home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Utilities Professional 1-1500
/
Utilities Professional 1-1500 (1994)(WPD)[!].iso
/
12511500
/
var1368.dms
/
var1368.adf
/
RSRead.Me
< prev
next >
Wrap
Text File
|
1992-09-02
|
41KB
|
687 lines
A DEMONSTRATION of the RSA ENCRYPTION ALGORITHM.
================================================
####################################################
# #
# The author of this demonstration disk is : #
# #
# Mr. N. Hensor #
# 86, Teignmouth Road #
# London NW2 - 4DX #
# #
# THERE ARE SEVERAL INSECURE FEATURES TO THIS #
# PACKAGE. ANYONE WISHING TO PURCHASE THE SECURE #
# VERSION, CONTACT ME AT THE ABOVE ADDRESS BY #
# MAIL IN THE FIRST INSTANCE. #
# #
# I also have a wide range of modules for other #
# cryptographic algorithms available. #
# [In C and assembler (Mororola processors)] #
# and will write new modules as required. #
# #
####################################################
#--------------------------------------------------#
The program on this disk is only suitable for use
on Motorola 68000 processors (Amiga 500/600/1000/2000).
It will not run on 68020 or higher processors. The
program on this disk was completed in 1992 after which
a major rewrite was done on an Amiga 1200. This latest
program makes use of the 68020 long (32bit by 32bit)
multiply(and divide) to a 64bit product, and the bit
manipulation instructions available on the 68020. As
a consequence of this, it is 5.5-7 times faster in
operation. Furthermore a text-compression first stage
to encryption has been introduced which alone speeds
encryption by a factor of 4. Also a new all-assembler
seiving section is included in the prime-finding
section. All in all, the Amiga 1200 system is a much
more practical proposition than the system on this disk.
#--------------------------------------------------#
The Rivest-Shamir-Adleman encryption algorithm is one of several recently
developed techniques for encryption which put immensely secure encryption
within reach of the home computer user.
This software was written starting with the following objectives:
(a) The highest possible level of text security should be made available
to the widest possible market.
(b) Encryption speed considerations should not be allowed to intrude on
questions of encryption quality, but once a scheme had been
decided upon, assembler routines would be used to obtain the best
possible speed.
If you ask the question "What is the ultimate encryption method?", there
is, and never will be, a clear cut answer. However if you draw up a list of
say 10 candidates, then some of them are not suitable for use on
micro-computers. Of the remaining half-dozen which are suitable,
comparisons of security are difficult to arrive at. The RSA algorithm would
be on everyones shortlist and provides immense security.
This algorithm belongs to a class of encryption schemes known as
"Public-Key" encrption schemes. These schemes provide a simple solution to
the age-old problem of key-distribution. The algorithm is particularly
suited to ensure telecommunications security but can also be used for
personal file security. A detailed discussion of the algorithm can be found
in many reference books, but the next section contains a thumb-nail sketch
of the method.
The Theory of the RSA algorithm
===============================
The algorithm makes heavy use of raising integers to an integer power
and then reducing the result using an integer modulus. A brief review of
these operations will now be given. [All numbers are integers from this
point on unless stated otherwise]
Modular Arithmetic
------------------
The result of the operation a mod b is the remainder resulting from
dividing a by b.
Hence:
5 mod 3 = 2
8 mod 4 = 0 etc.
Clearly the result is always in the range 0.......(b-1).
More complex operations can be tackled by evaluating "a" first and then
finding a mod b as above.
Hence:
<7cubed> mod 3 = 7*7*7 mod 3 = 343 mod 3 = 1
The RSA algorithm makes use of the following steps for encryption:
(a) The message is broken into blocks.
(b) The blocks of text are turned into numbers (integers).
(c) Each number is raised to a power {e} (the encryption exponent) and
reduced relative to a modulus {N}.
(d) (optional) The resulting number is changed into text - solely for
the purpose of transmission if a modem or hard copy print-out
is to be used.
The resulting text can be restored to its original state by:
(a) and (b) similar to above.
(c) Each number is raised to a power {d} (the decryption exponent)
and reduced relative to the same modulus {N}.
(d) The resulting number is changed back to text.
The results of these operations depend solely on the 3 numbers {N}, {d}
and {e}. Of these {N} and {e} are published - possibly by use of printed
lists, possibly by use of a mailed floppy disk or any other convenient
means. It is presumed at this point that a potential eavesdropper obtains
copies of these numbers. Hence no security is provided by {N} and {e} and
all security is provided by keeping {d} secret. This number must be kept
locked away and if ever it is suspected that {d} has been compromised, then
a new set of numbers {N}, {e}, {d} found, the new {N}, {e} published and
the new {d} locked away - in short send any potential eavesdropper back to
square 1. There are billions of billions ...........of billions of
satisfactory numbers and this software package enables them to be found.
It might be argued that since {N} and {e} are openly published, then it
might be possible for a potential eavesdropper to obtain a {d} by analysis
of {N} and {e}. This is possible if {N} (which is a product of 2 prime
numbers) can be factorized. Factorization is a well known "hard" numerical
problem which we shall briefly discuss.
Factorization algorithms do exist - they are just not very good. The
best available have run times proportional to a constant raised to a power
of SQRT(n. log(n)) where n is the size of the number to be factorized in
either decimal digits or binary bits. To appreciate the significance of
this formula, let us invent a computer - "the Incredible Mk I" which is
something like a million times faster than anything yet built. Suppose the
Incredible Mk I can factorize a 30-digit number in 1 nanosecond. (light
travels 30cm in 1 nanosecond) Run times can be estimated for larger values
as follows:
Decimal Digits in Number | Hypothetical Factorization Time
=================================================================
30 | 1 nanosecond
40 | 25.1 nanosecond
50 | 371 nanosecond
100 | 0.031 secs
150 | 261 secs
200 | 175 hrs
300 | 12,947 yrs !!
----------------------------------------------------------------
The point of this table is that factorization time climbs so steeply that
any opponent just has to give up at some point. If he can factor 200 digit
composites then use 300 digit composites or 400 digits and so on. All of
this would be academic if it were equally hard to put a suitable composite
together in the first place. In fact your humble Amiga 600 can find
suitable 300-digit composites in about 8 hrs of running time which the most
powerful computer on the planet would take millions of years to split apart.
From the point of view of users, the table is revealing in other ways.
It should be clear that security can be set at any desired level with this
algorithm, in proportion to the risks attendant upon disclosure. If large
sums of money or even life and limb are at risk, then choose an {N} with
upwards of 300 digits and change these parameters regularly. On the other
hand a personal diary might be satisfactory with a 50 digit {N} and not
bother changing at all.
The drawback with choosing very large {N} values is the speed of
encryption. Very roughly the speed of encryption (chars/sec)falls off as
the square of the number of digits in {N}. With an {N} of about 100 digits,
this software encrypts/decrypts at about 2 chars/sec and hence encrypting
a message of 1000 characters with an {N} of 300 digits will take about 1 hr.
Clearly the size of {N} has to be carefully considered before selection.
In the software you will be asked to set a value for the size of {N} in
binary bits. It takes about 3.32 binary bits to represent each decimal digit
and hence if an {N} of 300 digits is desired, this corresponds to about
1000 binary bits.
Getting Started with the Software
=================================
The software package is a collection of modules and movement from module
to module is controlled by the special function keys. F10 is always an exit
key and the lower number keys are used for selections.
At the top level, F1-F3 will be the most used keys. Pressing F3 permits
access to various housekeeping utilities. As a first step press F3 to enter
this Miscellaneous section. A list of the utilities will then appear. Let
us now check that the printer is correctly set up.
This demonstration software package assumes:
(a) The printer is connected to the parallel port.
(b) The printer DIP switches are set to receive English symbols (ISO 4)
and will insert a carriage-return when it receives a new-line(0x0A)
command. The Amiga uses a new-line command on its own as a line
terminator.
(c) This software package requires the printer to act in a similar way
to an old fashioned teletype in that visual access is required to
each line as it is printed. Lasers and inkjets do not permit this
and paper consumption with these will be prodigious. The ideal
printer is a dot-matrix type printing to fanfold paper.
Press now F7 which will transfer any disk-file to the printer after you
have entered the file path-name. If the outcome is not satisfactory, then
the DIP switches on the printer will have to be adjusted and F7 tried again
until success has been obtained.
As a second test of the printer, let us use the silent-screen facility.
In this software package, the message which has to remain secure is always
kept off the VDU. VDU's are insecure in that it is possible to capture the
electromagnetic emissions and reconstitute the display using a nearby
receiver. Even a printer is moderately insecure since cases of shredded
paper being reconstituted have been revealed. However if the printer output
is incinerated and the ash pulverised, then a printer will be secure. By
default, the silent-screen message entry facility (F5) will not echo input
to the printer; it will pass it straight to a disk file
"df0:RSpublic/silent.txt". However it is possible to change this by
altering a global variable in section F1, so press F1 now to enter this
section. The 3 global variables "nRabin", "FileStnData", and "SStoprin" can
now be changed. Press now the following keys in order:
7, <enter>, 1, <enter>, 1, <enter> and then F1 signalling OK.
The significance of these variables will be explained shortly, but for
the moment setting "SStoprin" to 1 will force section F5 to echo your input
line-by-line to the printer. (These variables remain in their set-state
until section F1 is re-entered or until the Amiga is reset). Now we are
ready to enter the silent screen section so press F5. You will be given the
option of exiting the section but press F1 to proceed. (These early-exit
options are included to provide a way out for anyone making a wrong
key-press)
Enter now any line of text. Note that the cursor moves but that no text
appears on the VDU. When you press <enter>, the line is output to the
printer and can be inspected together with a chance to accept/reject it. In
this way a message can be built up line by line until a zero-length line is
input signifying the end of text entry. Before you do this make sure that
1 of your lines contains a "£" sign and check that your printer
correctly reproduces it. If it does not, then your printer DIP switches
will need adjusting until it is set to receive English symbols. When you
have completed line entry, you might re-enter section F7 to examine the
complete text that you have just entered.
Most of the remaining Miscellaneous utilities will be described below,
but section F6 can be described now. The final stage of any secure
communication process requires the destruction of any residual evidence. On
the Amiga, the AmigaDOS command "DELETE" is available to delete files.
Unfortunately, this command leaves the file unchanged - it merely destroys
the linkage system which AmigaDOS requires to find a file and marks the
sectors on which the file is physically stored as "available for storeage".
It is fairly easy to recover a file in this state from a disk and hence the
DELETE command is not secure. Utility F6 performs the following steps:
(a) The number of characters in the file is determined.
(b) The file is overwritten with "U" symbols.
(c) The file is set to zero length.
In this way all information is obliterated. If you inspect your directory
(after F6 has been used) with the AmigaDOS "LIST" command, you will find
that the obliterated file still exists but is marked "empty". This is a
sure indicator that F6 has been used. You might want to use "DELETE" at this
point to remove the stub.
Press now F10 to exit the Miscellaneous section and return to the top
level. Let us now consider the problem of finding prime numbers - the
feedstock of modern cryptology. Section F5 permits direct access to the
prime number seeking software. This section is a stand alone module not
related to the main purpose of the package. it was included for the purpose
of anyone tinkering with prime numbers. However the modules are the same
ones used by F4 and it is easier to get familiar with the prime number
seeking software using F5 rather than F4. So press F5 now. Press F1 to get
past the early-exit check and then start to enter your "job-file". Enter
the following numbers:
250 <enter> 240 <enter> 1 <enter> 1 <enter>
250 <enter> 240 <enter> 2 <enter> 1 <enter>
250 <enter> 240 <enter> 3 <enter> 1 <enter>
Then press F1 to approve your input. This job-file will find one prime
number of each type supported, each of moderate size. (250-240 bits) There
is no point in seeking large primes on this familiarisation tour, since all
that happens is the software takes longer and longer. No further input is
needed so sit back and watch the software work.
The software first of all selects a value for the most significant set
bit between the limits you have specified. This is done using a random
number generator. The second stage is to build up a random number of the
required length, again using the random number generator. This then acts as
a starting point for the search. Blocks of numbers ( 1block = 768
consecutive numbers throughout this package) are now searched for primes.
Searching is a two stage process. the first stage eliminates all numbers
divisible by all the small primes from 2 to 65521 inclusive. When this stage
is complete, there are usuallly about 40 numbers remaining which might still
be prime. The remaining candidates are then tested using Rabin's algorithm.
Rabin's algorithm takes as input 2 numbers:
(a) The candidate number to be tested for primality.
(b) A random integer called a "witness" used in the test.
It has two possible outcomes:
NOT PRIME: If this is returned, then the candidate is DEFINITELY not prime.
PRIME: If this is returned, there is a 75% chance that the number is
prime, and a 25% chance that it is not.
Hence, there is a chance that a candidate is not actually a prime but the
test indicates that it is. In this event, the "witness" is known as a "false
witness". Now this, by itself won't do. However, if we apply the test again
with a new "witness", the chances of finding 2 false witnesses in succession
are 0.25 * 0.25 or 1 chance in 16, and we can carry on finding new
witnesses, testing again and driving down the probability of error by a
further factor of 4. After 10 trials the chances of an error are
approximately 1 in 1 million. The number of Rabin tests to be applied is
held in a variable called nRabin. if you have been following this
introduction in detail, you will recall that we set nRabin to a value of 7
in the Miscellaneous section F1.(This value is too low for serious work, but
is good enough for demonstration purposes.) By default this value is set at
30 which will give very high quality results - many authorities recommend
a value of 20. This test is implemented in assembler for maximum speed.
Returning now to the progress report on screen, each candidate is being
examined in this way until a successful outcome is obtained. When a prime
has been found, it is written to file "df0:RSpublic/prime.data", and the
next item on the job-file started. This output file can be printed out using
Miscellaneous F2 when all tasks are completed.
If you have entered the job-file as above, then the prime.data file will
contain:
(a) 1 simple prime.
(b) 1 RSA-suitable prime.
(c) 1 safe prime.
What do these terms mean? A simple prime is just a prime number. The
first few are 2,3,5,7,11 etc. An RSA-suitable prime is a prime suitable for
use with the RSA algorithm. Recall that {N} is the product of 2 primes
conventionally refered to as {p} and {q} ie N = p * q. When the RSA
algorithm was first published, a method of attacking it was discovered which
although feeble, can be countered by finding a {p} and {q} such that:
p = 2.k'.p' + 1
p' = 2.k''.p''+ 1 ( ditto for q )
Where k' and k'' are small primes and p, p', p'' are large primes. These
recommendations are built into this package. The technique is to find a
simple prime to serve as p'', then try succesive low primes k'' until a
prime p' is found. If you watch the progress report, you will see k''
increase apparently erratically. This occurs because p' is tested with a
seive as a first stage, but this takes place so quickly that no attempt is
made to display the results. When the seive is unable to eliminate the p',
the k'' is displayed and Rabin's test is used on p'. Once a p' has been
found, the cycle is repeated to find a p which will be the RSA-suitable
prime we require. One property of this technique is that the size of p
cannot be precisely controlled since the size of the "k's" is not known in
advance. Later on when you use this module to set up an {N} value for
encryption purposes you will find that the {N} value that is output will be
a few bits different from your input demand, and this is a result of the
technique described above.
A safe-prime was a name used in a text-book discussing problems in
cryptology. I personally don't believe there to be anything "safe" about
them - look upon it as just a label. A safe-prime as defined here is a
prime such that:
p = 2.p' + 1 where p' is a simple-prime
Such primes have (p-1)/2 principal roots, and since there are a lot of
them, it is a simple matter to find one. Such values are needed to set up
the 3 128-bit pseudo-random number generators which provide a source of
random bits for various low-grade tasks in the software. Safe-primes have
a nasty property in that there are very large runs containing none of them.
If your starting point leaves you in such a run, you may prefer to reset
your Amiga rather than wait for it to exit.
The "cycle-time" refered to at the base of the screen is a rough
estimate of the time to make one Rabin test. It is not better than about 10%
or 2 secs whichever is greater. The cycle-time for 250-bit numbers is 8.5sec
and for 750-bit numbers 170secs. Another big influence on total run time, is
the distribution of primes themselves. For 250-bit numbers about 1 number in
173 is a prime and for 750-bit numbers about 1 in 520. Allowing for both
these influences, the total run-time varies in proportion to the cube of
the number of bits set (but with a very wide scatter on individual runs)
This software package can handle numbers of 2024 bits (approx 616
decimal digits) but you will be limited to 2000 bits in section F5.
However, run times for such enormous numbers will be many days or even
weeks.
If you have been working steadily through this introduction, you should
by now be developing a feel for the trade off between speed and security
provided by the RSA algorithm. So by now you will be ready to set up your
own {N}, {e}, {d} numbers. In this text these 3 numbers are called a
station and setting them up called station set-up. In regular computer
parlance, the word station refers to the hardware of a terminal, but in this
report, the word station refers to an individual users numbers. In an office
with say 1 terminal and 20 users, we would say that there were 20 stations.
In setting up a station, we go through the following steps:
(a) Find {p}, {q} - 2 RSA-suitable primes.
(b) Find {N} = p * q.
(c) Find a value called {Phi}.
(d) Find values {d}, {e} which depend upon {Phi}
The values {N}, {d}, {e} have to be saved and the values {p}, {q}. {Phi}
can be discarded. Since we assume that a potential eavesdropper can find out
{N} and {e} without too much trouble, we must be aware that:
If {N}, {e} are known by an eavesdropper, then knowledge of ANY ONE OF
THE VALUES {p}, {q}, or {Phi} DESTROYS THE SECURITY OF THE RSA SCHEME.
Consequently, we must take great care with the disposal of these 3 values.
By default, in this package, these 3 values are not stored on disk,
displayed on the VDU or output to the printer. ie they are only ever
stored in memory and these values can be destroyed by powering the machine
down after station set-up is complete. However, for educational purposes,
it is possible to over-ride this state of affairs by setting flag
"FileStnData" to 1 in Miscellaneous F1. If you have been following this
introduction in detail, you will already have done this - if not set this
flag to 1 now. When this flag is set, all 6 station numbers are written to
file "df0:RSpublic/prime.data" in the order {p}, {q}, {N}, {Phi}, {d}, {e},
and can be copied to the printer using Miscellaneous F2, when the station
set-up is complete.
One final point should be made before we enter the station set-up
section. Setting up a new station destroys the old station parameters on
your disk. Consequently, you must be working with a fresh copy of your disk
so that you retain a copy of your old parameters. This is necessary for the
following reasons:
(i) If you are changing your station numbers regularly as a security
measure, there will always be someone who sends you messages using your
obsolete station values, and you will be unable to decrypt these messages
if your old station values are lost. Incidentally this problem highlights
the need for rigid procedures in distributing station numbers.
(ii) If you are archiving your incoming messages for reference purposes,
these messages must be stored in encrypted form and your old station
numbers will always be needed to read these old messages.
So now armed with a freshly copied disk, we can now set up a new station
so press F4. Before the main work starts the 3 128-bit pseudo-random number
generators used for various low-grade tasks are reset. Each of these is set
up by:
(a) Finding a safe-prime of suitable size as a modulus. (actually the
size is in the range 112-128 bits) This is done automatically using
the old generators.
(b) Finding a multiplier which can be manually input or set
automatically (just press <enter> when prompted). If you input the
multiplier yourself, it will be left or right shifted until it is
of a satisfactory size - in other words your input controls the
most significant bits (they may not be immediately recognisable
since since they may have been bit-shifted). This multiplier
should be a principal root, so it is tested and if it is not a
principal root then (multiplier+1), (multiplier+2) etc are tried
until a principal root is found.
When all 3 generators have been reset, (normally a few minutes only) the
main station numbers are started upon. You will be prompted to input the
number of bits in {N}. This is the key variable which we have discussed
above which dictates security level and speed. For the purpose of this
introductory tour, a value of 350 bits will suffice so enter this now. if
you are coming to this point for real, you must make your own decision,
based on the discussion above.
Three prime-searching displays will now appear, 2 RSA primes and 1
simple prime, in that order.(these are {p}, {q} and {d} being found) After
this you will be asked to input a password. It should be clear from the
discussion above that all security in the RSA scheme relies on {d} being
kept secret, and once it has been revealed all security vanishes. In an
office environment, it is very easy to leave a disk lying about in a
moments carelessness, with the possibility of security being compromised.
If your security problems are severe, then you would have to adopt this
assumption and reset your station. However if your problems are less severe
(ie unlikely to be attracting the interest of national agencies) it would
be beneficial if the {d} value were hidden from an unsophisticated
opponent. The scheme that has been used is:
(a) The {d} value is exclusive-ORed with a random value and scatter
loaded into a large (8k) array of random numbers.
(b) The precise details of this operation are controlled by a password
together with the 128-bit pseudo-random number generator in drawer
"df0:RSprivate".
(c) The password is turned into a number in this process and the
following points about this should be noted.
(i) Upper-case and lower-case letters produce the same bit-patterns
in the number - hence a password of "FRED" will be just as
effective in retrieving {d} as "fred".
(ii) The symbols "g", "G", "w", "W", "0" all produce no set bits in
the number. Hence passwords like "www" produce a number of zero
which would produce a crash.(such passwords are trapped and
refused)
(iii) All symbols on the light-tan keys are active and contribute to
the number, which means that passwords like "A U" produces a
different number from "A U" (different number of spaces)
ie all punctuation symbols have an effect.
It must be emphasised that this system is only a defence against a
"nosey parker" and not to be relied on against a sophisticated opponent.
After your password has been input, the station set-up will take a
further few minutes to complete. Your new station parameters will be in
"df0:RSpublic/Ne1.data" (holds {N}, {e}) and "df0:RSprivate/d1.data"
(hides {d}). Since we have FileStnData set, all six values have been copied
to "df0:RSpublic/prime.data" file and so you can go into Miscellaneous F2
and have them printed out.
At this point the {{N}, {e}} pair need to be circulated to all network
members. In the full system, this is accomplished by copying {N} and {e}
to a seperate disk "RSStation:" using Miscellaneous F4 and posting this to
all members who can add in their own pair, copy it and then pass it on. On
this demonstration system, there is no seperate disk, and using
Miscellaneous F4 adds the {N} {e} pair into a file
"df0:RSstation/Station.data". In order to circulate this, you will have to
use AmigaDOS to copy this file to a spare disk and circulate it in this way.
This demonstration system permits only 2 stations in this file. For users
who are just experimenting with the system, it is not necessary to
circulate your numbers in this way and you can just write messages to
yourself. (ie skip Miscellaneous F4)
Now we are ready to start encrypting messages. The "silent screen"
utility is intended for use when entering secure messages, but any word
processor package will do for demonstration purposes, so prepare a short
message now. the following points should be observed in message
preparation:
(a) The message alphabet is restricted to the light-tan keys on your
Amiga keyboard with the exception of the "#" symbol. This symbol
is transmuted into a "?" symbol. The "£" symbol (0xA3 internally)
is changed to "#" (0x23 internally) on input which is the ISO 4
representation. (For the technical, all symbols 0x20 - 0x7D
inclusive are valid with the single exception above)
(b) The only control characters accepted are <newline> (0x0A) and
carriage-return (0x0D). All other symbols are turned into "?"
symbols at encryption time. In particular the "ESCAPE" character
(0x1B) used by many word-processors and printers to change printer
mode (to "itallic", "bold-on" etc. etc.) is NOT VALID! Hence your
message must exclude ALL PRINT ENHANCEMENT FEATURES.
(c) The two symbols <.s> must not occur together in the file name. as
will be explained below the decryption module searches for the
occurences of <.s> to determine wether an encrypted file has been
signed or not. Hence file-names like <my.script> will cause the
decryption module to fail. (the solution is simple - just rename
your file)
Encryption is a straightforward operation - just press F1 and respond as
prompted. If this is your first entry into this section, do not select
"signing" when requested. If your input file was eg "df1:my.text" then the
encrypted file will be "df1:my.text.e". Four appendages are used in this
software and these are:
<s> - this message has been signed.
<e> - this message has been encrypted.
<d> - this message has been decrypted.
<u> - this message has been un-signed.
thus:
my.text.se has been signed and encrypted.
my.text.e has been encrypted.
my.text.ed has been encrypted and then decrypted.
my.text.sedu has been signed, followed by encryption; then decrypted
and finally unsigned.
Your encrypted file my.text.e can now be printed out using Miscellaneous
section F7. Note that it is a straightforward text-file consisting of
symbols 0-9, A-F, + spaces + newlines and hence is suitable for modem
transmission. You will also notice that the file is roughly 3-times longer
than your original file. This is principally because a homophonic
substitution is used as a first stage in encryption. Details will not be
discussed here. Suffice it to say that this improves security with small or
medium sized {N} values.
Decryption is also straightforward. Just press F2 and respond to the
prompts. You might like to experiment with erroneous passwords to convince
yourself that it is impossible to retrieve {d} successfully without a
correct password. Your decrypted file will be in file "df1:my.text.ed" which
can be printed out and will be identical to your original file. If it is
not then your original text contained non-valid characters whose presense
will be revealed by "?" symbols appearing in strange places.
The procedure above can now be repeated but for a signed-encryption
rather than a plain encryption. The <.se> file that results is about 9
times longer than the original because a double homophonic substitution
has been used. On decryption, the software will test for the <.s> appendage
and conclude that the text needs unsigning to retrieve the plaintext.
A final point about encryption/decryption needs appreciating. As the
software proceeds from stage to stage, it obliterates the input file and
writes the output file to disk. During encryption, this means that your
starting plaintext file will be lost, leaving you with a <.e> or a <.se>
file for your archive - which is correct from the security viewpoint, since
these are the only files that can be safely stored. During decryption, the
<.e> or <.se> file is again obliterated in forming the <.ed> or <.sedu>
file - which is a plaintext file. This causes 2 problems:
(a) If the recipient requires to archive the message, then he must copy
the <.e> or <.se> file to his archive before decryption -
otherwise it will be lost.
(b) The <.ed> or <.sedu> (plaintext) files cannot safely be left on disk.
After inspection (copying to the printer with Miscellaneous F7 -
NOT the VDU) the file must be destroyed by Miscellaneous F6. Note
that Miscellaneous F6 actually overwrites the disk-tracks with
garbage unlike the AmigaDOS DELETE command which just destroys
the links between file and access-system. It is just not possible
to do this file obliteration automatically.
Thats all Folk's! The only section that we have not visited is
Miscellaneous F3, which is not much use until such time as "Station.data"
is part-filled by using F4. Both of these sections are self-evident.
The principal assembler routine at the heart of this software has been
timed at 7 times faster on the Amiga 1200 than on an Amiga 600.(the extra
length of the multiply and divide instructions play a big part in this).
The Amiga 4000 should provide a 4-5 speed gain above an Amiga 1200 and this
would then be a secure terminal able to keep up with most typists.
ADDITIONAL NOTES FOR USERS WITH SEVERE SECURITY PROBLEMS
========================================================
The conventional model of an eavesdropper, is of someone working a
wiretap and rushing off at intervals to hand his offerings to a bespectacled
mathematician sitting at a super-computer terminal who breaks the cipher in
a few moments. Such a scheme has little hope of success against the RSA
algorithm. You might think that the security authorities would give up at
this point. Wrong! They are not in the giving-up business. If one technique
fails, then they will dust off another.
Few things are easier to bug than a personal computer. The only way to be
sure of the contents of a black plastic chip is to slice it open and examine
it with a microscope. Who could say that it doesn't contain a short-range
radio transmitter broadcasting your keystrokes? The following procedures
will be needed to ensure security.
(a) When purchasing your Amiga take Sherlock Holmes' advice and don't go
to the first dealer that springs to mind, nor the second but the third and
then insist on selecting one yourself. Seal all access panels and screws
with epoxy resin. The same procedure is required with your printer and
cable, since these 3 items are the obvious points of attack.
(b) Your {d} value hidden in file "d1.data" must be made secure and the
password made as long and as obscure as possible.
(c) Your station parameters should be changed as often as possible. This
limits damage after attack (b) but is not effective against attack (a).
NOMENCLATURE
============
composite : A non-prime. Hence a composite can be expressed as the product
of at least 2 primes.
encrypt : The process of transforming a message to an unintelligible form.
(see decrypt). In the RSA scheme, the recipients public-key is
needed to accomplish this. Thus if a message has to be
transmitted to say 7 different people, then 7 seperate
encryptions will be needed. Also since the public-keys are not
secret in the RSA scheme, a third-party can use the public-keys to
forge a message.("signing" stops this possibility)
decrypt : The process of transforming an unintelligible message back to an
intelligible state.(see encrypt) In the RSA scheme, the recipients
private-key is needed to accomplish this. The private-key must be
kept secret - all secrecy in the RSA scheme relies on this. In
this implementation the private-key can only be accessed by entry
of a password.
homophonic substitution : A very old technique used originally to destroy
letter frequency information by using multiple alternative
substitutes for common letters. In this implementation, it is used
to increase the "fan-out" as follows. The letter "e" has 13
alternative 8-bit representations chosen at random. This means
that a message "eee" has 13 * 13 * 13 possible representations
when encrypted. This increases the number of possible
ciphertexts well beyond the number of possible messages. This
technique also makes it possible to have spaces and other
punctuation marks in the text (space has 21 representations)
when normal cryptographic practice is to delete them.
key : The information needed to encrypt/decrypt a message. Conventionally
one key does both functions but in the RSA scheme a "public-key" is
used for encryption and a "private-key" for decryption. Public-keys
can be openly distributed to anyone who asks for them without loss of
security.
originator : The person who wishes to transmit a message to a recipient.
private-key : The information needed to decrypt a message. In the RSA
scheme the private-key is a single very-large number refered
to as {d} (for decryption exponent).
public-key : The information needed to encrypt a message. This is
invariably the recipients public-key which may be published
in a document like a telephone directory, but in this
implementation will be found from a disk-file "Station.data".
If you are yourself the recipient (adding to a personal
secure archive) then the public-key will be available in
disk-file "df0:RSpublic/Ne1.data". In the RSA scheme the
public-key consists of 2 very large numbers {N} and {e}.
recipient : The only person who can decrypt an incoming encrypted message.
Equivalently, the person to whom the message is directed.
signing : The process by which an originator identifies a message uniquely
with himself. In the RSA scheme, signing is a similar process to
encryption but using {d} (the private key) as the encryption
exponent rather than {e}. A signed message is not secure by
itself and must be followed immediately by a standard encryption
to make it secure. The resulting signed and encrypted message
can only be decrypted by the intended recipient, who can then be
completely certain of the originators identity. A signed message
cannot be forged by a third party intent on mischief. Futhermore
a recipient receiving instructions involving high-risk to himself
might want to insist on the instructions being signed as proof of
the originators identity. Signing is a very strong concept
cryptographically. There is every hope that it will be accepted
in law shortly as contractually binding. The concept of "signing"
opens up a whole new field of use for cryptology beyond the
obvious secret communication one. Using signed messages, "deals"
or "contracts" can be struck instantly between any two parties
anywhere on the planet without the need for signed and witnessed
documents. An all-electronic contract would consist of a signed
message of proposal and a reply of a signed message of acceptance.
Such all-electronic dealing cannot be forged by a third party and
neither signatory could deny that a deal had been struck at some
future date.
principal-root : A number (a) such that the set of numbers
{<a> mod p, <a*a> mod p, ......<a^(p-1)> mod p } [p prime]
is the set
{1, 2, 3, ........(p-1)} permutated (ie shuffled up).