
PROCEEDINGS OF THE IEEE, VOL. 63, NO. 11, NOVEMBER 1975 1545

Some Cryptographic Techniques for Machine-to- Machine Data Communications

HORST FEISTEL, WILLIAM A. NOTZ, MEMBER, IEEE, AND J. LYNN SMITH

Abstract-Some of the threats to the integrity of multiuser teleprocessing systems and to the data they contain can be countered by the use of cryptography. Stream-generator ciphers are not ideally suited for such an application, thus the use of block ciphers, which have the beneficial property of a strong nonlinear intersymbol dependence, is urged. This property provides the means for automatic error detection, for verifying the authenticity of terminal operators, and for ensuring message integrity. An experimental demonstration system has been constructed to illustrate protection features that can be provided for real applications.

INTRODUCTION

DANGERS to the integrity of data processing systems and to the security of information stored in large centralized data banks under their control are of well-justified concern to many people and have been the subject of much discussion [1], [2]. Physical security is a necessity, but even after this has been provided, such systems are vulnerable to attack by various subtle methods, particularly if they are capable of being operated from remote terminals and if the identity of the terminal operator cannot be verified. The danger is especially great if users are permitted to enter programs written in some low-level language because then a knowledgeable intruder can relatively easily gain control of a system in supervisor state and thereby subvert many of the software protection features. By such craft, information can be stolen, corrupted, or even destroyed, and serious disruptions in the normal operation of data processing systems and data banks could occur, with resulting disaster to any heavily dependent enterprise. The whole subject of protecting a data system from determined attacks is many faceted, and it requires a concerted effort from many directions (see, e.g., [1], [3]-[5]).

As more and better countermeasures are applied to thwart subversion by the more usual methods, intruders will doubtless resort to wiretapping. A passive wiretapper who might monitor both parts of a conversation between an authentic terminal user and a data processor could obtain not only sensitive confidential information but also that user's password, special procedures, and the formats of special commands used to operate the system. Active wiretapping, by which is meant the covert injection of spurious messages onto a communications line, can be done even without the use of a standard terminal, and various kinds of machinery including a tape recorder can be employed to create much mischief. In particular, an active wiretapper can record legitimate messages and (even without reading them) replay them to the system at a later time; at the very least, this could cause confusion and might even result in irremediable perturbations of the data files.

Manuscript received January 15, 1975; revised May 19, 1975.

H. Feistel and W. A. Notz are with the IBM Thomas J. Watson Research Center, Yorktown Heights, N.Y. 10598.

J. L. Smith was with the IBM Thomas J. Watson Research Center, Yorktown Heights, N.Y. He is now with the IBM Systems Communications Division, Kingston, N.Y.

It is rather obvious that the communications link joining two machines such as a terminal and a data processor can be bracketed by a pair of cryptographic devices, one located at the terminal and the other at the data processor, and it is clear that a passive wiretapper, not having the means to decipher, is foiled if messages are always transmitted in the form of cryptograms.

It is less obvious how cryptography can be used to verify the genuineness and currency of all messages and so to foil an active wiretapper. If the cryptographic system in use is time dependent, that is, if some time-varying quantity is used in the production of the cryptogram for a message, then such verification is an intrinsic property; correct deciphering of a (prerecorded) stale message will normally not occur because the time-varying quantity used to decipher will have changed. But if the cryptographic system is not time dependent, it is natural to suppose that a genuine cryptogram recorded at one time and reinjected into the data system at a later time will be duly deciphered at the destination and be accepted as authentic. Later in this paper, it will be shown how, despite their being meaningfully deciphered, such stale messages can be identified as being spurious and hence be rejected.

Protection of data while in off-line storage can be increased by simply recording the information in the form of cryptograms. This in no way reduces the risk of physical destruction or bulk erasure of information, but the theft of (unreadable) tapes or disks for the purpose of disclosing information to inimical persons is rendered unlikely.

On-line direct-access storage devices can also be cryptographically protected if file-access methods are suitably devised to deal directly with cryptograms, or if the deciphering function can be performed rapidly during file searches so as not to degrade system performance. In any case, arithmetic processing cannot be done on data in the form of cryptograms. Cryptography is by no means a panacea, but it offers powerful support and reinforcement to the other protection features in a system.

This paper does not address the overall problem of protection for a system, but rather points out instances where cryptography can be of benefit. In recapitulation, some particular dangers that can be countered are:

1) theft of information by passive wiretapping, including data, users’ passwords, special commands, etc.;

2) illegal entry into a system by the use of stolen passwords, special commands, etc.;

3) injection of spurious messages into a system by an active wiretapper including recordings of the cryptograms for genuine messages, whose meaning may be unknown to an intruder;

4) disclosure of information by theft of removable secondary-storage devices.

ELEMENTS OF THE CRYPTOGRAPHIC SYSTEMS

All cryptographic transformations [6]-[8] can be regarded as substitutions, whereby information in intelligible form (cleartext) is replaced by the same information in unintelligible form (ciphertext). A cipher is a transformation carried out at the individual-symbol level according to a well-defined algorithm and can be applied routinely to any information whatsoever. On the other hand, a cryptographic code is semantic in character, being a collection of preagreed substitutions for words and phrases (compiled preferably in some nonsystematic way) applicable only to information represented by entries in a code book. The use of codes in this sense is not considered further in this paper.

A popular cryptographic technique is bit-by-bit substitution, for which there is generated a pseudorandom stream of binary digits to be combined with the binary digits of the cleartext by an easily reversible operation such as mod-2 addition [3], [9], [10]. Deciphering consists merely in generating the identical pseudorandom stream and performing the inverse operation on the ciphertext. This stream cipher technique is simple in concept and can be performed at high speeds. Being essentially time dependent, such cipher systems have the intrinsic capability of verifying the authenticity of messages as mentioned in the introduction, but they also have some inherent properties that restrict their practicality in a multiuser teleprocessing environment. Some of these are as follows.

1) Stream ciphers are inherently synchronous in the sense that identical portions of identical streams must be used at both transmitter and receiver; synchronism in the literal sense, in real time, is required if the streams are generated continuously. Loss of synchronism by even one bit (or one increment of time) results in the total loss of deciphering capability, and synchronism must be restored by a special procedure. If a data processor accommodates many users requiring mutual privacy, then as many distinct pairs of streams must be maintained in synchronism.

2) A pseudorandom stream generated by a fixed-key transformation of some recurrent input (such as the binary count of message bits) or by any of the well-known arithmetic algorithms is bound to be cyclic. Because reuse of any cyclically repeating stream is a serious cryptographic weakness, the stream generator must be somehow altered or "reseeded" at the conclusion of any cycle in order that the same stream not be reproduced. Again, if there are many users requiring mutual privacy, then as many ever-different pairs of streams must be maintained.

3) As is almost invariably done for ease of reversibility, the pseudorandom stream and the cleartext are combined bit by bit by mod-2 addition, and consequently, there is no intersymbol dependence. An error in one bit of the ciphertext affects nothing more than the corresponding bit of deciphered cleartext. For some applications which utilize noisy communication channels and in which messages have a high degree of redundancy with a high tolerance for errors, this can be a distinct advantage (for example, digitized voice communications) in that errors are neither multiplied nor dispersed but remain easily recognizable. In the present environment characterized by little redundancy in messages and little tolerance for errors, however, the lack of intersymbol dependence is no advantage, and it fails to offer a ready means for automatic and virtually certain error detection. (This matter is discussed further in a later section of the paper.)
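As an added illustration of the three properties just listed (example code, not from the paper), the Python below builds a keystream from a fixed-key recurrence, a 16-bit linear feedback shift register constructed for this example, and combines it with a constructed message by mod-2 addition. It measures the generator's period (property 2: the stream is cyclic and must be reseeded before it repeats), shows that a receiver one bit out of step deciphers garbage (property 1), and shows that a single ciphertext bit error changes exactly one cleartext bit and nothing else (property 3). The generator, seed and message are the example's own assumptions.

```python
# Added example: stream-cipher properties on a constructed 16-bit LFSR keystream.
from typing import List


def lfsr_step(state: int) -> int:
    """One step of a 16-bit Fibonacci LFSR, taps x^16 + x^14 + x^13 + x^11 + 1 (maximal length)."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return ((state >> 1) | (bit << 15)) & 0xFFFF


def keystream(seed: int, nbits: int, skip: int = 0) -> List[int]:
    """nbits of keystream; `skip` models a receiver that has fallen that many bits out of step."""
    state = seed & 0xFFFF
    for _ in range(skip):
        state = lfsr_step(state)
    out = []
    for _ in range(nbits):
        out.append(state & 1)
        state = lfsr_step(state)
    return out


def period(seed: int) -> int:
    """Number of steps before the generator state repeats: the stream's cycle length."""
    start = seed & 0xFFFF
    if start == 0:
        return 1  # the all-zero state is a fixed point: a degenerate seed
    state, count = lfsr_step(start), 1
    while state != start:
        state, count = lfsr_step(state), count + 1
    return count


def text_to_bits(s: str) -> List[int]:
    return [(b >> i) & 1 for b in s.encode() for i in range(7, -1, -1)]


def bits_to_text(bits: List[int]) -> str:
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def xor(a: List[int], b: List[int]) -> List[int]:
    """Mod-2 addition, bit by bit: the same operation enciphers and deciphers."""
    return [x ^ y for x, y in zip(a, b)]


def differing_bits(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


SEED = 0xACE1                     # constructed key (seed) for the example
PLAIN = text_to_bits("PAY 100")   # constructed 56-bit message


def single_bit_error() -> int:
    """Property 3: one flipped ciphertext bit changes exactly one deciphered bit."""
    cipher = xor(PLAIN, keystream(SEED, len(PLAIN)))
    cipher[10] ^= 1  # transmission error in one bit
    return differing_bits(PLAIN, xor(cipher, keystream(SEED, len(PLAIN))))


def lost_sync() -> int:
    """Property 1: a receiver one bit behind deciphers garbage until resynchronized."""
    cipher = xor(PLAIN, keystream(SEED, len(PLAIN)))
    return differing_bits(PLAIN, xor(cipher, keystream(SEED, len(PLAIN), skip=1)))


if __name__ == "__main__":
    print("generator period:", period(SEED))
    print("cleartext bits hit by one ciphertext bit error:", single_bit_error())
    print("cleartext bits wrong after a one-bit slip:", lost_sync())
```

The one-bit error leaves the other 55 bits intact, which is why a stream cipher by itself offers no error detection; the one-bit slip, by contrast, destroys the message until the special resynchronizing procedure is run.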

Fig. 1. General n-bit-to-n-bit block substitution S (here shown for n = 4, connected to produce a particular nonsingular transformation). [Figure: 4-bit input to a 4-bit decoder, whose 2^4 output lines are connected to a 2^4-line encoder producing the 4-bit output.]

In contrast to the bit-by-bit substitution technique is the block substitution or block cipher technique [11] in which the substitution is for a large-size group of digits of the cleartext treated as a whole. If there are n bits of information in a text block, then the substitute ciphertext block must contain at least n bits, and it is usually made to contain exactly n. The number of different blocks of n bits is 2^n, and all such substitutions may be regarded as mappings within this set of blocks. If a mapping for the 2^n different blocks is reversible, it is said to be nonsingular, and there exists a one-to-one correspondence between each block of the set considered as cleartext and some block of the set considered as ciphertext. The following examples for n = 2 illustrate this quality of reversibility, and the lack thereof:

Reversible Mapping            Irreversible Mapping
cleartext   ciphertext        cleartext   ciphertext
00 11 00 11 01 10
11 01 10 00

It should be noted that transformations containing singularities are irreversible in principle, and if the argument block is nonredundant, there is a loss of information. Such transformations may, however, be applied in a special way to practical cipher systems as will be described later.

The total number of different n-bit-to-n-bit transformations is (2^n)^(2^n), while the number of different nonsingular transformations is 2^n!. A device which can perform any n-bit-to-n-bit transformation is exemplified in Fig. 1; this comprises an address decoder producing a signal on one of 2^n points, and an encoder having 2^n input points to which the decoder outputs are (variably) connected, producing a different n-bit encoded output for each energized input. The variable connectivity of the two sets of 2^n internal points of this device is at any time in accordance with the particular bit pattern of an arbitrary cipher key. The device is completely general, and any conceivable n-to-n transformation can be produced by an appropriate specification of interconnections of the internal points (not necessarily one to one). Any one of the 2^n! reversible nonsingular transformations can be produced by an appropriate set of one-to-one interconnections of the internal points, as shown in the figure. In practice, some subset of all the possible transformations would be provided, and if reversibility is required, this would consist of complementary nonsingular pairs.

Because the number of logic elements needed to implement this most general cipher system increases at a great rate with the size of the block, the system cannot be realized except when n is small. If n is no larger than 5 or 6, such a device having a small number of transformation choices can be constructed, but so small a system is equivalent to the classical "simple substitution" cipher for alphabetic characters, which is a notoriously weak system. This weakness stems not from the fact of its being simple in intrinsic structure, but rather from the smallness of the block size. If n is large, of order 100, then complete cataloging of all possible blocks and analyses of their frequency distributions are clearly infeasible.

Fig. 2. Alternation-product block-cipher system for n = 16 (heavy arrows show avalanche of changes caused by single input change). [Figure: alternating layers of S boxes, controlled by digits of the cipher key, and P wire crossings; the two 16-bit rows printed with the figure read 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 and 1 0 1 0 1 1 1 0 0 0 0 0 1 0 1 0.]

What is needed is an approximation to this ideal block-cipher system for large n, built up out of components that are easily realizable. This can be attained by utilizing the concept of a product cipher, which is the performing of 2 or more basic ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. The use of a product cipher is not new; a notable instance of one is the German ADFGVX field cipher used in World War I [6]. Shannon has introduced the notion of a mixing transformation involving products in a somewhat special way, and also the principles of alternating "confusion" and "diffusion" [13].

An example of an alternation-product system for large n that could be realized is shown in Fig. 2 [11]. The size of the block could be of the order of 100 bits, say, but for the purpose of illustration it is here taken to be 16. The boxes labeled P represent fixed bit permutations (simple wire crossings), and each P could be different. Each of the boxes labeled S is a 4-bit device of the sort shown in Fig. 1, capable of providing two transformations, and the transformation produced by each one in each of the various layers is selected by a bit from the cipher key. The transformations chosen by the key bits must all be nonsingular and suitably nonaffine,¹ and they furnish the elements of confusion. The wire-crossing P's furnish the elements of diffusion and create a strong intersymbol dependence over the entire block. The depth of the array (number of alternating layers of S and P) can be made such that every bit of the final result is a very complicated function of every bit of the input block. Fig. 2 also shows schematically the "avalanche" effect caused by one small change in the input block; the heavy arrows denote those places at which the state of the array differs from the state it would have without that initial difference.
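Both requirements on an S box, that it be nonsingular and that it be nonaffine in the sense of footnote 1, can be checked mechanically when n is small. The Python below is an added example, not code from the paper: for a 4-bit substitution table it builds the complementary inverse S^-1 (which exists only when the table is a permutation of the 2^n blocks), computes the set of values Z = S(X) ⊕ S(Y) ⊕ S(X ⊕ Y) over all X and Y (a single value means S is affine), and counts the (2^n)^(2^n) transformations and 2^n! nonsingular transformations of the text. The three tables S_GOOD, S_AFFINE and S_SINGULAR are constructed for the example.

```python
# Added example: nonsingularity and the footnote-1 affine test for n-bit substitutions.
from math import factorial
from typing import List, Optional, Set


def is_nonsingular(table: List[int]) -> bool:
    """A mapping on the 2^n blocks is reversible iff it is a permutation of 0..2^n-1."""
    return sorted(table) == list(range(len(table)))


def invert(table: List[int]) -> Optional[List[int]]:
    """The complementary substitution S^-1, or None if S contains singularities."""
    if not is_nonsingular(table):
        return None
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return inverse


def affine_defect(table: List[int]) -> Set[int]:
    """All values of Z = S(X) ^ S(Y) ^ S(X ^ Y); ^ is modulo-2 vector addition."""
    size = len(table)
    return {table[x] ^ table[y] ^ table[x ^ y] for x in range(size) for y in range(size)}


def is_affine(table: List[int]) -> bool:
    """Footnote 1: S is affine exactly when Z is the same constant for every X and Y."""
    return len(affine_defect(table)) == 1


def transformation_counts(n: int):
    """(all n-bit-to-n-bit transformations, nonsingular ones) = ((2^n)^(2^n), 2^n!)."""
    return (2 ** n) ** (2 ** n), factorial(2 ** n)


# Constructed 4-bit tables (hypothetical values, chosen for this example).
S_GOOD = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
S_AFFINE = [x ^ 0b1011 for x in range(16)]    # reversible, but only a constant added mod 2
S_SINGULAR = [x & 0b0111 for x in range(16)]  # drops the top bit: two inputs share an output


def classify(table: List[int]) -> str:
    """Which of the paper's requirements a table meets."""
    if not is_nonsingular(table):
        return "singular (irreversible, loses information)"
    if is_affine(table):
        return "nonsingular but affine (no confusion)"
    return "nonsingular and nonaffine (Z takes %d distinct values)" % len(affine_defect(table))


if __name__ == "__main__":
    for name, tbl in (("S_GOOD", S_GOOD), ("S_AFFINE", S_AFFINE), ("S_SINGULAR", S_SINGULAR)):
        print(name, "->", classify(tbl))
    print("n = 4: %d transformations, %d of them nonsingular" % transformation_counts(4))
```

Note that S_AFFINE passes the reversibility check and would still be useless as a confusion element: the key-dependent constant it adds can be stripped by the same mod-2 addition, which is exactly what the affine test flags.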

It is rather obvious that, if all the S layers in Fig. 2 are made identical, (and with some qualifications on the structures of the P layers) an equivalent system could be built consisting of only 2 P layers and only 1 S layer, to be operated in an iterative manner with feed-back connections. The number of iterations, or "rounds," would correspond to the number of S layers shown in Fig. 2, and for each iteration, the same set of bits of the cipher key would be used to control the single S layer that is used for each corresponding S layer in the multiple-layer array.

Fig. 3 shows a practical system that could be constructed along these lines. The size of the block is 32 bits, and the 32 cells of data storage are shown as the row of shaded squares. The S layer consists of 8 4-bit nonlinear transformation devices, indicated in the figure as being all different although they could be all alike. Each one is capable of producing a direct transformation S when its key control bit is a 0, and the corresponding inverse transformation S^-1 when the key bit is a 1. Each of the two P layers consists of a direct permutation (PA or PB) for use in enciphering and an inverse permutation (PA^-1 or PB^-1) for use in deciphering. If PA and PB are the same, then the two P layers would be identical.

The cipher key, consisting of an arbitrary set of bits, should be large enough to make its discovery unlikely by chance and infeasible by exhaustive trials. Eight different key bits are used in each round, and a different set of 8 (key byte) is used in succeeding rounds until the key is exhausted. An alternative scheme is to use a key only half as large and to step through the key-byte sequence twice.

For enciphering, the bits of the key are used in true form, and the direct permutations are done. For deciphering, the key bits are used in inverted form, and the key-byte addressing schedule is in the exact reverse order; also, the inverse permutations are employed. It should be obvious that, because the mutual inverses of the P's and S's are provided, the entire iterative process of enciphering is reversible.

There is another way of designing an iterative product-cipher system, in which the permutations P and nonlinear transformations S are not reversed (indeed, the S transformations could even be irreversible). The only fundamental requirement on them is that they be repeatable, that is to say, their arguments must be recoverable unchanged. The general procedure is to have the message block subdivided into a number of segments and (in any round) to let one segment be used as an argument of a transformation function, with the result serving to modify another segment by some reversible convolution operation. From round to round, the segments that take part are chosen on a rotating basis. As an example, let the message block be divided into halves, as shown in Fig. 4, and let the second (lower) half be copied, subjected to any kind and any number of transformations including an S layer and a P layer, and let the result be convolved with the first half by some reversible operation such as mod-2 addition, with the sum replacing the first half. Then let the two halves be transposed, and let the (now modified) first half be copied, transformed in a similar manner, and convolved with the second half by the reversible operation, and so forth, for as many rounds as may be required. In any round, selected bits of the cipher key are used to control some or all of the transformations. The requirement for repeatability makes it obligatory that, during any round, the half block copied out is itself left unmodified.

¹ An affine transformation S has the following defining property: if X and Y are two binary vectors of the same dimension and if S is a transformation of the space of these vectors into itself, and if Z, calculated as Z = S(X) ⊕ S(Y) ⊕ S(X ⊕ Y), evaluates to a constant vector for all X and all Y, then S is affine. (The symbol ⊕ denotes modulo-2 vector addition.) Nonaffine transformations can be found such that Z completely fills the vector space for some X's and some Y's.

Fig. 3. Practical block-cipher system using reversible transformations. [Figure label: key byte (selected for S control).]

Fig. 4. Iterative product-cipher system using unreversed transformations on alternating half blocks. [Figure labels: storage for one half-block; unreversed transformation of a half-block under cipher-key control (including an S layer and a P layer); reversible convolution operation (convolution); transposition.]

The entire process can always be reversed because the effect of any single round can be cancelled by a repetition; as the effect of the last round can be cancelled by simply repeating it (using the same key bits for control and doing the inverse convolution operation), so all of the rounds can be undone. To decipher, the rounds are executed in the reverse order under control of the same cipher key (in true form) but selected in the reversed-round order.

This technique, the conversion of a cleartext block to a ciphertext block by unreversed transformations and convolutions on a rotating segment basis, works under two broad provisos: 1) for any round, the generation of the bits to be convolved with one of the segments must be repeatable, and 2) any modification of the block itself must be reversible. The first proviso requires that the segment copied out be left unaltered after any round, so that any operation on it can be repeated; the second proviso permits addition (with any modulus) for the convolution, but it excludes the logical AND and OR, for example. Also permitted are such self-reversing operations as transposition of bits controlled by bits of the key, and a keyed transposition can be done in lieu of an unconditional transposition.

Fig. 5 is the functional diagram of a practical block cipher system of this kind. In the example, the block size is again 32 bits and the cipher key consists of 64 arbitrarily chosen bits. A message block (cleartext for enciphering or ciphertext for deciphering) is prestored in the data registers, shown as 2 rows of shaded boxes in the figure. There are 5 distinctly different transformations or functions in the system.

1) Keyed Transposition: Each of the 16 pairs of corresponding bits in the upper and lower data registers is transposed or not, depending on the value of the corresponding one of 16 selected key bits.

2) Key Addition: The 16 bits in the lower register are copied out and are added mod 2^16 to 16 selected key bits. (The lower register retains its contents unaltered.)

3) Keyed Nonlinear Transformation: The sum is divided into four 4-bit groups, and each group undergoes one or the other of 2 different nonlinear S transformations determined by the value of the corresponding one of 4 selected key bits.

4) Permutation: The 16 bits resulting from the nonlinear transformations are permuted in some (fixed) arbitrary way to achieve thorough mixing.

5) Convolution: The 16 permuted bits are added mod 2 to the 16 bits in the upper register, and the resultant sums replace the previous contents.

Performing this sequence of functions once constitutes 1 round of the ciphering operation. A complete operation consists of 16 such rounds, and the result is contained in the data registers at the conclusion of the last round which is slightly different from the others in its having an extra keyed transposition at the very end. Within any round, no key bit should ever be used more than once, and from round to round, different sets of key bits are selected for each key-controlled function.

Storage for the 64-bit key can be organized in several different ways. For expository convenience, it is assumed to be a random-access store containing sixteen 4-bit groups with addresses ranging from 0-15. A schedule of addressing these key-bit groups for a complete operation is given in Table I.

Fig. 5. Practical block-cipher system using unreversed transformations on half-block basis. [Figure legend: storage for one bit; modulo-2 addition.]

TABLE I
SCHEDULE OF ACCESSING THE CIPHER KEY FOR THE SYSTEM SHOWN IN FIG. 5

Round   Transposition    Key Addition     S
  1      0  1  2  3      5  6  7  8      4
  2      9 10 11 12     14 15  0  1     13
  3      2  3  4  5      7  8  9 10      6
  4     11 12 13 14      0  1  2  3     15
  5      4  5  6  7      9 10 11 12      8
  6     13 14 15  0      2  3  4  5      1
  7      6  7  8  9     11 12 13 14     10
  8     15  0  1  2      4  5  6  7      3
  9      8  9 10 11     13 14 15  0     12
 10      1  2  3  4      6  7  8  9      5
 11     10 11 12 13     15  0  1  2     14
 12      3  4  5  6      8  9 10 11      7
 13     12 13 14 15      1  2  3  4      0
 14      5  6  7  8     10 11 12 13      9
 15     14 15  0  1      3  4  5  6      2
 16      7  8  9 10     12 13 14 15     11
Extra    0  1  2  3

Note: Table entries are the addresses of 4-bit groups of the key. Addresses in column S are for control bits for nonlinear transformations.

To encipher, the schedule is read line by line starting at the top. The 16 bits for controlling the first transposition are from addresses 0-3. The 4 bits for controlling the first set of nonlinear transformations are from address 4 (column S), and the 16 bits for the first key addition are from addresses 5-8. The process continues in the prescribed manner until the conclusion of the sixteenth round, after which an extra transposition is done, controlled by the bits from addresses 0-3.

To decipher, the schedule is read line by line starting at the bottom. The first transposition is controlled by the key bits from addresses 0-3; the nonlinear transformations are controlled by the bits from address 11, and key bits for addition are furnished from addresses 12-15. The process continues until the top of the table is reached, and an extra transposition is done as before.

It can readily be understood how deciphering is thus accom- plished by executing the rounds in the reverse order. The only functions that modify the data registers are the transpo- sitions and the convolutions, both of which are self-reversing if the same key bits are used to control each pair of corre- sponding steps in enciphering and deciphering. The 2 processes are exact mirror images of one another.

The cipher system here described is exemplary, and versions can readily be devised which handle larger size blocks, use larger size keys, follow different schedules for key-bit selections, or contain other varieties of transformations.
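As an added illustration (not the paper's implementation), the following Python reproduces the addressing rule behind Table I and shows why deciphering is simply enciphering with the schedule read from the bottom when every step is its own inverse. The 64-bit key addressed as sixteen 4-bit groups and the nine-groups-per-round schedule follow the text; the 32-bit block, the pairwise bit swap used as the transposition, and the round function f are assumptions of this example.

```python
# Added example (not the paper's cipher): the Table I key-schedule rule and a
# toy round structure whose steps are all involutions, so that deciphering is
# enciphering with the schedule read from the bottom.  The 32-bit block, the
# pairwise bit swap used as the transposition and the round function f are
# assumptions; the 64-bit key addressed as 16 four-bit groups is the paper's.
GROUPS = 16      # 4-bit groups of the 64-bit key, addresses 0..15
ROUNDS = 16
MASK16 = 0xFFFF


def key_schedule(rounds=ROUNDS):
    """Return [(transposition, s, key_addition), ...], one tuple per round.

    Each round consumes nine consecutive group addresses (mod 16), taking up
    where the previous round stopped: four for the transposition, one for the
    S (control) bits, four for the key addition.  This reproduces Table I:
    round 1 = (0-3, 4, 5-8), round 16 = (7-10, 11, 12-15).
    """
    sched, start = [], 0
    for _ in range(rounds):
        a = [(start + i) % GROUPS for i in range(9)]
        sched.append((tuple(a[0:4]), a[4], tuple(a[5:9])))
        start = (start + 9) % GROUPS
    return sched


def group(key, addr):
    """4-bit group `addr` of a 64-bit key; group 0 is the most significant."""
    return (key >> (4 * (GROUPS - 1 - addr))) & 0xF


def gather(key, addrs):
    """Concatenate the 4-bit groups at `addrs` into one integer."""
    v = 0
    for a in addrs:
        v = (v << 4) | group(key, a)
    return v


def transpose(block, ctrl):
    """Keyed bit permutation: for each set bit i of the 16 control bits, swap
    bit i of the low half with bit i of the high half.  Self-inverse."""
    lo, hi = block & MASK16, block >> 16
    d = (lo ^ hi) & ctrl
    return ((hi ^ d) << 16) | (lo ^ d)


def f(half, s, k):
    """Assumed nonlinear function of one 16-bit half: rotate by the S value,
    add the key bits, then mix nonlinearly.  Its details do not matter for
    reversibility, which comes from XORing the result into the other half."""
    x = ((half << s) | (half >> (16 - s))) & MASK16
    x ^= k
    return (x ^ ((x * x) >> 7) ^ (x & (x >> 5))) & MASK16


def convolve(block, rnd, s, k):
    """One half is modified by f of the other; the halves are not swapped
    (the 'unreversed' arrangement of Fig. 5), so odd and even rounds alternate
    which half is touched.  Self-inverse for fixed rnd, s, k."""
    lo, hi = block & MASK16, block >> 16
    if rnd % 2 == 0:
        hi ^= f(lo, s, k)
    else:
        lo ^= f(hi, s, k)
    return (hi << 16) | lo


def encipher(block, key):
    for rnd, (t, s, ka) in enumerate(key_schedule()):
        block = transpose(block, gather(key, t))
        block = convolve(block, rnd, group(key, s), gather(key, ka))
    return transpose(block, gather(key, (0, 1, 2, 3)))  # extra transposition


def decipher(block, key):
    """The same steps with the schedule read from the bottom up."""
    block = transpose(block, gather(key, (0, 1, 2, 3)))
    for rnd, (t, s, ka) in reversed(list(enumerate(key_schedule()))):
        block = convolve(block, rnd, group(key, s), gather(key, ka))
        block = transpose(block, gather(key, t))
    return block


def round_trip(block, key):
    return decipher(encipher(block, key), key) == block
```

Neither `f` nor its inverse is needed for deciphering: `convolve` XORs f of the untouched half into the other half, so applying it twice with the same key bits restores the block, and `transpose` swaps bit pairs, which is likewise an involution. `decipher` therefore walks the same schedule backwards, exactly as the mirror-image description above says; `round_trip` checks this for any block and key.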

The difficulties mentioned earlier in connection with stream ciphers are largely nonexistent in the use of one of these block-cipher systems. There is a similar need for synchronism to the extent that the delimiting of the various blocks of a message must correspond at the transmitter and receiver. Faulty delimiting is quite as disastrous to correct deciphering as is failure of synchronism in a stream cipher, but, significantly, there is no special resynchronizing procedure required, only a retransmission. The mutual privacy of many users of a teleprocessing system would be achieved simply by furnishing each with a private cipher key, but the same cipher system would be used by all and by the data processor. (It is an underlying assumption that all protection afforded is based not at all on the secrecy of hardware devices or algorithms as such, but only on the secrecy of the individual cipher keys.) A fundamental property of these systems is a strong nonlinear intersymbol dependence, and any corruption of a ciphertext block, even a change of only one bit, will be manifested as drastic effects throughout the entire block after it is deciphered. It can be arranged that these effects are detectable with virtual certainty, and beyond mere error detection, this property provides the basis for authentication.


AUTHENTICATION

There are two essentially different aspects of authentication [11] in the environment of a cryptographically protected time-shared data system having many users. Users dealing with information that needs to be kept private would require terminals equipped with ciphering capability, and each user would possess a private cipher key on some digital storage medium such as a magnetic-stripe card. Cipher keys would never be transmitted on the usual data-communication channels;¹ instead, a copy of each user's key would be kept on file at the data processor for use in an analogous ciphering function. One aspect of authentication is the determination by each of the terminal operator and the data processor that the other is legitimate, and the other aspect is the verification of message integrity, i.e., that all ciphered messages exchanged in a conversation with a terminal are received correctly (error detection) and that all are in true context.

The test for the legitimacy of a user is basically the question: does the user know the password, and does he possess the cipher key corresponding to his purported identity? In the act of "signing on" to the system, the user must state (in the clear) his identity, say, A. The data processor responds by initiating a challenge-reply test (see Fig. 6). The challenge word consists of a group of digits T expressing the date and time of a precision such that it is in every instance unique. A cleartext block is composed containing T and some null pad characters; this is stored for future reference and is then enciphered with the cipher key for A and transmitted to the terminal. Upon its receipt and decipherment at the terminal, the user can determine whether the challenge is current² and, if so, that he is in "live" communication with the data processor. The reply from the terminal must be this very same set of bits T together with the password for A, enciphered with A's cipher key. When this is deciphered at the data processor using the cipher key for A, there must be an exact match between the fields of the challenge and reply that contain T and between the received password and the password on file for A. If these tests succeed, the user will be permitted to continue; if not, he may summarily be denied access to the system.

It is practically impossible for anyone not having the cipher key to produce a ciphertext block that will decipher into the cleartext block containing T and the correct password, and hence this procedure is practically infallible in determining that the user knows the password and possesses the correct key and, equally important, that neither message is a recorded version of some prior legitimate sign-on.

Message authentication is done through the use of redundancy with superencipherment (i.e., enciphered ciphertext) and is performed by a process called block chaining, illustrated in Fig. 6. Here a cleartext message to be enciphered and transmitted from the terminal is shown as being appended to the actual reply to a challenge received from the data processor at sign-on time. T and the password labeled PW are taken together as the first block; this is enciphered to produce ciphertext block C1, which is transmitted. The second block of cleartext is composed of the information field M1 and a portion of the just-transmitted ciphertext block labeled u; this is enciphered to produce the ciphertext block C2, which is transmitted. The process continues in the same manner for as many blocks as make up the whole message. In the lower part of the figure, the ciphertext blocks received at the data processor are shown juxtaposed. These are deciphered in the order received, and the first block yields T and the password PW, which are used to authenticate the user as already described. The second block C2, when deciphered, yields u and M1. Note that this field u must agree bit for bit with the field u of the previous ciphertext block C1. Similarly, C3, when deciphered, produces M2 and b, which must match with b in C2, and so forth.

¹ A more secure method is required, such as by courier or registered mail.

² By "current" is meant that the date is correct and that the data processor's time matches the user's time to within a few seconds, a precision which depends on the relative accuracy of the two clocks and on possible delays in transmitting.

Fig. 6. Authentication by block chaining. (Figure: the challenge T from the data processor is formed into a cleartext block, enciphered as C0 and transmitted to the terminal; at the terminal it is deciphered, and the password PW and the message fields M1, M2, ... are formed into cleartext blocks, each later block carrying an authenticator (u, b, ...) copied from the preceding ciphertext block; these are enciphered as C1, C2, C3, ... and transmitted to the data processor, where they are received, deciphered, and matched against the password and the preceding authenticators.)

For the subsequent message from the data processor, blocks are composed in the same manner, and the first authentication field can again be the current date and time like T, or it could be the authentication field from the last deciphered block (b in the example). It is desirable to make the latter choice for any subsequent message originating at the terminal because usually no real-time clock is automatically accessible there, and because the data processor is thus able to perform an independent check that the last block it transmitted was received at the terminal correctly as well as that the current reply is in context. It is noteworthy that this authentication procedure does not depend on any highly precise synchronism of clocks.
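The sign-on and block-chaining procedure of Fig. 6, as an added example in Python that is not part of the original paper. The block cipher is a stand-in (a four-round Feistel network with HMAC-SHA-256 as round function, not the paper's cipher); the 16-byte block, the 8-byte T, the 8-byte password field, the 4-byte authenticator taken from the start of each preceding ciphertext block, and all keys, passwords and messages are assumptions constructed for the example. It also exercises the replay and single-bit-corruption cases that the chain is meant to catch.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # bytes per block (the experimental system also used 16-byte blocks)
M = 4       # authenticator length in bytes (the paper allows 0 up to half a block)


class AuthError(Exception):
    pass


# Stand-in block cipher (an assumption, not the paper's cipher): a 4-round
# Feistel network whose round function is HMAC-SHA-256 truncated to 8 bytes.
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encipher(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def decipher(key, block):  # the same rounds in reverse order
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def _pad(data):
    return data + b"\x00" * (-len(data) % BLOCK)


def chain_encipher(key, auth, message):
    # First block: auth (T+PW at sign-on, or the carried-over authenticator),
    # then message; later blocks: M bytes of the preceding *ciphertext* block, then message.
    n = BLOCK - len(auth)
    blocks = [encipher(key, _pad(auth + message[:n]))]
    for i in range(n, len(message), BLOCK - M):
        blocks.append(encipher(key, _pad(blocks[-1][:M] + message[i:i + BLOCK - M])))
    return blocks


def chain_decipher(key, auth_len, blocks):
    # Decipher in the order received; each authenticator must agree bit for bit
    # with the preceding ciphertext block.  Returns (first authenticator, message).
    first = decipher(key, blocks[0])
    out = first[auth_len:]
    for prev, c in zip(blocks, blocks[1:]):
        p = decipher(key, c)
        if p[:M] != prev[:M]:
            raise AuthError("authenticator mismatch: corrupted or out of context")
        out += p[M:]
    return first[:auth_len], out.rstrip(b"\x00")


class DataProcessor:
    def __init__(self, users):
        self.users = users  # name -> (cipher key, password): the key and password files
        self.pending = {}   # name -> T of the outstanding challenge, kept for matching
        self.last = {}      # name -> authenticator the next message must start with

    def challenge(self, name, t):  # C0 of Fig. 6: T plus null pad under the user's key
        self.pending[name] = t
        return encipher(self.users[name][0], _pad(t))

    def sign_on(self, name, blocks):  # the first block must decipher to T + PW
        key, pw = self.users[name]
        t = self.pending.pop(name, None)
        auth, msg = chain_decipher(key, BLOCK, blocks)
        if t is None or auth[:8] != t or auth[8:].rstrip(b"\x00") != pw:
            raise AuthError("challenge or password mismatch")
        self.last[name] = blocks[-1][:M]
        return msg


def run_demo():
    """A constructed session for user A; returns what each side concluded."""
    key = hashlib.sha256(b"constructed key of user A").digest()
    pw = b"SESAME"
    dp = DataProcessor({"A": (key, pw)})
    t1 = struct.pack(">Q", 19750115143022)  # constructed date-time, YYYYMMDDhhmmss
    t_seen = decipher(key, dp.challenge("A", t1))[:8]  # terminal reads T; currency check is out of band
    reply = chain_encipher(key, t_seen + pw.ljust(8, b"\x00"), b"DISPLAY RECORD 1234")
    r = {"sign_on": dp.sign_on("A", reply)}
    # Subsequent messages chain from the last ciphertext block the other side sent,
    # so each side can check that the other's message is in context and was received intact.
    answer = chain_encipher(key, dp.last["A"], b"RECORD 1234: SMITH J L, KINGSTON")
    auth, r["answer"] = chain_decipher(key, M, answer)
    r["answer_in_context"] = auth == reply[-1][:M]
    dp.challenge("A", struct.pack(">Q", 19750115150000))  # replaying the old sign-on fails on T
    try:
        dp.sign_on("A", reply)
        r["replay_rejected"] = False
    except AuthError:
        r["replay_rejected"] = True
    bad = list(reply)  # one flipped bit in C2 garbles its whole cleartext, authenticator included
    bad[1] = bad[1][:8] + bytes([bad[1][8] ^ 0x01]) + bad[1][9:]
    try:
        chain_decipher(key, BLOCK, bad)
        r["corruption_detected"] = False
    except AuthError:
        r["corruption_detected"] = True
    return r
```

`run_demo` walks one session for user A: the challenge, the chained sign-on reply (T and PW in C1, the message in C2 and C3), an answer from the data processor that the terminal verifies against the last block it sent, then a replay of the recorded sign-on (rejected on T) and a one-bit change to C2 (rejected on u). The authenticator here is the first M bytes of the preceding ciphertext block; the paper leaves the choice of portion open, and M can be traded against throughput as described in the features below.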

It is quite straightforward for the data processor to conduct a complete authentication check for all messages it receives. It is less convenient but not difficult to make the terminal do likewise; the only additional requirements are storage for two authenticator fields and an identity comparator. But there is little need for automatic checking of authenticators at a terminal for most applications in which messages are subjected to visual inspection and interpretation, because an error in any ciphertext block will garble the entire corresponding cleartext block, hardly escaping notice.

After the initial sign-on procedure has been carried out successfully, the terminal operator would usually suppress the visual display of subsequent authenticator fields for ease of interpretation of messages he receives.

This method of authentication by block chaining is a particularly powerful one and has a number of interesting features.

1) If the initial authenticator (T in the example) is unique as such, the first block of the ciphertext will be unique as such. If the authenticator in each subsequent cleartext block consists of m bits extracted from the preceding ciphertext block, which resembles a string of randomly chosen bits, this authenticator will be unique with probability p very near 1 - 2^-m. Consequently, each subsequent cleartext block and its corresponding ciphertext will be unique with probability at least p, irrespective of the information content, and the probability is p that any fixed message enciphered and transmitted repeatedly will be different each time.

2) Any corruption of a ciphertext block, no matter how much or how little, will result in a "cleartext" block each bit of which has a probability of about one-half of being in error. This means that the probability is p that at least one of the authenticator bits will be in disagreement, and detection can be virtually certain. This is true no matter what the cause: use of the wrong key, accidental ciphering errors, or otherwise undetected transmission errors.

3) A previously recorded legitimate ciphered message replayed to the system could, upon decipherment, be intelligible, but the fact that it is out of context can be detected with virtual certainty (probability p) because the first authenticator will not be the expected one.

4) The length of the authentication fields can be made adjustable from zero to, say, one half of the block size. This is advantageous because authentication is bought at the price of reduced throughput; after sign-on and authentication with 50-percent redundancy, the authenticators could be reduced to one eighth or one sixteenth of the block size, and they could be eliminated altogether if higher throughput is considered to be more important than authentication.

5) The continuous authentication of messages from beginning to end in a conversation between a terminal and a data processor can be done completely automatically, and there need not be any overt indication of it to a terminal operator except when trouble occurs. Any mismatch of authenticator fields detected by the data processor could be followed by a reinitialization of the authentication chain and a request for retransmission of a garbled block. (An error will cause garbling of only the block in which it occurs, and will not propagate to successive blocks.) Persistent mismatches could indicate an imposture, and suitable defensive actions at the data processor could be taken.

IMPLEMENTATION CHOICES

There are many factors to be considered in implementing a cipher system like one of those that have been described. Because terminals seldom contain programmable processing units of a suitable nature, it is appropriate to provide special-purpose hardware devices to perform the ciphering function.

In the cipher systems that have been described, there are functions necessary or, at least, highly desirable that are quite easily and rapidly done in special-purpose hardware but awkwardly done in software with the usual set of machine instructions. Under conditions of heavy traffic of data requiring cryptographic processing, the data processor might become compute bound. This could be prevented in various ways, as by imposing constraints on the cipher system to eliminate the "awkward" functions that require individual bit manipulations, or by the use of another special-purpose hardware device under control of the data processor.

A very important consideration is the interfacing of cryptographic devices to a teleprocessing system, and in particular where such functions are to be located. A noteworthy fact is that cipher systems producing pseudorandom ciphertext will sometimes generate fortuitous "line-control" (actually device-control) characters which, without special provision, will affect the devices responsive to them in unpredictable and deleterious ways. Such trouble caused by chance control characters in ciphertext could be avoided by bracketing just the communication link with a pair of complementary hardware cryptographic devices. This arrangement is undesirable, however, because the cipher keys would be, in effect, terminal keys rather than individual-user keys, and there would be no selection of keys other than that made on the basis of the address to which a message is sent. Thus there would be no protection of information which might be misdirected to a "wrong" terminal. It is far better to make the cipher-key selection on the basis of the individual user, independently of terminal addressing, and to include all intervening devices between a terminal and the data processor under cryptographic protection. For this, it is necessary either to prevent the occurrence of control characters in ciphertext or else to prevent their being so interpreted when they do occur. This provision, called transparency, is a built-in feature in the control disciplines for some terminals. For example, binary synchronous communications (BSC) [14], used in the IBM 2770 and 2780, has a transparent mode of operation in which fortuitous control characters are interpreted as text and not control. Most of the terminals now in use ("start-stop" or asynchronous terminals), however, do not have a transparency feature, and the interfacing of a cryptographic device to one of these should somehow provide it.
Because transmission control units for start-stop lines are not usually equipped with transparency either, the preferable means of affording it in this case is to prevent the occurrence of chance control characters. Before being transmitted, the ciphertext is scanned, and an innocuous flag is prefixed to all accidental control characters, which are then changed to text characters (indigenous flags are themselves flagged). After the ciphertext is received but before it is deciphered, all the flagged characters are reconstituted and the flags removed so as to reproduce the original ciphertext. Genuine control characters are not affected. Having such a transparency feature permits cryptographic protection of information to be maintained all the way between a terminal and storage in a data processor, no matter what devices intervene.
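As an added example (not the paper's code), the flagging procedure just described in Python. The control-character set, the flag byte (an innocuous text character, here EBCDIC '%'), and the change applied to a flagged character (XOR with 0x40) are assumptions chosen so that a changed character can never itself be a control character or a flag; the code checks that property before use, because the scheme is only unambiguous when it holds.

```python
# Added example of the transparency provision for start-stop lines (not the
# paper's code).  Assumptions: the control-character set is a constructed
# subset of EBCDIC BSC control codes, all below 0x40; the flag is the
# innocuous text character EBCDIC '%' (0x6C); a flagged character is changed
# to a text character by XOR with 0x40.
CONTROLS = frozenset({0x01, 0x02, 0x03, 0x10, 0x1F, 0x26, 0x2D, 0x32, 0x37, 0x3D})
#                      SOH   STX   ETX   DLE   ITB   ETB   ENQ   SYN   EOT   NAK
FLAG = 0x6C
MASK = 0x40
STX, ETX = 0x02, 0x03


def check_alphabet():
    """The scheme is unambiguous only if a changed character never looks like
    a control character or a flag; verify that before relying on it."""
    if FLAG in CONTROLS or any(c >= MASK for c in CONTROLS):
        raise ValueError("controls must lie below the mask and must not include the flag")
    changed = {c ^ MASK for c in CONTROLS} | {FLAG ^ MASK}
    if changed & (CONTROLS | {FLAG}):
        raise ValueError("a changed character collides with a control character or the flag")
    return True


def make_transparent(ciphertext):
    """Prefix a flag to every chance control character and change it to a
    text character; indigenous flags are themselves flagged."""
    check_alphabet()
    out = bytearray()
    for b in ciphertext:
        if b in CONTROLS or b == FLAG:
            out += bytes((FLAG, b ^ MASK))
        else:
            out.append(b)
    return bytes(out)


def restore(text):
    """Undo make_transparent: every flag introduces exactly one changed character."""
    out, it = bytearray(), iter(text)
    for b in it:
        if b == FLAG:
            try:
                out.append(next(it) ^ MASK)
            except StopIteration:
                raise ValueError("flag at end of text") from None
        else:
            out.append(b)
    return bytes(out)


def frame(ciphertext):
    """Genuine control characters (here STX/ETX framing) are added after the
    scan and are therefore not affected by it."""
    return bytes([STX]) + make_transparent(ciphertext) + bytes([ETX])


def unframe(line):
    if line[:1] != bytes([STX]) or line[-1:] != bytes([ETX]):
        raise ValueError("bad framing")
    return restore(line[1:-1])


def demo():
    # Constructed 'ciphertext' containing STX, two flags, DLE, NAK and EOT among
    # ordinary bytes, as pseudorandom cipher output may.
    ct = bytes([0x02, 0x6C, 0x47, 0x10, 0x6C, 0x2C, 0xFF, 0x3D, 0x00, 0x37])
    body = make_transparent(ct)
    return {
        "escaped": body,
        "no_controls_in_body": not (set(body) & CONTROLS),
        "round_trip": unframe(frame(ct)) == ct,
    }
```

`frame` adds the genuine STX and ETX after the scan, so they pass untouched, while every chance STX, DLE, NAK or EOT inside the ciphertext (and every chance flag) travels as flag plus text character and is put back by `restore` before deciphering; `demo` runs a constructed ciphertext through both directions and confirms that no control character is left in the transmitted body.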

For hardware implementations, there are balances that must be struck among such factors as the amount of ciphering hardware, the amount of hardware native to the terminal, and processing speed. The processing speed and the amount of buffering must be such that the peak throughput will not be degraded, but the amount of hardware should not be so great as to make the price unattractive. Moreover, the design should be realizable in LSI technology, where the principal limitation is in the number of input-output and interchip connections. All of these considerations indicate the use of a serial-parallel organization for data storage and processing, provided the constraint thereby imposed on the cipher system itself is acceptable. Through the common use of a few hardware devices by many groups of bits (which is the essence of this form of organization), there is an unavoidable loss of flexibility or generality, particularly in the bit permutations.

Fig. 7. Block diagram of the experimental demonstration system. (Figure: the IBM 2770 Data Communication System terminal and other users' terminals connected to the 360/67 data processor.)

The matters of cipher-key storage for an individual user and the means of its entry into the terminal hardware are of no little concern. Users generally will maintain personal custody of their own keys, and the storage medium should be easily portable, rugged, readily concealable, and low cost. Several storage media are available, none of which is eminently satisfactory in all applications. A wallet-size magnetic card has a potentially low unit cost, but a relatively expensive card reader is required at the terminal as well as READ-WRITE internal storage. Individualized plug-in READ-ONLY-store modules require no expensive reader and no internal storage, but the unit cost is considerably more. Bit storage on a punch card requires the use of a card reader, in the form of switch contacts or light-sensitive diodes, which is also relatively expensive. As there is an ambivalence associated with each method of key storage and entry, the choice in any instance depends on factors peculiar to the application.

EXPERIMENTAL DEMONSTRATION SYSTEM

An early version of a block-cipher system which handles messages in blocks of bits under control of a binary cipher key has been implemented in both hardware and software and utilized in an experiment to illustrate the uses of cryptography in a multiuser interactive teleprocessing system having remote file-access and file-update capability. Fig. 7 is a diagram showing the various components used in the experiment. The terminal is an IBM 2770 Data Communications System using the EBCDIC code and having the transparency feature. The hardware cipher unit has a serial-parallel organization with data-flow paths eight bits wide. It is integrated into the 2770 by being logically interposed between the terminal's buffer storage and the BSC adapter by a straightforward modification of interconnecting cables. Normal operation of the terminal or operation with ciphering capability is selected by a manual-switch setting. The terminal communicates with a 360/67 data processor through a dial-up telephone connection and through an IBM 2703 transmission control unit. The data processor operates under the supervision of a time-sharing control program, and the experimental activities are carried out in a virtual-machine environment under the Cambridge Monitor System [15]. The demonstration system itself is managed by a PL/I control program, which can call the ciphering program and a telecommunications program conversant with the 2770, both of which are assembly-language subroutines. There are three files accessible to the control program. These are a password file having an entry for each "legitimate user," a key file containing a set of assigned cipher keys, one for each user, and a personnel file, which is the data base used for the experiment. This file is actually a copy of a telephone directory containing the usual innocuous information, but each file record includes one field which is treated specially, and it may contain information of a sensitive and private nature.

Several notable features are incorporated in this experimental system that are illustrative of what might be provided in a real application. In some cases, as indicated, the procedures actually followed are simplified for the sake of demonstration.

1) Messages can be exchanged between the terminal and the data processor either in cipher or in clear, as might be required in some real application. For transmitting from the terminal, this choice is made by a manual-switch setting on the ciphering unit; for transmitting from the data processor, the choice is made by a prior command issued from the terminal. (Depending on the application, this choice might be made by a terminal command, or it might be made by the control program itself.)

Ciphertext must always be transmitted in transparent mode for the reason already given; furthermore, cleartext is always transmitted in nontransparent mode. This affords a simple means for automatically distinguishing cleartext and ciphertext at the receiver. The BSC operational discipline includes furnishing a prefix and suffix for unambiguous indication of transparent text, and the prefix and suffix govern a control signal produced at the receiver which is used to enable the deciphering function. In this way a transmitter's enciphering has remote control over a receiver's deciphering.

2) The verification of a user's authenticity is based on his knowledge of a password entered at the time of sign-on and on his possession of the cipher key that corresponds to that password. This test, as well as the subsequent verification of message integrity, is carried out by the matching of authenticator fields as previously described. At the terminal's ciphering unit, the length of the authenticator is determined by a manual-switch setting; at the data processor, this length is initially fixed, modifiable within limits by a command issued from the terminal. The transferring of authenticator fields from the ciphering unit to the terminal's buffer storage (and hence their consequent display on an output device) may be optionally suppressed by a manual-switch setting. This in no way affects any other aspect of authentication.

In a real application, mismatches of the authenticators could prompt various defensive actions on the part of the data processor, appropriate to the particular circumstances and the application needs. For this experiment, such events are merely recognized, and a tally is kept of their occurrences.

As a direct result of the way in which the authenticator fields are managed, ciphertexts for the same information trans- mitted repeatedly are apparently uncorrelated.

3) The importance of cipher-key management for a real application cannot be overemphasized because cryptographic protection depends ultimately on keeping the keys secret. Usually, there would be two copies of every user's key, one kept by him and the other in a file at the data processor.³ Safeguarding of the user's copy is incumbent on him, but under certain circumstances in which the disclosure of a key by loss, theft, or other malfeasance would be disastrous, a special protection feature is available. In the experimental system, the hardware ciphering unit has the ability to accept cipher keys read consecutively from more than one magnetic card and to form their mod-2 sum. Thus the actual cipher key used would not be stored on any one person's card; the loss of one would be temporarily disabling, but the actual key will not have been disclosed.

4) A feature included for demonstration is the protection from disclosure of highly sensitive information to all persons not having the need to know, including even the on-site system operators who have the means to examine and to obtain in bulk any and all portions of the contents of a data-processing system. This technique consists in storing the information to be so protected in ciphertext form, ciphered by means of a special private key, and in not providing a copy of that key to be kept on file in the data processor. This kind of protection permits the sharing of common files for the storage and retrieval of different kinds of sensitive information by different users having diverse interests, with a guarantee of mutual exclusivity. As an example, consider a personnel file, each record of which consists of some fields in cleartext form, some fields containing (for example) salary information stored in cipher form under a special "salary" key, other fields containing medical information stored in cipher form under a special "medical" key, and so forth. Payroll officers having the need to know would be equipped with the salary key and staff physicians would have the medical key. Retrieval of records is carried out in the normal way on the basis of the cleartext information, and a special command issued from a terminal causes these records to be transmitted in their actual stored form in transparent mode. At the terminal, such messages will accordingly be deciphered, and all fields will be unintelligible except those that had been enciphered with the special key in use. Updating of these protected fields can be done by transmitting (in transparent mode) fresh information in cipher form under the special key, preceded by a special command to temporarily disable the data processor's deciphering function.

If internal processing of these protected fields is required, copies of the special key would have to be kept on file in the data processor; otherwise these keys would nowhere be duplicated.

³ But see 4).

TABLE II
COST AND PERFORMANCE OF EXPERIMENTAL CIPHERING IMPLEMENTATIONS

Hardware version (TTL modules)
  Basic ciphering function (data storage, processing, control): about 55 percent
  Key storage (mag.-card keys) and interface to 2770: about 45 percent
  Total: about 160 modules
  Time to process one block: 165 microseconds

Software version (bytes of storage)
  Initialization: 157
  Buffers and mask: 236
  Main loop: 156
  Tables: (entry not legible)
  Total: 1316
  Time to process one block: 9 milliseconds

COST AND PERFORMANCE

The hardware device to perform the ciphering function in the experimental demonstration system was implemented in TTL small-scale and medium-scale IC modules. Altogether some 160 modules were used, of which about 55 percent are for the basic ciphering function including data storage, processing, and control, while about 45 percent are for interfacing to the terminal and for internal cipher-key storage (required for magnetic-card keys). The use of large-scale integration suggests itself for product-oriented versions, and it is estimated that such a device could be constructed on 4 LSI chips at a circuit density of about 280 circuits/chip.

Processing speed of the device operating at a 1.5-MHz shifting rate is quite adequate, and the ciphering operation is carried out in about 165 µs.

In the experimental software version of the ciphering function, some 1300 bytes of storage are required for the assembly-language program, tables, and buffers. Execution time on a 360/67 CPU is about 9 ms for one 16-byte block. Tradeoffs can be made between storage requirement and execution time; in this experimental version, roughly two-thirds of the execution time is taken in individual bit manipulations, steps better accomplished through the use of more and larger tables.

Table II contains a summary of costs, in terms of TTL modules and core-storage requirements broken down according to function, and of performance given as the times required to process one message block.

ACKNOWLEDGMENT

The authors wish to thank M. G. Smith, P. E. Green, C. D. Cullum, Jr., and J. P. Cedarholm for stimulation and encouragement provided during the course of this work; B. Tuckerman for many helpful discussions on cryptographic systems; and L. R. Bahl, W. E. Daniels, Jr., D. T. Mainey, and M. J. Miller for consultation and assistance in preparing the software programs, all of the aforenamed being with the IBM Thomas J. Watson Research Center, Yorktown Heights, N.Y.

REFERENCES

[1] H. E. Petersen and R. Turn, "System implications of information privacy," in 1967 SJCC, AFIPS Conf. Proc., vol. 30. Washington, D.C.: Thompson, 1967, pp. 291-300.
[2] The Considerations of Data Security in a Computer Environment, IBM Corporation, White Plains, N.Y., Form 520-2169, 1969.
[3] J. Carroll and P. McLelland, "Fast 'infinite-key' privacy transformation for resource-sharing systems," in 1969 FJCC, AFIPS Conf. Proc., vol. 35. Montvale, N.J.: AFIPS Press, 1969, pp. 223-230.
[4] T. Friedman, "The authorization problem in shared files," IBM Syst. J., vol. 9, pp. 258-280, 1970.
[5] B. Peters, "Security consideration in a multi-programmed computer system," in 1967 SJCC, AFIPS Conf. Proc., vol. 30. Washington, D.C.: Thompson, 1967, pp. 283-286.
[6] D. Kahn, The Codebreakers. New York: Macmillan, 1968.
[7] A. Sinkov, Elementary Cryptanalysis. New York: Random House, 1968.
[8] J. M. Wolfe, A First Course in Cryptanalysis. Brooklyn, N.Y.: Brooklyn College Press. (University Microfilms, Ann Arbor, Mich., revised 1943.)
[9] P. Baran, "On distributed communications," Rand Corp. Rep., Aug. 1964, vol. IX.
[10] R. Skatrud, "A consideration of the application of cryptographic techniques to data processing," in 1969 FJCC, AFIPS Conf. Proc., vol. 35. Montvale, N.J.: AFIPS Press, 1969, pp. 111-117.
[11] H. Feistel, "Cryptographic coding for data-bank privacy," IBM Corp., Yorktown Heights, N.Y., Res. Rep. RC 2827, 1970.
[12] H. Feistel, "Cryptography and computer privacy," Sci. Amer., May 1973.
[13] C. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., vol. 28, pp. 655-715, 1949.
[14] Binary Synchronous Communications, IBM Corp., White Plains, N.Y., SRL Form GA27-3004-2, 1971.
[15] R. Meyer and L. Seawright, "A virtual machine timesharing system," IBM Syst. J., vol. 9, pp. 199-218, 1970.
