Lecture Notes in Computer Science 1528
Edited by G. Goos, J. Hartmanis and J. van Leeuwen

Bart Preneel, Vincent Rijmen (Eds.)

State of the Art in Applied Cryptography
Course on Computer Security and Industrial Cryptography
Leuven, Belgium, June 3-6, 1997
Revised Lectures

Springer: Berlin, Heidelberg, New York, Barcelona, Hong Kong, London, Milan, Paris, Singapore, Tokyo

Series Editors
Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornell University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editors
Bart Preneel
Vincent Rijmen
Katholieke Universiteit Leuven
Dept. of Elektrotechniek/ESAT
K. Mercierlaan 94, B-3001 Heverlee, Belgium
E-mail: [email protected], [email protected]

Cataloging-in-Publication data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme
State of the art in applied cryptography: revised lectures / Course on Computer Security and Industrial Cryptography, Leuven, Belgium, June 3-6, 1997. Bart Preneel (ed.). - Berlin; Heidelberg; New York; Barcelona; Hong Kong; London; Milan; Paris; Singapore; Tokyo: Springer, 1998
(Lecture notes in computer science; Vol. 1528)
ISBN 3-540-65474-7

CR Subject Classification (1998): E.3, D.4.6, K.6.5, F.2.1-2, C.2, J.1
ISSN 0302-9743
ISBN 3-540-65474-7 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
© Springer-Verlag Berlin Heidelberg 1998
Printed in Germany
Typesetting: Camera-ready by author
SPIN 10692883 06/3142 - 5 4 3 2 1 0
Printed on acid-free paper

Preface

The Department of Electrical Engineering-ESAT at the Katholieke Universiteit Leuven regularly runs a course on the state of the art and evolution of computer security and industrial cryptography. The first course took place in 1983, the second in 1989, and since then the course has been a biennial event.

The course is intended for both researchers and practitioners from industry and government. It covers the basic principles as well as the most recent developments. Our own interests mean that the course emphasizes cryptography, but we also ensure that the most important topics in computer security are covered. We try to strike a good balance between basic theory and real-life applications, between mathematical background and judicial aspects, and between recent technical developments and standardization issues. Perhaps the greatest strength of the course is the creation of an environment that enables dialogue between people from diverse professions and backgrounds.

In 1993, we published the formal proceedings of the course in the Lecture Notes in Computer Science series (Volume 741). Since the field of cryptography has advanced considerably during the interim period, there is a clear need to publish a new edition. Since 1993, several excellent textbooks and handbooks on cryptology have been published and the need for introductory-level papers has decreased. The growth of the main conferences in cryptology (Eurocrypt, Crypto, and Asiacrypt) shows that interest in the field is increasing. In addition, new conferences have emerged (such as Fast Software Encryption and Information Hiding) which illustrate the expansion of the research. These conferences offer ample opportunity to present new research results.
However, there is still a need for papers presenting an overview of the state of the art in areas that are particularly important for applications, or papers introducing novel areas or applications. We believe that the authors of this volume have done an excellent job in explaining recent developments in a wide range of topics within this exciting area. We thank them for their considerable efforts. We also acknowledge the assistance of all members of our research group COSIC (Computer Security and Industrial Cryptography) in the preparation and running of another successful course.

Finally, we would like to dedicate this book to the memory of Rita De Wolf, who did an outstanding job in organizing our courses, but who was also a valuable friend and colleague.

Leuven, Belgium, 1998
B. Preneel and V. Rijmen

Table of Contents

Trends in the Fight Against Computer-Related Delinquency .......... 1
Bart De Schutter

Block Ciphers — A Survey .......... 18
Lars R. Knudsen

Cryptographic Primitives for Information Authentication — State of the Art .......... 49
Bart Preneel

Recent Developments in the Design of Conventional Cryptographic Algorithms .......... 105
Bart Preneel, Vincent Rijmen, Antoon Bosselaers

Elliptic Curve Public-Key Cryptosystems — An Introduction .......... 131
Erik De Win, Bart Preneel

Key Management Techniques .......... 142
Walter Fumy

Security of Computer Networks .......... 163
Jan Verschuren

Internet Security Protocols .......... 186
Walter Fumy

Securing Internet Electronic Mail .......... 209
Mark Vandenwauver, Frank Jorissen

GSM: Security, Services and the SIM .......... 224
Klaus Vedder

TTPs Overview — Concepts and Review of the State of the Art from a Technical Point of View .......... 241
Peter Landrock

Management of Secret Keys: Dynamic Key Handling .......... 264
Joan Daemen

On Solutions to the Key Escrow Problem .......... 277
Mark P. Hoyle, Chris J. Mitchell

Smart Cards — Requirements, Properties and Applications .......... 307
Klaus Vedder, Franz Weikmann

Smart Card Security .......... 332
Ernst Bovenlander

Security Aspects of the Ecash(TM) Payment System .......... 338
Berry Schoenmakers

International Standardisation of IT Security .......... 353
Klaus Vedder

Security Management — The Process .......... 366
David W. Roberts

Introduction to Computer Security .......... 377
Bart De Decker

Author Index .......... 395

Trends in the Fight Against Computer-Related Delinquency

Bart De Schutter
Center for the Interaction between Law and Technology
Vrije Universiteit Brussel

1 The Phenomenon

The grasp of information technology upon almost all societal activities is an indisputable and irreversible fact. Transfer of data, information, knowledge or know-how has, with the technological wave, undergone a profound change in its form, speed and distance coverage. This mutative effect can certainly be beneficial to society in all its components (economic, strategic, intellectual, cultural). It seems, however, that the margin between use and abuse is rather narrow. Even if criminality related to information has always existed, the intervention of the computer, with its above-mentioned characteristics of time, volume and place, leads to the risk of a criminal activity the nature of which might be different from the more classical information crimes. Looking into the phenomenon, its size, frequency and profile, will lead to the necessary conclusion that policies are needed to effectively combat this anti-social behaviour.
In that exercise one encounters a number of difficulties. A first one already concerns the definition of computer delinquency. Depending on the purpose for which it is needed, one can work with a more criminology-oriented definition, describing the deviant pattern from the sociological angle, or may need a more precise terminology when introducing the illegal act as a crime in the penal arena, which then requires precise material and moral elements in the definition. Avoiding the multitude - and the nuances - of definitions of the expert writers [1], there is much merit in the OECD working definition, referring to "any illegal, unethical or unauthorised behaviour relating to the automatic processing and/or the transmission of data" [2], since the answer to computer criminality is not likely to be limited to an exercise of criminal law drafting alone. However, the danger of such an extensive "opening definition" is that it allows a certain overqualification of incidents in which the computer does not play any instrumental role at all. Some demystification and relativisation has to be done to bring the phenomenon back into real proportions, avoiding the sensationalism of its media coverage.

Scarcely a day passes without a newspaper clipping on computer crime or fraud. Television picks up the item and visualizes the "hacking" techniques. The difficulty, however, is to bring those individual findings into some global figures and clear indicators. This seems, often, to be too delicate, if not impossible. There is clear reluctance and unwillingness to communicate incidents. Banks, insurance companies or any other potential victim are not easily communicative on losses incurred through incidents related to their information system.

B. Preneel, V. Rijmen (Eds.): COSIC'97 Course, LNCS 1528, pp. 1-17, 1998. © Springer-Verlag Berlin Heidelberg 1998
Image loss and indirect consequences, such as the trust of the customers or the competitive position, all push towards secrecy and discretion. The simple anonymous transfer of information for statistical purposes to official instances, even international ones, is objected to. The interference of judicial authorities is considered "counter-productive". Many of the incidents come to light through indiscretion, through erroneous behaviour of the criminal himself, or when insurance companies oblige the client to report before refunding any loss. Besides, some countries are more communicative than others [3]. For sure one can state that figures are incomplete, that guesses should be considered with care, and that we only know the tip of the iceberg.

For several years a considerable number of official bodies and professional circles have been showing interest in gathering valuable information. All of it should be read with a critical eye, since under- or overscoring is likely. Nevertheless, the figures are impressive and worth recalling: SRI mentions 100 million $/year in the U.S., while the FBI puts it at two billion dollars [4]. For Europe, an interesting estimate is the one of the Association Internationale pour l'Etude de l'Assurance, which comes up with a loss of six billion dollars for Europe already in 1988. A U.K. survey by the Local Government Audit Inspectorate found that 80 % of 320 interviewed firms had been the victim of a computer fraud [5], while in 1985 four major British banks budgeted £ 85 million against computer frauds.
The French CLUSIF reports a yearly amount of nearly 11 billion FF of voluntary or accidental damaging of information systems [6]. It is not the purpose of this paper to recall the spectacular and classical examples such as the Equity Funding [7] or Security Pacific Bank [8] cases, the Memorial Sloan Kettering Cancer Institute [9], the French ISOVER case [10] or the CLODO activities [11], or many others [12], not to forget the Internet misbehaviours or "cybercrimes" such as pornography, libel or racism [13]; but it may be important to recall that not all incidents are linked to economic interests as such, but may equally concern health, privacy, morality or state strategic survival.

If the overall size of computer abuses is substantially high, though the figures are not foolproof, it has also been shown that these totals concern a limited number of victims. The concentration of the losses upon a few leads to the conclusion that the average gain of such a crime is a hundred times that of the average classical hold-up, while the average time for the discovery of the misbehaviour seems to be counted in years, not in months [14]. To be added to this picture is the great potential of the transborder dimension of information technology, whereby the physical presence of the actors across the border is no longer necessary. The internationalization of this criminality adds a new dimension to the task of society in reacting against this phenomenon.

As to the actors themselves, they seem roughly to fall into two major groups: on the one hand the computer freaks, the youngsters trying to hack systems for fun, competition or challenge; whizkids or wargamers, i.e. "short-pants criminality", not necessarily with a clear criminal intent; on the other hand, wilful criminality by hackers or employees within the system, often highly qualified and technically skilled, often acting from within, abusing the hi-tech and jargon-oriented "state in the state" position of the EDP sector.
In conclusion on the characteristics of the phenomenon one can say that information systems, whether used for simple data storage or retrieval, word processing, business activities, banking, electronic fund transfer, electronic mail,