
The Data Encryption Standard algorithm can be used in either of these
modes. Messages should be synchronized separately when the CFB mode
is used. An initializing vector must be transmitted as a preamble
of each message in this mode. ECB mode requires no initialization.

The classical bit-stream additive approach to encipherment has disadvantages making it unattractive for network usage. These problems stem from its inherent need for synchronization of the two random number generators, a problem that has been recognized and overcome for point-to-point operation, but which magnifies considerably in a network environment which may require re-ordering of messages due to priority needs, sophisticated line disciplines such as Go-Back-N, etc.

Since synchronization problems are the basis of these difficulties, it is desirable to look for schemes which are inherently self-synchronizing. One such technique is to utilize the transmitted cipher text for synchronization since it is available at both the sending and receiving ends. Such schemes are well known and have been described in a number of papers in the open literature.** Each author describes a variation of the same basic theme as shown in Figure 4-3. Connection of a pair of such devices is shown in Figure 4-4, which indicates the operation of the cipher text feedback into the shift registers. When each register has the same content (the "random" sequence, XRPQ, in this example), and has the same function, they will both generate the same sequence of pseudo-random bits for enciphering/deciphering. Since the register content is available to any eavesdropper (e.g., it is the cipher text itself), the secrecy must reside in the function, which is our key in this case.

The exclusive-OR operation is self-inverting since b ⊕ b = 0 for b = 0, 1.

** Savage, J. E., "Some Simple Self-Synchronizing Data Scramblers," Bell System Tech. Jo., Feb. 1967, pp 449-487.

Torrieri, D. J., "Word Error Rates in Cryptographic Ensembles," NRL Report 7616, Oct. 1973.

Golomb, S. W., "Shift Register Sequences," Holden-Day, Inc., 1967.

Figure 4-3. Variations of Self-Synchronizing Schemes Using Cipher Text Feedback

Figure 4-4. A Pair of Encipherment/Decipherment Devices

The self-synchronizing scheme has some disadvantages as well, the most commonly
discussed being its error propagation problem. Any one-bit error introduced in
the cipher text stream will continue to affect the decipherment process until
it is completely shifted out of the register, i.e., if the register is N-bits
in length, then any error will result in N-bits being garbled. This is a
problem for applications which utilize English text which might be understandable
with occasional 1-bit errors, but not with bursts of N-bits in error. For
computer-oriented transmissions, all errors are typically treated in the same
manner, so this error propagation is not of concern unless it extends beyond
a message boundary and thereby causes a second message to also be lost.

Another potential disadvantage of the self-synchronizing scheme is the need to transmit an N-bit prelude to establish synchronization, i.e., to ensure that the two N-bit shift registers contain the same values. This is necessary whenever a key change is made, and is a definite consideration for multiplexed crypto devices in which the key may be changed for each message handled. (A possible solution to eliminate this overhead is to insert some "deterministic" bit pattern into the shift-register at each key change.)
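The error-propagation and prelude behaviour described above can be reproduced with a one-bit cipher text feedback model. This is an added example, not taken from the report: HMAC-SHA256 stands in for the keyed function (the report discusses DES), and the register length N = 16, the key, the register values and the plaintext are constructed for the demonstration.

```python
import hashlib
import hmac

N = 16  # shift-register length in bits (assumed value for this demo)

def keyed_bit(key: bytes, register: int) -> int:
    """Keyed 'function' box: one pseudo-random bit derived from the register.
    HMAC-SHA256 is a stand-in chosen for this example, not the report's DES."""
    msg = register.to_bytes((N + 7) // 8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1

def shift_in(register: int, bit: int) -> int:
    """Shift one cipher text bit into the N-bit register."""
    return ((register << 1) | bit) & ((1 << N) - 1)

def encipher(key: bytes, register: int, plain_bits):
    out = []
    for p in plain_bits:
        c = p ^ keyed_bit(key, register)
        out.append(c)
        register = shift_in(register, c)  # feedback of the cipher text
    return out

def decipher(key: bytes, register: int, cipher_bits):
    out = []
    for c in cipher_bits:
        out.append(c ^ keyed_bit(key, register))
        register = shift_in(register, c)  # same feedback, from the line
    return out

def garbled_positions(sent, received):
    """Indices at which the recovered plaintext differs from what was sent."""
    return [i for i, (a, b) in enumerate(zip(sent, received)) if a != b]

def demo():
    key = b"constructed demo key"
    start = 0x5A5A                                      # shared register content
    plain = [(i * 7 + 3) % 5 & 1 for i in range(200)]   # constructed bit pattern
    cipher = encipher(key, start, plain)

    # Case 1: a single line error in cipher text bit 50.
    damaged = list(cipher)
    damaged[50] ^= 1
    line_error = garbled_positions(plain, decipher(key, start, damaged))

    # Case 2: receiver register not synchronized (no prelude was sent).
    unsynced = garbled_positions(plain, decipher(key, 0x0000, cipher))
    return line_error, unsynced

if __name__ == "__main__":
    print(demo())
```

In case 1 the flipped bit is always wrong and the bits behind it are garbled only while the bad bit remains in the register; in case 2 the receiver recovers on its own once N cipher text bits have been shifted in, which is the role the N-bit prelude plays.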

These disadvantages are quite minor compared to the advantages of the self-synchronizing scheme for network usage. These advantages (over the pseudo-random sequence generators) include:

Minimal concern for loss of synchronization (much easier to re-establish).

Don't have to store previous initializing vectors (IV's)
in case of error (N IV's for Go-Back-N protocols).

Can decipher messages in a different order than they were
enciphered; e.g., to be able to handle priority messages that
got ahead of regular messages in going through the net, or to
allow reassembly of message packets inside a HOST.

The advantages of self-synchronizing schemes are so great that we will only consider them in subsequent analysis.


Multiplexed cryptographic equipment is desirable from an economic point of view, and its development has been recommended by Anderson (AND-72), and other members of the ESD Security Panel. Their reasons include:

Minimized costs, operator controls, space and other environmental requirements.

Provide more than one secure communications path via the same transmission link, primarily on a time multiplexed basis.

They projected that a prototype model could be available in FY 76, and that the device could also be designed to provide authentication (similar to the way that the ICD would authenticate the device to which it is attached).

Multiplexing of cryptographic devices is a natural extension of the ICD concepts which is consistent with our earlier developments in terms of control, buffering, etc. A message leader would be received and would thereby indicate the key to be utilized via its source and destination. Based on this information, the ICD would retrieve the appropriate key and decipher the message.

Multiplexing could also be on the basis of packets (pieces of messages), characters, or even bits, although the overhead of switching keys would be increasingly large as one moved toward the finer level of multiplexing. Therefore, message level multiplexing is felt to be the optimal choice, particularly if a synchronizing prelude is required for each block of data (i.e., self-synchron


Certain control information must be passed between the HOST-level and communications-level interfaces without being "randomized" by the crypto function as indicated in Figure 4-5. This information includes:

Timing information, e.g., to indicate the beginning and end of a message.

Message "type" information.

Source, destination (or at least an identifier for a particular
source-destination pair).

HOST-Network status information.

The design of this control path must emphasize simplicity and understandability to ensure that it cannot be utilized in any way to circumvent the cryptographic function, either accidentally or maliciously.

One additional concern for separating control and data information occurs when encipherment is desired at both a mini-HOST system and at a terminal that is connected to it. This situation would occur when end-to-end encryption requires encryption capability at the terminal only while other applications, such as remote batch job entry, require encryption at the mini-HOST itself.
