CS Communications and Systems : CS-Cipher

by Paul Grosse - July 1999

Introduction

With the explosion onto the Internet of electronic commerce and business together with the increase in use of portable computers, the need to encrypt securely data for certain purposes goes without saying - the complexity of the encryption/decryption algorithm reflecting the technology available at the time; the Romans having used a simple character mapping which was all that was required at the time. In 1976, the US adopted as a federal standard DES, the Data Encryption Standard, developed by IBM but there are two factors holding back its use: the US restrictions on the exporting of cryptography which is seen as munitions; and, the fact that computing power is capable of breaking into DES cipher text by brute force, ie, trying every key until one is found that works.

With computing power doubling approximately every 18 months and DES based products restoring to using the 56 bit DES algorithm twice or three times to increase key length, the search is on to find a replacement that is both global and open. The new algorithm needs to be open so that people can inspect it and test it in order that any vulnerabilities are better understood so that the code may be modified if necessary or that weak keys are avoided. It needs to be global to fit the requirements of e-commerce and e-business and allow the USA and the rest of the world to interact.

CS Communications and Systems, in collaboration with the researchers from the computer laboratory at the Ecole Normale Supérieure (Ulm) has developed and patented a symmetric cipher, CS-Cipher that will take key lengths from 40 to 128 bits, encrypting in blocks of 64 bits of text (8 characters), that will work either as a software or a hardware solution.

Products

CS-Cipher

CS-Cipher is an encryption algorithm developed by CS and the Computers Laboratory of the Ecole Normale Supérieure. CS produce three products that use the CS Cipher: CS-Cipher.40; CS-Cipher Pro; and, CS Cipher Advanced. The encryption algorithm is used as software-only and is used to encrypt files on a workstation so that files are protected over the Internet or in the event of theft of the machine.

CS Cipher.40 is a free download (6.6Mb) from the CS Communications and Systems website and is easy to install and use. Once installed, the user starts key generation by selecting Génération des clés from the Start Menu, inputting his identity and a password. Key generation then takes around 30 seconds on a P200. Keys may be imported or exported using the key manager from the Start Menu - Gestion des certificats - which then allows the user to send and receive encrypted files.

Once key generation has taken place, files may be encrypted and decrypted from the desktop, Windows dialogue boxes such as 'Open File' or from Windows Explorer. The user right-clicks on a file and selects CS-CIPHER.40 and then Chiffrer from the menu. The user is then given a choice of encrypting the file with the key from a number of recipients or leaving the recipient part of the form blank - doing the latter, encrypts with the user's key and allows files to be kept securely on the user's machine. When a file is encrypted, a file with the same name but with a '.cip' extension appears in the same sub-directory - this being the encrypted file. It is important not to send the plain-text version of the file over the Internet by mistake.

File decryption is a simple reverse of the process, selecting Déchiffrer from the CS-CIPHER.40 menu and then inputting the user's password. A plain-text version of the file is created with the name of the original file and if there is already a file with that name present in the sub-directory, the user is asked whether or not they wish to overwrite it with the new file.

The three versions of CS-Cipher give the user a range of functions all three providing: A local correspondent directory - allowing the user to choose from a list of recipients; X.509v3 certificates - industry standard; RSA-1024 signature algorithm - asymmetric encryption of a message digest; SHA-1 hashing algorithm; the CS-Cipher encryption algorithm; local time stamping; and a session key length of 40 bits.

The Pro and Advanced versions of CS-Cipher allow 56 and 128 bit key lengths along with smart card support but the Advanced version also allows: Browser integration; connection to LDAP X.509v3 Directory and Trusted Time-stamp servers together with the generation of auto-decryptable files and multiple signatures.

How it works

If the user is not expected to meet with the recipient of the cipher-text so that they can exchange keys, the user has to send the keys by a secure route, ie, by making use of public key cryptography. Public key cryptography is quite secure - brute force attacks being the only effective attack and then only if the hacker has access to an inordinate amount of computing power. However, public key cryptography is very expensive in terms of computing power so it makes more sense to use quicker symmetric encryption to encrypt the body of a message and use asymmetric cryptography to encrypt the session keys.

Using this method, the users would disclose their public keys and keep their private keys secure. For a given message exchange, any text that is to be encrypted has a session key generated that is then used to encrypt the text and the public key cryptography (using the public key of the recipient) is used to encrypt the key. The whole message and encrypted session key is then sent to the recipient whose computer then uses the recipients private key to decrypt the session key and then decrypt the message. The sender is reasonably confident that the only way that the message can be read is using the recipient's private key. If a hacker had access to sufficient computing power to be able to break the session key, only that message could be read as session key is different each time and the public/private key-pair was not compromised therefore subsequent messages are as secure as each other.

Asymmetric methods such as RSA and Diffie/Hellman are well established and reasonably secure - supporting key lengths up to 4096 bits (using a brute-force attack on a key of this size would use up all of the energy in the Universe and is therefore reasonably safe). However, decrypting the session key for the symmetrically encrypted body of the message can be bypassed if the key length is too short. A report by Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson, Weiner on Minimal Key Lengths for Symmetric Ciphers suggested that a 40 bit key could be broken in 12 minutes with a budget of only $12,000 (in 1996 - computing power doubles each 18 months and prices fall). CS-Cipher uses a 128 bit key length in a 64 bit block cipher with the shorter keys padded so that the algorithm remains the same thus making manufacture easier. The CS-Cipher algorithm is implemented in the form of software only for the CS's products so far but the algorithm is easily converted into hard-wired VLSI chips.

It works by breaking each block of plain-text into lengths of 64 bits that it then encrypts using the session key. The plain-text is sliced up and shuffled, compared with constants, tables and a series of derived subkeys in a way that is reversible but such that any patterns that where in the original text cannot be detected using cryptanalytical techniques such as differential and linear cryptanalysis.

On a computer processor that uses a program to tell it how to perform, actions such as swapping or rotating bits can take up many clock cycles and, although possible (this is how the software products work) takes a relatively long time when compared to the option of hard-wiring these functions into an application-specific chip. Taking the example of rotating bits to the left, many clock cycles are taken up while this is performed whereas in the hard-wired version, the output of one set of gates is taken where they need to go in the same way as if the operation was not needed. Thus, using a circuit made from simple nand gates 1216 gates are required in 26 layers therefore it takes 24 clock cycles to perform the encryption on a full 64 bits. This number of gates will fit onto a chip with less than 1mm2 which, running at 30MHz gives an encryption/decryption rate of 73Mbps. On a smartcard running at 4MHz, and encryption rate of 19.8kbps, throughputs can be better than with DES. On a 15mm2 chip with approximately 30,000 nand gates throughputs of around 2Gbps are estimated which can be used to encrypt ATM network communications or a PCI bus.

Platforms

Pricing

CS-Cipher.40	free
CS-Cipher Pro and CS-Cipher Advanced	Expected to be around FRF 1,000

Opinion

DES has been around for quite a long time and although some look on this as a reason to replace it, any replacement found is guaranteed not to be as well understood as DES. However, there are two factors going against the continued use of DES: its short key length and the US government's attitude that it should not be exported in any strength that may be considered useful - placing effective key length limitations of 40 and 56 bits or longer in certain circumstances. Encryptions using key lengths greater than 56 bits are made by encrypting with half the key and then the other half (in the case of 112 bit keys) or with each third of the key for 168 bits. However, it could be that under some circumstances, double or triple encryptions using 56 bit key-slices are not necessarily as strong as an encryption using a suitable encryption algorithm that handles properly a key of the same total length.

The NIST has called for a replacement for DES - the AES (Advanced Encryption Standard) - a 128 bit block cipher that supports key lengths of 128, 192 and 256 bits (it is intended that the selection of the algorithm will be open to public debate). It is intended that the AES will specify an unclassified, publicly disclosed encryption algorithm available world-wide, royalty-free that is capable of protecting sensitive government information well into the next century. By getting into the market quickly and establishing CS-Cipher (64 bit block cipher) as a hardware standard as well as a software standard, CS may find that it is in a position to influence the final decision for a 128 bit block cipher

One area of caution is that of using any new algorithm, no matter how carefully it has been designed, as it may have holes in it that have simply not been seen yet. Even SSL (Secure Sockets Layer, the means by which Web Browsers transfer sensitive information over the Internet such as credit card details) has been breached by an adaptive attack because of a weakness in the design. Assuming that the design is reasonably free of holes, the fact that it uses a 64 bit block cipher and a 128 bit key should make it reasonably secure.

The strength of a particular algorithm is not in its speed but in its design. If the only attacks on a particular algorithm take longer than a brute force attack, then that is all that is left - trying out each key to see which one works. The bit-swapping and other processes that are used in the CS-Cipher algorithm eliminate the rhythms and patterns that are evident in plain-text by smoothing them out over the entire block of 64 bits therefore looking for evidence of the cryptanalytical equivalent of spaces, 't's and 'e's becomes unfeasible.

Speed, however, is a double edged sword that allows high productivity on the legitimate user's machine but also allows higher rates of analysis on the unauthorised user's machine. Speed makes the algorithm practical to use, not more secure.

Current computing technology is based upon refinements of the transistor and other semiconductors which has had roughly half a century to influence computing. Currently under development is a way of computing that uses quantum computing on an atomic scale. The ultimate speed limit for processors is the speed of light which places a limit on size for a given speed. However, when the size is on the atomic scale, today's computers - based upon transistors, joined by wires many hundreds of atoms across - would appear sluggish at best. If or when the quantum computer is developed into a feasible machine, Moore's Law - that the power of computers doubles roughly every 18 months - will have an interesting step in it and instead of the recommendations for the lengths of keys resisting brute-force attacks being only 90 bits to remain secure for a reasonable amount of time, we may find that this has to be extended such that 128 bits is on the borderline of secure.

Strengths

• The CS-Cipher algorithm is open to inspection - there are a number of papers published on the subject where it is discussed in detail. Any vulnerabilities that are discovered in it can be corrected or worked around before they become a danger to the user population.
• CS-Cipher does not originate in the US therefore it is not subject to US export license restrictions. To be global in the world of e-commerce and e-business, the encryption technology used must also be available globally.
• CS-Cipher is not subject to US export restrictions as it was developed outside the US. Although we have seen these restrictions slackened recently, they remain and therefore still stand in the way of a true global commercial environment. Businesses in the US have had to watch powerless as potential markets are taken over by non-US companies.

Weaknesses

• CS Cipher cipher-text versions of the files are saved in the same sub-diretory as the plain-text versions. This means that the pain-text version can still be sent out as an attachment to an e-mail by mistake. Although the cipher-text version is resistant to viewing, there is no protection against the wrong file going out therefore some sort of perimeter detection should still be used.
• Although the cipher-text of a file is only around 700 bytes longer than the plain-text, there is no compression therefore redundancy within the plain-text file is not removed. This can be a weakness in terms of the extra time taken and bandwidth used in transferring files as well as making it easier to identify files in a plain-text based attack.
• Currently, CS-Cipher is in French only so for people whose knowledge of the language is less than it should be, the evaluation version CS-Cipher.40 may be a little more difficult to use to start with even though there is a good, HTML based help document with it. However, there are automatic translators on the Internet.

Conclusions

The hardware implementation of CS-Cipher with a throughput of around 2Gbps provides an excellent base upon which encryption of ATM network traffic, Virtual Private networks and other similar applications can be made.

CS Communications and Systems has a well established background in communications and is looking to make CS-Cipher a widely used standard if no the standard used outside the US. By making the algorithm available and supplying working implementations of it on various platforms (CS-Cipher for the MacOS is planned for later 1999), it is ensuring its future as a supplier of IT encryption.

Company Profile

Founded in 1902 by Francis Cumont, the company pioneered in electrical signalling for the railway and subway, concentrating, in the first half of the century in electromechanical devices. Having extended its operations into telecontrollers and telemetry, telecommunications, defence and transport during the fifties and sixties, CS has developed into the expanding computer systems market and now, as CS Communications and Systems (Compagnie des Signaux), specialises in: Computer systems and services (representing 65 percent of sales); Telecommunications equipment (23 percent); and, Security (12 percent).

CS is listed on the Paris stock exchange, has operations in 50 countries and employs 5,000 people. In 1998, it had a turnover of 3.5 billion francs representing an increase of nearly 12 percent over its 1997 figure of just under 3.2 billion francs. CS group includes: CS Télécom; Vérilog; CSTI; Atheso; CS Route; CS Institut; CISI; 3IP; CS Transtec; SC Rand; and, CS Experdata.

At the end of 1998, CS Communications and Systems Group concentrated all of its French business in the field of computer systems and services into a new group within a single company called CS Systèmes d'Information - these include: CISI, CS Integration de Systèmes, 3IP, CS Route, CS Transtec; Athesa and CS Experdata - the other areas being covered by CS Télécom and CS Sécurité.

CS Systèmes d'Information ranks amongst the first five French computer systems and services companies with a consolidated turnover nearing FRF 2.3 billion and employing more than 3,000 people of whom 70 percent are engineers.

CS Systèmes d'Information has operations in Paris and in the French provinces as well as in Europe through its subsidiaries in the UK (Rand), Germany (CAM), Italy (CISI AID) Austria and the Benelux countries. Its offer is targeted at the telecommunications, aeronautics, aerospace, defence, energy, manufacturing, road construction, banking and insurance industries.

The company's product portfolio comprises of: CS-Cipher (symmetric encryption); CS-WebPass/TTP (Smartcard driven authentication for the World-wide Web using HTTP and LDAP); OSCAR (Open Signature and Certification ARchitecture - a European Trusted Services (ETS) project to implement an organisational, legal and technical infrastructure to support secure information exchange). With the growth and availability of the Internet and the realisation by many companies that e-business and e-commerce are the way forward, CS has put itself in a powerful position to take advantage of this market.

In Europe:

CS Systèmes d'Information
88 rue Brillat Savarin
75013 Paris
France
Tel: +33 1 40 78 75 00
Fax: +33 1 40 78 75 58
Email: marc.milan@cssystemes.cie-signaux.fr
WWW: http://www.cie-signaux.fr/

Copyright (c) 1999 P. A. Grosse. All Rights Reserved.

Back to the Internet Security Index

Back to the Index