
A Key Notarization System For Computer Networks

Miles E. Smid

A cryptographic, Key Notarization System is proposed for computer networks to protect personal (nonshared) files, to communicate securely both on and off-line with local and remote users, to protect against key substitution, to authenticate system users, to authenticate data, and to provide a digital signature capability using a nonpublic key encryption algorithm. The system is implemented by the addition of key notarization facilities which give users the capability of exercising a set of commands for key management as well as for data encryption functions. Key notarization facilities perform notarization which, upon encryption, seals a key or password with the identities of the transmitter and intended receiver.


This paper proposes a Key Notarization System (KNS) which may be used in conjunction with a cryptographic device to provide increased data security. In 1977 the National Bureau of Standards published a completely defined encryption algorithm known as the Data Encryption Standard (DES) which became a Federal standard for the protection of unclassified data [2]. Since publication, several companies have produced hardware devices which implement the standard, and there has been an increased awareness that, in certain applications, encryption offers the only effective means of protecting information. The first applications of the encryption of unclassified data appeared in the area of electronic funds transfer, but the passage of the Privacy Act of 1974 (5 USC 522a) and Transmittal Memorandum No. 1 of Management and Budget Circular A-71 placed added responsibilities on Federal data systems for the protection of nonfinancial data as well.

Even before the DES was adopted, it was clear that there was more to cryptographic security than a secure encryption algorithm. Efforts were initiated by NBS to have additional standards, based on the DES, developed. An area which needed to be addressed was secure key management. DES keys are 64-bit binary vectors which are individually selected in order to provide the unknown quantity necessary for security in the encryption algorithm. Key management involves the secure generation, distribution, and storage of cryptographic keys. If the key management is weak, then the secure cryptoalgorithm will be of little value. In fact, a very strong cryptoalgorithm used in a weak key management system can give a false sense of security.

Previous work on key management systems may be found in Ehrsam, et al [4] and Everton [5]. This paper develops a simple key hierarchy and a set of commands or protocols which in conjunction with a secure random key generator and a strong encryption algorithm may be used to generate and store keys as well as to encrypt and decrypt data. These commands have been devised for computer systems which employ key notarization facilities (KNF's). They are to be tested on the NBS UNIX system but they are not UNIX dependent. It is intended that the system be applicable to many different situations. On-line communications, file encryption, off-line mail, and digital signatures all are to be protected. Key notarization is presented to help provide security while maintaining the required flexibility.

2. REQUIREMENTS

The Key Notarization System (KNS) may be used in computer networks along with key notarization facilities (KNF's) to:

1. Securely communicate between any two users;

2. Securely communicate via encrypted mail (off-line);

3. Protect personal (nonshared) files;

4. Provide a digital signature capability.

Secure communication involves preventing the disclosure of plain text, detecting fraudulent message modification, detecting fraudulent message insertion or deletion, and detecting fraudulent replay of a previously valid message.

The KNS must be consistent with these goals and yet operate at speeds sufficient for normal network communications.

With mail encryption, data is encrypted and then sent via mail or some means which cannot provide an immediate response. The data is stored in the encrypted form until decryption at some later time. In this situation one cannot have an interactive system for exchanging keys because no real-time response is possible. Therefore, protocols must be devised so that the receipt of keys need not be immediately acknowledged.

Once encrypted, personal files can only be decrypted by the original owner. They are encrypted for secure storage rather than secure communication. In this case encryption is used to protect against accidental disclosure, such as spillage, and intentional disclosure, such as scavenging. It is often desirable that the data encrypting key be stored with the cipher for ease of recovery. Of course, the key would be encrypted under another long term key which is kept for the user either in the KNF or in a secure location from which it may be entered into the KNF.

Digital signatures were developed in conjunction with public key systems. (See Diffie and Hellman [3] and Rivest, et al [8].) In such systems the decryption key is not equal to, and cannot be computed from, the encryption key. Encryption keys may be made public while decryption keys are kept secret. A digital signature is decrypted using the secret decryption key and sent to the receiver. The receiver may encrypt, using the public key, and verify the signature, but the signature cannot be forged since only the transmitter knows the secret decryption key. (The cryptoalgorithm must have the property that decryption of the signature followed by encryption equals the original signature.) Popek and Kline [7] showed that nonpublic key algorithms can also be used for digital signatures in conjunction with a "Network Registry". In the KNS, a different method is proposed for implementing digital signatures with the DES nonpublic key algorithm.

3. SYSTEM DESIGN

3.1 THE NETWORK

The KNS is designed for computer networks which consist of host computers, user terminals, and key notarization facilities. Figure 1 shows a four host network. The host controls the normal operation and communication of the terminals. Terminals have the capability of communicating with the host, with other local terminals through the host, and with terminals of other hosts via communication channels called interchanges. Each terminal will be able to use the host KNF by means of user commands. All commands will be implemented in the KNF, and every KNF will have the capacity to generate keys for distribution to other hosts or facility users.

Interchanges may be electronic communications lines, microwave links, courier routes, etc., or combinations of more than one medium. In Figure 1 only host 3 shares an interchange with host 4. If host 1 shares a common interchange key with host 4, then host 1 may communicate with host 4 through host 3 without intermediate decryption and reencryption. Host 3 would merely act as a switch. This is known as end-to-end encryption. If host 1 does not share a common key with host 4 but does share a key with host 3, and if host 3 shares a key with host 4, then host 1 may communicate with host 4 via host 3. The cipher would have to be decrypted at host 3 and reencrypted in the key shared between host 3 and host 4. Care must be taken to insure that the communications are not compromised when unencrypted. This method of encrypted communications is called link encryption.

The lines between the KNF and its host and the lines between each terminal and its host must be protected. They could be physically secured or they could be secured by the addition of cryptographic devices on each end of the links. When a user is editing a file in the host, it is in plain text form, and the host will have to protect the data from other users. Once the user has finished editing, he may command the KNF to encrypt the data and store the resulting cipher in unprotected memory or send it to a remote user over an interchange.

3.2 THE HOST

We will assume that the host computer has two types of memory: that which is not accessible to any user, called system memory, and that which is accessible to users, called user memory. User i's memory is core, disk, etc., where user i is permitted to store and recall data. Most computers have a means of protecting system memory from users, and some computers protect one user from another to a certain degree. We will rely on these protective features to the extent that the user should not be able to subvert the operation of the computer. For example, the system must be able to correctly maintain the identity of the user once he has been authenticated and given permission to execute the commands. The system must also prevent one user from taking on the identity of another user and thereby obtaining access to his unencrypted data. In other words, encryption by itself does not solve the computer security problem. However, if properly used in a system with the necessary protective features, it can provide protection to stored and communicated data.

The encrypted keys of user i are stored in user i's memory, and encrypted passwords to which no user needs access will be stored in system memory. Nevertheless, we will assume that any user could gain read and write access to every encrypted password stored in system memory. Each user is expected to manage the encrypted keys which belong to him, but he will not know any clear keys. Yet, key encryption is not sufficient. A method is required to protect against key substitution and to insure that each user correctly identifies the user with whom he is communicating.
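The following added example (not code from the paper) illustrates why key encryption alone does not stop key substitution, and how sealing a key with the identities of transmitter and receiver does. HMAC-SHA256 from the Python standard library stands in for DES; the way the identities are mixed into the wrapping key, the explicit rejection of a mismatched key, and the user names alice, bob and mallory are assumptions of this example, not the paper's construction.

```python
import hashlib
import hmac
import os

def wrapping_key(ik: bytes, sender: str, receiver: str, notarize: bool) -> bytes:
    """Key-encrypting key: the bare interchange key, or one bound to the pair."""
    if not notarize:
        return ik
    ids = b"".join(len(x).to_bytes(2, "big") + x
                   for x in (sender.encode(), receiver.encode()))
    return hmac.new(ik, b"notarize" + ids, hashlib.sha256).digest()

def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC a data key (at most 32 bytes) under kek."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes):
    """Return the data key, or None if the blob was not sealed under kek."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def substitution_outcome(notarize: bool):
    """Overwrite the stored key 'alice -> bob' with the key 'mallory -> bob'."""
    ik = os.urandom(32)                                  # constructed interchange key
    k_alice, k_mallory = os.urandom(8), os.urandom(8)    # constructed 64-bit data keys
    user_memory = {                                      # writable by any user
        "alice": wrap(wrapping_key(ik, "alice", "bob", notarize), k_alice),
        "mallory": wrap(wrapping_key(ik, "mallory", "bob", notarize), k_mallory),
    }
    user_memory["alice"] = user_memory["mallory"]        # the substitution
    # The receiving facility loads what it believes is the key sent by alice.
    loaded = unwrap(wrapping_key(ik, "alice", "bob", notarize), user_memory["alice"])
    return loaded, k_alice, k_mallory

if __name__ == "__main__":
    for mode in (False, True):
        loaded, _, k_m = substitution_outcome(mode)
        print("notarized" if mode else "plain", "->",
              "substituted key loaded" if loaded == k_m else "rejected")
```
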

3.3 THE KEY NOTARIZATION FACILITY (KNF)

The KNF contains a DES encryption device. It will have a control microprocessor and memory to implement commands and data transfers. The KNF must also store the unencrypted interchange keys and the states of active users. An active state consists of a user identifier along with an initialization vector and an unencrypted data key for both transmitting and receiving data. A user is active as soon as his identifier is loaded into active user memory in the KNF. He may then proceed to load the rest of his state.

The KNF contains a key generator which is capable of generating unpredictable keys. At any time a user should be able to predict the next key to be generated with only a 1/(2**56) probability of success where 2**56 is two raised to the 56'th power. One possible key generator is proposed in the Appendix. Once the 56-bit keys are generated the
