Chapter 3

KEY GENERATION AND DISTRIBUTION APPROACHES AND ATTACKS

Just as encryption is central to computer security, the generation and sharing of a cryptographic key (sometimes referred to as a password) are central to encryption. Unlike encryption algorithms, which can be difficult to break, the cryptographic key is a central point of attack. A hacker who obtains the cryptographic key for an encrypted file or session has complete access to the information contained therein. Therefore the key (and its handling) must be made as strong as possible. The creation and sharing of strong keys is a critical part of a secure system, and failure to perform either task well can determine the ultimate security of the system.

KEY GENERATION

An ideal key (or “password”) is completely random; it is as large as allowed by the system; and its characters span the entire possible character space, including numbers and special characters. Unfortunately, keys with these characteristics cannot easily be memorized by a user. Cryptographic systems usually place the responsibility for entering the key in the hands of the user. Referred to by some as “something you know,” the concept is that, to the extent that the key is difficult to guess and to the extent that the user keeps the key secret, the system should be secure. Entering complex keys, however, can be taxing for users, especially if they are required to memorize several such keys or change them frequently, as may be required by organizational ...