Classical cryptosystems; Symmetric-key systems; Asymmetric-key systems; One-way hash functions; One-Time Pad

Classical Systems
The classical systems are a varied lot, ranging from simple pen and paper systems to rotor machines such as the German Enigma used during WWII.

The Crypto Dropbox carries a large number of resources related to classical crypto, including Lanaki's Classical Cryptography Course. Systems covered in this course include simple substitution, polyalphabetic systems, the Enigma machine, transposition ciphers, and several other methods and variants.

Modern Symmetric Ciphers
Symmetric ciphers, or conventional cryptosystems, require that both the sender and the receiver of the message share the same secret key. The two most common kinds of symmetric cipher are stream ciphers and block ciphers.

Stream ciphers expand the key into a long stream of pseudo-random data (the keystream, produced by a keyed generator rather than by a truly random source) and XOR it bit-for-bit with the plaintext; the resulting output is the ciphertext. Because the keystream depends only on the key, the same key must never be used for two messages: XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. Examples of stream ciphers include A5, RC4, and SEAL.

A5 is the algorithm used in GSM digital phone systems, and isn't secure. Source and articles for A5 include an example of A5 in C, a sci.crypt posting on A5, and a posting from the Cypherpunks list.

RC4 is a variable key-length stream cipher developed by Dr. Ron Rivest, and its biggest claim to fame is that a 40-bit version of it is used in the SSL protocol. 40-bit SSL has been cracked, but this isn't a weakness in RC4 so much as in the fact that export-restricted versions of SSL are limited to 40-bit keys, and 2^40 keys can be searched by brute force. 40 bits just isn't enough. The details of RC4 had been kept secret as a trade secret of RSA Data Security, but the algorithm was reverse engineered and posted to Usenet in 1994 (the reverse-engineered version is often called "alleged RC4" or ARCFOUR). Biases have since been found in the RC4 keystream, the first output bytes especially, so it should not be used in new designs. There are some good resources for RC4, linked to below.

RC4 resources:

  1. RC4 in Perl
  2. RC4 for the Hewlett Packard 48 calculator
  3. RC4 in C
  4. A post to sci.crypt on RC4
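
Here is a compact RC4 in C, added to this page as an illustration (it is not one of the implementations linked above). It implements the key-scheduling algorithm (KSA) and the output generator (PRGA) of the posted cipher and checks itself against the widely circulated test vectors: key "Key" with plaintext "Plaintext" gives bbf316e8d940af0ad3, and key "Wiki" with plaintext "pedia" gives 1021bf0420. Plaintexts longer than 256 bytes are not handled; that limit is an assumption of the example, not of RC4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_state;

/* Key-scheduling algorithm (KSA): start with the identity permutation and
   swap it around under the key. Keys are 1..256 bytes; shorter keys repeat. */
static void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        st->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->S[k] + key[k % keylen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

/* Pseudo-random generation algorithm (PRGA): produce n keystream bytes and
   XOR them into buf in place. Encryption and decryption are the same
   operation, so running this again with a fresh state restores buf. */
static void rc4_crypt(rc4_state *st, uint8_t *buf, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
        buf[k] ^= st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
    }
}

/* Encrypt an ASCII plaintext (at most 256 bytes, an assumption of this demo)
   under an ASCII key and write the ciphertext as lowercase hex into hex. */
static void rc4_hex(const char *key, const char *pt, char *hex)
{
    uint8_t buf[256];
    size_t n = strlen(pt);
    rc4_state st;
    memcpy(buf, pt, n);
    rc4_init(&st, (const uint8_t *)key, strlen(key));
    rc4_crypt(&st, buf, n);
    for (size_t k = 0; k < n; k++)
        sprintf(hex + 2 * k, "%02x", buf[k]);
}

/* 1 if encrypting pt under key gives the expected hex ciphertext. */
static int rc4_matches(const char *key, const char *pt, const char *expected_hex)
{
    char hex[513];
    rc4_hex(key, pt, hex);
    return strcmp(hex, expected_hex) == 0;
}

/* 1 if decrypting with the same key (fresh state, same keystream) restores pt. */
static int rc4_roundtrip(const char *key, const char *pt)
{
    uint8_t buf[256];
    size_t n = strlen(pt);
    rc4_state st;
    memcpy(buf, pt, n);
    rc4_init(&st, (const uint8_t *)key, strlen(key));
    rc4_crypt(&st, buf, n);                       /* encrypt */
    rc4_init(&st, (const uint8_t *)key, strlen(key));
    rc4_crypt(&st, buf, n);                       /* decrypt */
    return memcmp(buf, pt, n) == 0;
}

int main(void)
{
    char hex[513];
    rc4_hex("Key", "Plaintext", hex);
    printf("RC4(\"Key\", \"Plaintext\") = %s\n", hex);   /* bbf316e8d940af0ad3 */
    return rc4_matches("Key", "Plaintext", "bbf316e8d940af0ad3") ? 0 : 1;
}
```

Note that nothing in the cipher stops you from calling rc4_init with the same key for a second message; that is the keystream-reuse mistake described above, and it has to be prevented by the protocol around the cipher (a per-message key or nonce), not by RC4 itself.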

SEAL is a stream cipher created by Phil Rogaway and Don Coppersmith at IBM. Not much has been done with SEAL so far, and there is little published analysis to show whether it is really secure or not. Exercise caution. There are two pieces of example C code demonstrating the SEAL algorithm.

Whereas stream ciphers operate on one bit (or byte) of plaintext at a time, block ciphers operate on a fixed block of N bits; most of the block ciphers below use a 64-bit block. A block cipher on its own only encrypts a single block, so a mode of operation (ECB, CBC, CFB, OFB) is needed for longer messages, and plain ECB mode leaks which plaintext blocks are equal. Examples of block ciphers are DES, IDEA, REDOC, and SAFER.

DES, the United States' Data Encryption Standard, was designed at IBM in the early 1970s and adopted as a federal standard in 1976 (published as FIPS 46 in 1977). DES has a 64-bit block size and a 64-bit key of which only 56 bits are used; the other 8 are parity bits, so the keyspace is 2^56. Cryptanalysis and faster computers have prompted the use of triple encryption with DES: a 56-bit key can now be found by exhaustive search (the EFF's DES Cracker did it in 1998), and double encryption is weak because it lends itself to a specialized "meet in the middle" attack, which costs roughly 2^57 DES operations plus a large table rather than the 2^112 a 112-bit key would suggest. The triple encryption construction is usually called Triple-DES and can be expressed this way:
Encrypt_DES(key_3, Decrypt_DES(key_2, Encrypt_DES(key_1, Message)))

That is, we encrypt the message with our first key, giving ciphertext C1; we then decrypt C1 with our second key (a different key, so this does not yield the plaintext; it is just another application of the DES permutation), giving C2; then we encrypt C2 with our third key. This encrypt-decrypt-encrypt structure is preferred to three encryptions because it is compatible with single DES if all three keys are the same. Note that the meet-in-the-middle attack applies to Triple-DES too: with three independent 56-bit keys the effective strength is about 112 bits, not 168, and the keys must be independent values, since deriving k2 and k3 from k1 gives back single-DES strength.

DES and Triple-DES resources:

  1. FIPS Publication 46-2: Data Encryption Standard (Wordperfect format)
  2. Phil Karn's DES source in C
  3. Triple DES in C
  4. Funet's DES directory has a lot of DES related source
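
To make the double-encryption weakness concrete, here is a meet-in-the-middle search in C. It is an added example, not DES and not any of the code linked above: the cipher is a deliberately tiny 16-bit Feistel toy with a 12-bit key (its round function and key schedule are made up for this page so that every key can be enumerated in milliseconds), but the structure of the attack is exactly the one that applies to double DES. The same code also checks that the EDE construction collapses to a single encryption when all three keys are equal, which is the compatibility property the text describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy cipher (constructed for this example, NOT a real cipher): a 4-round
   Feistel network on 16-bit blocks with a 12-bit key. It is small so that an
   attacker can enumerate every key; that is the point of the demonstration. */
#define KEYBITS 12
#define NKEYS   (1u << KEYBITS)

static uint16_t toy_roundkey(uint16_t key, int r)
{
    return (uint16_t)((key * 0x9e5u + (unsigned)r * 0x6d3u) & (NKEYS - 1));
}

static uint8_t toy_f(uint8_t x, uint16_t rk)
{
    uint8_t y = (uint8_t)(x ^ (rk & 0xff) ^ (rk >> 4));
    y = (uint8_t)(y * 0x1b + 0x5a);
    return (uint8_t)((y << 3) | (y >> 5));      /* rotate left by 3 */
}

static uint16_t toy_encrypt(uint16_t key, uint16_t block)
{
    uint8_t l = (uint8_t)(block >> 8), r = (uint8_t)block;
    for (int i = 0; i < 4; i++) {
        uint8_t t = r;
        r = (uint8_t)(l ^ toy_f(r, toy_roundkey(key, i)));
        l = t;
    }
    return (uint16_t)((l << 8) | r);
}

static uint16_t toy_decrypt(uint16_t key, uint16_t block)
{
    uint8_t l = (uint8_t)(block >> 8), r = (uint8_t)block;
    for (int i = 3; i >= 0; i--) {             /* undo the rounds in reverse */
        uint8_t t = l;
        l = (uint8_t)(r ^ toy_f(l, toy_roundkey(key, i)));
        r = t;
    }
    return (uint16_t)((l << 8) | r);
}

/* Double encryption E_k2(E_k1(P)): naively 2^(2*KEYBITS) key pairs to try. */
static uint16_t double_encrypt(uint16_t k1, uint16_t k2, uint16_t p)
{
    return toy_encrypt(k2, toy_encrypt(k1, p));
}

/* Encrypt-decrypt-encrypt, the Triple-DES construction from the text. */
static uint16_t ede_encrypt(uint16_t k1, uint16_t k2, uint16_t k3, uint16_t p)
{
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, p)));
}

/* Meet-in-the-middle on double encryption, given npairs known (p, c) pairs.
   Forward: tabulate E_k1(p0) for every k1. Backward: for every k2 compute
   D_k2(c0) and look it up; E_k1(p0) == D_k2(c0) is the "meeting" condition.
   Survivors are confirmed on the remaining pairs. Cost is about 2*2^KEYBITS
   cipher calls plus a table, instead of 2^(2*KEYBITS). Returns 1 on success. */
static int mitm_double(const uint16_t *p, const uint16_t *c, int npairs,
                       uint16_t *k1_out, uint16_t *k2_out)
{
    static int32_t head[65536];   /* middle value -> first k1 producing it */
    static int32_t next[NKEYS];   /* chain for k1 values that collide */
    for (int i = 0; i < 65536; i++) head[i] = -1;
    for (uint32_t k1 = 0; k1 < NKEYS; k1++) {
        uint16_t mid = toy_encrypt((uint16_t)k1, p[0]);
        next[k1] = head[mid];
        head[mid] = (int32_t)k1;
    }
    for (uint32_t k2 = 0; k2 < NKEYS; k2++) {
        uint16_t mid = toy_decrypt((uint16_t)k2, c[0]);
        for (int32_t k1 = head[mid]; k1 != -1; k1 = next[k1]) {
            int ok = 1;
            for (int i = 1; i < npairs && ok; i++)
                ok = double_encrypt((uint16_t)k1, (uint16_t)k2, p[i]) == c[i];
            if (ok) { *k1_out = (uint16_t)k1; *k2_out = (uint16_t)k2; return 1; }
        }
    }
    return 0;
}

/* Run the attack against a secret key pair using three known plaintexts.
   Returns 1 if the recovered pair reproduces every known ciphertext (an
   equivalent pair is as good as the original to the attacker). */
static int mitm_demo(uint16_t secret_k1, uint16_t secret_k2)
{
    uint16_t p[3] = { 0x1234, 0xbeef, 0x0042 }, c[3], k1, k2;
    for (int i = 0; i < 3; i++) c[i] = double_encrypt(secret_k1, secret_k2, p[i]);
    if (!mitm_double(p, c, 3, &k1, &k2)) return 0;
    for (int i = 0; i < 3; i++)
        if (double_encrypt(k1, k2, p[i]) != c[i]) return 0;
    return 1;
}

int main(void)
{
    printf("meet-in-the-middle recovered the key pair: %s\n",
           mitm_demo(0x3a7, 0xc15) ? "yes" : "no");
    printf("EDE with k1=k2=k3 equals single encryption: %s\n",
           ede_encrypt(0x123, 0x123, 0x123, 0x4567) == toy_encrypt(0x123, 0x4567) ? "yes" : "no");
    return 0;
}
```

Scaling this up is the whole story of double DES: the table needs 2^56 entries and each half of the search costs 2^56 operations, which is expensive but nowhere near the 2^112 that a 112-bit key should cost.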

IDEA was created by Xuejia Lai and James Massey in 1990 (this early version was called PES). After Sean Murphy cryptanalyzed the algorithm, Lai and Massey strengthened PES against differential cryptanalysis and IPES was born. IPES was eventually renamed IDEA (International Data Encryption Algorithm) in 1992. IDEA has a 64-bit block size, like DES, but with 128 bits of keyspace IDEA has far more keys than DES: 2^72 times as many, to be exact.

IDEA resources:

  1. Description of IDEA (postscript)
  2. IDEA implementation in C
  3. IDEA in 8086 assembler

REDOC II and REDOC III are block algorithms created by Michael Wood for Cryptech Inc. REDOC II has a 160-bit key and an 80-bit block size. No published cryptanalysis of REDOC II extends past one round (REDOC II has 10 rounds). REDOC III is a variant of REDOC II, and has a variable-length key and an 80-bit block size. REDOC III can be broken with differential cryptanalysis.

REDOC II and III resources:

  1. REDOC II source in C
  2. REDOC III source in C

LOKI was first created as an alternative to DES. It has a 64-bit block size and 64 bits of keyspace. LOKI89 (the first version of LOKI) is vulnerable to differential cryptanalysis with 14 or fewer rounds (from the work of Lars Knudsen). LOKI91 is secure against differential cryptanalysis, but Knudsen found a related-key attack.

LOKI resources:

  1. LOKI89 and 91 source in C

FEAL is a 64-bit block cipher with a 64-bit key, created by Akihiro Shimizu and Shoji Miyaguchi of NTT Japan. FEAL is not secure: 4-round FEAL is breakable with a chosen-plaintext attack, 8-round FEAL is subject to attack by differential cryptanalysis, and FEAL was the first cipher broken by linear cryptanalysis. FEAL-NX is a variant of FEAL that uses a 128-bit key and a variable number of rounds. FEAL-NX can be broken with differential cryptanalysis as well. It is dead; its only remaining use is as a teaching target for the attacks above.

FEAL resources:

  1. 8 round FEAL source in C
  2. FEAL-NX source in C

Blowfish is an algorithm designed by Bruce Schneier (author of Applied Cryptography). Blowfish is a 64-bit block cipher with a variable-length key (32 to 448 bits). There are some weak key problems with Blowfish, but they only apply to reduced-round variants. Blowfish is not patented, and is in the public domain. One practical caveat: the key schedule is slow (it runs the cipher 521 times to fill the subkeys and S-boxes), which is fine for bulk encryption under a long-lived key but a poor fit where keys change with every message.

Blowfish resources:

  1. Documentation for the Blowfish library, libbf
  2. LibBF 0.7.2
  3. Funet's Blowfish directory

RC2 is another algorithm by Ron Rivest. RC2 has a variable-length key and a block size of 64 bits. RC2 is protected as an RSA Data Security Inc. trade secret, but like RC4 the algorithm has been reverse engineered and posted to the Internet.

RC2 resources:

  1. RC2 source code in C
  2. RC2 code and related papers

CAST is a design procedure and family of ciphers by Carlisle Adams and Stafford Tavares. CAST uses a 64-bit block size and a 64-bit key. CAST is resistant to differential cryptanalysis and linear cryptanalysis. CAST is also one of the symmetric algorithms used in PGP version 5.0; that variant, CAST-128 (also called CAST5), keeps the 64-bit block but takes keys of 40 to 128 bits.

CAST resources:

  1. CAST source in C

SAFER is a 64-bit block cipher designed by James Massey (co-creator of IDEA). SAFER K-64 has a 64-bit key, and SAFER K-128 has a 128-bit key. SAFER K-64 is immune to differential cryptanalysis after 8 rounds, and secure against linear cryptanalysis after 3 rounds. There is a weak key problem with SAFER, but this problem is only meaningful when using SAFER as a hash function.

SAFER resources:

  1. SAFER source in C
  2. Description of the SAFER algorithm
  3. Another SAFER implementation

3-Way is an iterated block cipher by Joan Daemen. It uses 96 bits for both its key and its block size. There is no known successful cryptanalysis of 3-Way, and it is free for use.

3-Way resources:

  1. 3-way source in C

RC5 is an algorithm created by Ron Rivest that has a variable key size, block size and number of rounds. A particular choice of parameters is written RC5-w/r/b, where w is the word size in bits (a block is two words), r is the number of rounds and b is the key length in bytes, so RC5-32/12/16 has a 64-bit block, 12 rounds and a 128-bit key. With a 64-bit block RC5 is secure against differential cryptanalysis after 15 rounds, and is probably secure against linear cryptanalysis after 6 rounds.

RC5 resources:

  1. The RC5 Encryption Algorithm by Ron Rivest
  2. RC5-32/12/16 in C
  3. RC5 info from RSADSI Inc.

Skipjack is a classified, NSA-developed encryption algorithm. It is meant for use in hardware products such as the Clipper and Capstone chips. Those chips use Skipjack inside a key-escrow scheme, which means that a trusted party (in this case, the government) has the ability to recover the keys used to encrypt a message. This has applications in areas like law enforcement, where a warrant has been obtained to get access to encrypted information, or in business applications where vital company data has been encrypted by an employee, but the employee's key has been lost. The escrow is a property of the chips and their key handling, not of the cipher itself.

Skipjack is an iterative block cipher with a block size of 64 bits and an 80-bit key.

Since Skipjack is classified (not merely patented), there are no papers available about its operation or source code implementing it; the resources listed are links to products that use Capstone chips, primarily Fortezza products. (NSA declassified the algorithm in 1998, so a public specification and implementations now exist.)

Skipjack resources:

  1. Fortezza Documentation
  2. Fortezza PCMCIA Cards

Asymmetric Cryptosystems
Asymmetric cryptosystems use two keys, one for encryption and one for decryption. The key that is used for encryption is called the public key and the one that is used for decryption is called the secret key or sometimes the private key. One can publish the encryption key in a phone book, or in a key registry, or wherever, and then other people can look up your name and get the key. Since only your secret key can be used to decrypt messages encrypted with your public key, you only need to keep the secret key secure. What the registry does have to guarantee is the binding between a name and a key: if an attacker can substitute his own public key under your name, messages meant for you are encrypted to him instead, which is why public keys are certified by a signature or verified out of band.

Asymmetric cryptosystems are generally based on some computationally "hard" problem, such as factoring or computing discrete logarithms. Examples of asymmetric algorithms are RSA, LUC, ElGamal and Rabin.

RSA is a public-key algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman. RSA is based on the difficulty of factoring large numbers. RSA is patented, but is free for personal use.

RSA resources:

  1. RSA source code in C
  2. RSAREF library
  3. RSA Data Security Inc. Homepage
  4. * RSADSI FTP Server
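
A worked textbook RSA in C, added here as an illustration and not taken from RSAREF or the other sources listed: key generation from two primes via the extended Euclidean algorithm, encryption and decryption by square-and-multiply, and then two checks a practitioner should know about. The modulus is deliberately tiny (two 16-bit primes, 65521 and 65537, and e = 17, all assumed for the example) so that rsa_break_by_factoring can recover the private key from the public key by trial division, which is exactly why real moduli must be far too large to factor. rsa_is_malleable shows that textbook RSA lets anyone turn E(m1) and E(m2) into E(m1*m2), which is why real systems pad messages (PKCS #1, OAEP) rather than encrypting raw numbers.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply modular exponentiation. Every modulus in this example is
   below 2^32, so each intermediate product fits in a uint64_t (assumption). */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Inverse of a modulo m by the extended Euclidean algorithm; 0 if gcd(a,m) != 1. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

typedef struct { uint64_t n, e, d; } rsa_key;   /* (n, e) public, d private */

/* Textbook key generation from two primes p, q and a public exponent e:
   n = p*q, d = e^-1 mod (p-1)(q-1). Returns 0 if e is not invertible. */
static int rsa_keygen(uint64_t p, uint64_t q, uint64_t e, rsa_key *k)
{
    uint64_t phi = (p - 1) * (q - 1);
    k->n = p * q; k->e = e; k->d = modinv(e, phi);
    return k->d != 0;
}

static uint64_t rsa_encrypt(const rsa_key *k, uint64_t m) { return modpow(m, k->e, k->n); }
static uint64_t rsa_decrypt(const rsa_key *k, uint64_t c) { return modpow(c, k->d, k->n); }

/* Attack: recover the private key from the public key alone by factoring n.
   Trial division is hopeless for a 1024-bit n; for a 32-bit n it is instant.
   Returns 1 and fills *priv on success. */
static int rsa_break_by_factoring(const rsa_key *pub, rsa_key *priv)
{
    for (uint64_t p = 2; p * p <= pub->n; p++)
        if (pub->n % p == 0)
            return rsa_keygen(p, pub->n / p, pub->e, priv);
    return 0;
}

/* Malleability of textbook RSA: E(m1) * E(m2) == E(m1 * m2) mod n, so a
   ciphertext can be turned into the encryption of a related message without
   the key. Returns 1 if the identity holds (it always does for raw RSA). */
static int rsa_is_malleable(const rsa_key *k, uint64_t m1, uint64_t m2)
{
    uint64_t lhs = (rsa_encrypt(k, m1) * rsa_encrypt(k, m2)) % k->n;
    uint64_t rhs = rsa_encrypt(k, (m1 * m2) % k->n);
    return lhs == rhs;
}

int main(void)
{
    rsa_key k, cracked;
    if (!rsa_keygen(65521, 65537, 17, &k)) return 1;     /* example primes, assumed */
    uint64_t m = 123456789, c = rsa_encrypt(&k, m);
    printf("n=%llu e=%llu d=%llu\n", (unsigned long long)k.n,
           (unsigned long long)k.e, (unsigned long long)k.d);
    printf("m=%llu -> c=%llu -> %llu\n", (unsigned long long)m,
           (unsigned long long)c, (unsigned long long)rsa_decrypt(&k, c));
    rsa_key pub = { k.n, k.e, 0 };
    if (rsa_break_by_factoring(&pub, &cracked))
        printf("factored n from the public key alone: recovered d=%llu\n",
               (unsigned long long)cracked.d);
    printf("E(m1)*E(m2) == E(m1*m2): %s\n", rsa_is_malleable(&k, 4242, 99999) ? "yes" : "no");
    return 0;
}
```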

LUC is a patented public key algorithm based on Lucas sequences. Schneier (Applied Cryptography, 2nd ed., p. 481) reports that LUC can be broken in some implementations. On the other hand, LUC could be as secure as RSA.

LUC resources:

  1. LUC: A New Public Key System by Peter Smith and Michael Lennon
  2. LUC in BC
  3. L3 LUC Package

Misc. Public Key Material:
PGP version 5.0 contains source code in C for the RSA and Diffie-Hellman public key cryptosystems, along with source code for IDEA and CAST.

Funet directory for elliptic curve based public key cryptosystems.

One-Way Hash Functions
Hash functions are designed to take an arbitrary amount of data and provide a fixed-length digital "fingerprint" of it, while at the same time meeting some other security criteria: it should be infeasible to compute a message from its hash (preimage resistance), to find a second message with the same hash as a given one (second-preimage resistance), or to find any two messages with the same hash (collision resistance). Which of these matters depends on the application; a digital signature over a hash, for instance, is only as strong as the hash's collision resistance. Common hash functions include SHA, MD4, MD5, and Snefru.

SHA is the Secure Hash Algorithm designed by NSA and NIST for use in the Secure Hash Standard (SHS). SHA produces a 160-bit hash. The original 1993 version was withdrawn and replaced by SHA-1 (FIPS 180-1), which adds a one-bit rotation to the message schedule. No attacks on SHA-1 were known when this page was written, but collisions have since been demonstrated, so it should not be relied on where collision resistance matters.

SHA resources:

  1. FIPS 180-1: Secure Hash Standard (pdf format)
  2. SHA in C
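
As an added illustration of what a hash function like SHA actually does (a from-scratch example written for this page, not the linked C source): the message is padded to a multiple of 512 bits with its bit length appended, each 512-bit block is mixed into a 160-bit state by 80 rounds of shifts, additions and bitwise functions, and the final state is the hash. sha1_matches checks the result against the FIPS 180-1 test vectors for "abc" and for the 448-bit message, which exercises the two-block padding path, and sha1_bit_diff shows the avalanche effect by counting how many of the 160 output bits change when one input character changes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rol32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Compression function: fold one 512-bit block into the 160-bit state h. */
static void sha1_block(uint32_t h[5], const uint8_t blk[64])
{
    uint32_t w[80];
    for (int i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4*i] << 24) | ((uint32_t)blk[4*i+1] << 16) |
               ((uint32_t)blk[4*i+2] << 8) | blk[4*i+3];
    for (int i = 16; i < 80; i++)      /* message schedule; the rol by 1 is the SHA-1 fix */
        w[i] = rol32(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rol32(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol32(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* One-shot SHA-1: Merkle-Damgard padding (0x80, zeros, 64-bit big-endian bit
   length) followed by the compression function over every block. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[20])
{
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    size_t i = 0;
    for (; i + 64 <= len; i += 64) sha1_block(h, msg + i);
    uint8_t tail[128];
    size_t rem = len - i;
    size_t padlen = (rem < 56) ? 64 : 128;   /* room for 0x80 plus 8 length bytes */
    memcpy(tail, msg + i, rem);
    tail[rem] = 0x80;
    memset(tail + rem + 1, 0, padlen - rem - 1);
    uint64_t bits = (uint64_t)len * 8;
    for (int j = 0; j < 8; j++) tail[padlen - 1 - j] = (uint8_t)(bits >> (8 * j));
    sha1_block(h, tail);
    if (padlen == 128) sha1_block(h, tail + 64);
    for (int j = 0; j < 5; j++) {
        out[4*j] = (uint8_t)(h[j] >> 24); out[4*j+1] = (uint8_t)(h[j] >> 16);
        out[4*j+2] = (uint8_t)(h[j] >> 8); out[4*j+3] = (uint8_t)h[j];
    }
}

/* Lowercase hex digest of a C string into hex[41]. */
static void sha1_hex(const char *s, char hex[41])
{
    uint8_t d[20];
    sha1((const uint8_t *)s, strlen(s), d);
    for (int j = 0; j < 20; j++) sprintf(hex + 2 * j, "%02x", d[j]);
}

/* 1 if SHA-1(s) equals the expected lowercase hex digest. */
static int sha1_matches(const char *s, const char *expected_hex)
{
    char hex[41];
    sha1_hex(s, hex);
    return strcmp(hex, expected_hex) == 0;
}

/* Avalanche: how many of the 160 digest bits differ between SHA-1(a) and SHA-1(b). */
static int sha1_bit_diff(const char *a, const char *b)
{
    uint8_t da[20], db[20];
    int n = 0;
    sha1((const uint8_t *)a, strlen(a), da);
    sha1((const uint8_t *)b, strlen(b), db);
    for (int j = 0; j < 20; j++)
        for (uint8_t x = (uint8_t)(da[j] ^ db[j]); x; x &= (uint8_t)(x - 1)) n++;
    return n;
}

int main(void)
{
    char hex[41];
    sha1_hex("abc", hex);
    printf("SHA-1(\"abc\") = %s\n", hex);   /* a9993e364706816aba3e25717850c26c9cd0d89d */
    printf("bits changed by abc -> abd: %d of 160\n", sha1_bit_diff("abc", "abd"));
    return 0;
}
```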

MD2 is a 128-bit hash function by Ron Rivest. There are no known weaknesses in MD2, but it is also much slower than MD4 and MD5, since it works a byte at a time.

MD2 resources:

  1. MD2 Source in C
  2. The MD2 Message-Digest Algorithm

MD4 is another 128-bit hash function by Ron Rivest. There are a few different cryptanalytic attacks against MD4, and although at the time of writing none of them applied to the full algorithm it is better to use MD5; Dobbertin has since found collisions for the full MD4, so it should be considered broken.

MD4 resources:

  1. MD4 Source in C
  2. The MD4 Message-Digest Algorithm

MD5 is the latest of Ron Rivest's hash functions. Like those before it, MD5 gives a 128-bit hash. Differential cryptanalytic attacks have been mounted against MD5, but none are effective against all 4 rounds. A more troublesome problem is that of producible collisions in the MD5 compression function, which at the time of writing had not been extended to cause any problem in actual applications. Full MD5 collisions have since become practical, so MD5 should not be used where collision resistance matters, such as for signatures or certificates.

MD5 resources:

  1. MD5 Source in C
  2. The MD5 Message-Digest Algorithm

Snefru is a hash function created by Ralph Merkle which yields a 128-bit hash. There are problems with Snefru, namely that it falls to differential cryptanalysis with fewer than 4 rounds. Merkle recommends using 8 rounds, but using Snefru this way is very slow.

Snefru resources:

  1. Snefru in C

HAVAL is a variable-length hash function, and can output hashes of 128, 160, 192, 224 or 256 bits. There are no known attacks against HAVAL.

HAVAL resources:

  1. HAVAL in C

Tiger is an impressive hash function by Eli Biham and Ross Anderson. Tiger produces a 192-bit hash (truncated 160- and 128-bit variants are also specified), and is meant especially for 64-bit architectures. For technical stats on Tiger, read the original design paper for Tiger.

Tiger resources:

  1. Tiger source in C
  2. Tiger S-Box generation
  3. Eli Biham's Homepage

One-Time Pad
The One Time Pad is the only provably secure, unbreakable cryptosystem known. This lofty position comes with a high price tag: the key must be as long as the plaintext, completely random, kept secret by both parties, and never used twice.

It is easy to see why the OTP isn't used very often. Attacks on the OTP will be directed either at the method of generating the random key, or at finding a pad that has been used more than once: XORing two ciphertexts that share a pad cancels the pad and leaves the XOR of the two plaintexts, which is usually enough to recover both. This second attack was used by the NSA against the KGB in the so-called VENONA Project.

In OTP systems it is extremely important to have a true random source to generate the keystream. No computer-based, algorithmic method will generate a secure pad file. Even cryptographically strong hash functions set up as a random bit generator should not be used. Although these generators are a secure source of pseudo-random numbers, the stream can be reconstructed by giving the generator the correct inputs; a pad produced this way turns the system into an ordinary stream cipher whose key is the generator's seed, and the OTP's proof of security no longer applies. OTP stream generation should be done with a good hardware random number generator. Such devices may be based on the noise of a "noisy" Zener diode, the phase drift between two oscillators, or the timing of radioactive decay particles.

The OTP system itself is a simple stream cipher: XOR every bit of plaintext successively with every bit of key, and the result is the ciphertext. The same operation with the same pad turns the ciphertext back into plaintext.

In C it looks like this. The program reads the pad from the file named on the command line and the plaintext from standard input; the bytes are held in an int rather than a char because getc() signals end-of-file with EOF, which a char cannot tell apart from a pad byte of 0xFF (with a signed char a 0xFF pad byte would stop the loop early, with an unsigned char the loop would never stop). It also refuses to run past the end of the pad, since reusing or wrapping the pad is exactly the VENONA mistake:

     #include <stdio.h>
     /* usage: otp padfile < plaintext > ciphertext (run again with the same pad to decrypt) */
     int main (int argc, char **argv)
     {
          FILE *pad; int padbyte, plainbyte; /* int, not char: EOF is -1, and a pad byte may be 0xFF */
          if (argc != 2 || (pad = fopen(argv[1], "rb")) == NULL) {
               fprintf(stderr, "usage: %s padfile < plaintext > ciphertext\n", argv[0]);
               return 1;
          }
          while ((plainbyte = getc(stdin)) != EOF) {
               if ((padbyte = getc(pad)) == EOF) {   /* the pad must be at least as long as the plaintext */
                    fputs("pad exhausted\n", stderr); return 1;
               }
               putchar(padbyte ^ plainbyte);
          }
          fclose(pad);
          return 0;
     }
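
The VENONA-style failure described above, as an added worked example in C (not part of the original page): two messages are encrypted with the same pad, XORing the two ciphertexts cancels the pad and leaves m1 XOR m2, and a crib (a word the analyst guesses appears in one message) is dragged along that XOR to read the other message at the same position. The two messages and the pad bytes are constructed for the example; the pad was typed in by hand and is not from a hardware RNG, which is fine here only because the point is the reuse, not the pad quality.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two equal-length messages and ONE pad, wrongly reused. */
#define MSG_LEN 30
static const char MSG1[MSG_LEN + 1] = "MEET ME AT THE STATION AT NINE";
static const char MSG2[MSG_LEN + 1] = "SEND THE MONEY TO BERLIN TODAY";
static const uint8_t PAD[MSG_LEN] = {            /* hand-written, NOT a real random pad */
    0x9c,0x3f,0xe1,0x07,0x5a,0xb8,0x22,0xd4,0x6e,0xf0,
    0x13,0x87,0xc5,0x49,0xae,0x01,0x7b,0xd9,0x64,0x2f,
    0x90,0xe6,0x38,0x5d,0xcb,0x12,0xa7,0x7e,0x03,0xf4 };

/* The one-time pad itself: out[i] = in[i] XOR key[i]; decryption is the same call. */
static void otp_xor(const uint8_t *in, const uint8_t *key, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i];
}

/* The mistake: both messages encrypted under the same pad. */
static void make_ciphertexts(uint8_t c1[MSG_LEN], uint8_t c2[MSG_LEN])
{
    otp_xor((const uint8_t *)MSG1, PAD, MSG_LEN, c1);
    otp_xor((const uint8_t *)MSG2, PAD, MSG_LEN, c2);
}

/* c1 XOR c2 = (m1 XOR pad) XOR (m2 XOR pad) = m1 XOR m2: the pad drops out
   without the attacker ever learning it. Returns 1 if that holds here. */
static int pad_cancels(const uint8_t c1[MSG_LEN], const uint8_t c2[MSG_LEN])
{
    for (size_t i = 0; i < MSG_LEN; i++)
        if ((c1[i] ^ c2[i]) != ((uint8_t)MSG1[i] ^ (uint8_t)MSG2[i])) return 0;
    return 1;
}

/* Crib dragging: if `crib` is the plaintext of one message at offset `off`,
   then c1 XOR c2 XOR crib at that offset is the plaintext of the OTHER message
   there. Writes the recovered bytes to out as a NUL-terminated string. */
static void recover_with_crib(const uint8_t *c1, const uint8_t *c2, size_t n,
                              const char *crib, size_t off, char *out)
{
    size_t len = strlen(crib), i;
    for (i = 0; i < len && off + i < n; i++)
        out[i] = (char)(c1[off + i] ^ c2[off + i] ^ (uint8_t)crib[i]);
    out[i] = '\0';
}

/* 1 if every byte is an uppercase letter or a space, i.e. looks like our plaintext. */
static int looks_like_text(const char *s)
{
    for (; *s; s++)
        if (!((*s >= 'A' && *s <= 'Z') || *s == ' ')) return 0;
    return 1;
}

/* Drag the crib across every offset and print the ones that decode to plausible
   text; the analyst then extends a readable fragment by guessing the next word.
   Returns the number of plausible offsets. */
static int crib_drag(const uint8_t *c1, const uint8_t *c2, size_t n, const char *crib)
{
    char out[MSG_LEN + 1];
    int hits = 0;
    for (size_t off = 0; off + strlen(crib) <= n; off++) {
        recover_with_crib(c1, c2, n, crib, off, out);
        if (looks_like_text(out)) { printf("offset %2zu: \"%s\"\n", off, out); hits++; }
    }
    return hits;
}

int main(void)
{
    uint8_t c1[MSG_LEN], c2[MSG_LEN];
    make_ciphertexts(c1, c2);
    printf("pad cancels in c1 XOR c2: %s\n", pad_cancels(c1, c2) ? "yes" : "no");
    printf("dragging crib \"STATION\" (guessed to be in message 1):\n");
    crib_drag(c1, c2, MSG_LEN, "STATION");   /* offset 15 reads "TO BERL" from message 2 */
    return 0;
}
```

Note that the attacker never learns a single pad byte directly and never needs to; the pad is only ever used as the difference between two ciphertexts, which is why the key-material rule "never use a pad twice" has no safe exceptions.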

One Time Pad and Hardware RNG resources:

  1. OTP Software at Funet
  2. Info from Protego on Hardware RNGs
  3. Schematics for a hardware RNG
  4. CryptIC Chip Information
  5. Fortezza cards with RNGs

Corrections, additions, and updates to this page can be sent to Michael Graffam (mgraffam@mhv.net).