U is decrypted by D_U. Everyone's E key is considered public; it is saved in a public place where anyone may access it. Let's say A and B are two parties (programs, computers, or people) that want to send secure messages to each other. A encrypts messages for B using B's public key E_B. B can decrypt them using its private key D_B, but no one else can decrypt them because no one else knows D_B. Similarly, B encrypts messages for A using A's public key E_A. These messages are secret. However, B cannot be sure that A has sent the messages because anyone could have used E_B, B's public key.
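The one-time pad described earlier on this page, as an added Python example that is not from the original text: it shows the byte-wise exclusive-or, the key-length requirement, and why a key "must never be used again". The names `otp`, `Pad` and `reuse_leak`, the sample messages, and the use of the operating system's random source as a stand-in for a truly random pad are assumptions made for illustration.

```python
import secrets


def otp(data: bytes, key: bytes) -> bytes:
    """Byte-wise exclusive-or; the same call encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


class Pad:
    """Hypothetical helper that hands out each key byte at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = 0

    def take(self, n: int) -> bytes:
        if self._used + n > len(self._key):
            raise ValueError("pad exhausted: refusing to reuse key bytes")
        chunk = self._key[self._used:self._used + n]
        self._used += n
        return chunk


def reuse_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """When c1 and c2 share a key, the key cancels: c1 ^ c2 == p1 ^ p2.
    Knowing one cleartext then yields the other without the key."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


# Constructed sample messages (not from the page), both 22 bytes long.
P1 = b"MEET AT DOCK 7 AT NOON"
P2 = b"SEND 40 CRATES BY RAIL"


def demo():
    key = secrets.token_bytes(len(P1))   # assumption: OS randomness as the pad
    c1 = otp(P1, key)
    roundtrip = otp(c1, key)             # decryption: same key, same algorithm
    c2_reused = otp(P2, key)             # the mistake: second message, same key
    recovered = reuse_leak(c1, c2_reused, P1)
    return roundtrip, recovered


if __name__ == "__main__":
    print(demo())
```

Drawing key bytes through `Pad.take` instead of passing the same `key` twice turns the reuse shown in `demo` into an error once the pad is used up.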
