Connected: An Internet Encyclopedia
Other algorithms

Up: Connected: An Internet Encyclopedia
Up: Topics
Up: Concepts
Up: Cryptography
Up: Algorithms
Prev: Public Key Ciphers
Next: Key Management

Other algorithms

Other algorithms

Digital Signature Standard (DSS)

DSS, specified in FIPS PUB 186, is a digital signature algorithm based on modulo arithmetic. One of its "features" is that it can't be used for encryption, though this seams a mute point given the widespread availability of solid encryption systems.

Diffie Hellman

Diffie Hellman is a key exchange algorithm based on modulo arithmetic, that can be used to securely exchange keys between two systems that don't share any mutual keys. The problem is to create a shared secret over an insecure communications channel. Simply transmitting an symmetric cipher key is clearly inadequate, because anyone reading the traffic could use the key to decrypt anything encoded with it. Diffie Hellman addresses both of these problems.

Diffie Hellman operates in a large modulo number space, but doesn't rely on properties as exotic as RSA. After agreeing on a large modulus (m) and a common base number (x), each side picks a random number (its local secret), computes x to that power (mod m), and transmits this. Upon receiving this number, the other side raises it to its local secret power, and has computed x to the product of the two powers. Anyone snooping on the wire sees the two partial powers go past, but without the secret powers can't compute the shared secret.

Even with other cryptographic protection in place, Diffie-Hellman is often used to provide perfect forward security, which means that even if a master authentication key is compromised, previously exchanged data can't be read. The stolen key could be used to fabricate false credentials for future sessions, but couldn't be used to decrypt previous sessions because the session keys were exchanged using Diffie Hellman.

Random Number Generation

One of the hardest problems in cryptography is the creation of the keys themselves, a process which usually requires a good random number source. High quality random numbers are surprisingly hard to come by on computer systems, which are almost completely deterministic by nature. "Pseudo-random" number generators (PRNGs), of the type often seen in C libraries, don't do the trick. If the PRNG has only a 16-bit seed, then it will produce one of 216 possible "random" number streams. This means that an 80-bit key generated with this source will only assume one of 216 possible values... not 280 as one would like. In fact, every cryptosystem presently used (and any likely to be developed) will succumb to a brute-force attack if its key can be predicted within 216.

Thus, modern operating systems often go to great lengths to acquire and preserve truly random information. Things like the arrival time of network packets, the exact time between keystrokes, the exact position of the mouse and various windows on the screen - all can be used as random number sources. RFC 1750 discusses the issue to some length. Some Unix kernels now provide a /dev/random (or /dev/urandom) that allows applications requiring random numbers to get them from trusted kernel algorithms that monitor the system for various pieces of random information, using the timing of physical events.


Next: Key Management

Connected: An Internet Encyclopedia
Other algorithms