Introduction
Although the pace of advances in cryptography is accelerating, the payoff in secure applications has not yet been realized [Blaze, Schneier]. In part, this is due to the absence of a viable infrastructure to serve as a basis for secure computing. While progress is being made in this direction [S/WAN, DNSSEC, IPSEC], these efforts may not be acceptable for the most stringent applications, which must rely on end-to-end security to meet their needs.
Our goal in this work is to integrate secure cryptographic mechanisms into an off-the-shelf application. For the application itself, we selected VIC, the MBONE videoconferencing tool [VIC]. While VIC is already capable of encrypting sessions, it is inflexible in its approach, and lacks a reasonable key distribution mechanism. We therefore elected to graft the Generic Security Services Application Program Interface [GSS-API] onto VIC, and extended VIC's Tcl/Tk interface to allow for selection of the cipher and key distribution algorithms.
VIC's native cipher is DES, which, while secure (in our view), suffers from an inadequate key length and is far too slow for this application. So we added three new ciphers to VIC's Tk selection panel. First, we selected a trivial cipher that combines the data stream with a key using exclusive-or (XOR). This cipher offers a baseline for best-case performance of an encrypted video stream. The second cipher we added is RC4 [RC4], which has a reputation for being very fast to compute. The third cipher we elected to incorporate in VIC is an (as yet) little-known stream cipher called VRA [VRA].
VRA is a stream cipher based on a pseudo-random number generator (PRNG). In a nutshell, VRA starts with a few random bits (from a Blum-Micali PRNG), and stretches them into a much longer sequence (using Gabber-Galil expanders and an NP-complete problem). The authors of VRA prove that the resulting bit stream has essential cryptographic properties and passes numerous tests of randomness, including Knuth's multidimensional tests and Marsaglia's Diehard battery of tests. Furthermore, and of utmost importance for our videoconferencing application, VRA is fast: our implementation runs at close to the speed of XORing a constant with the data stream.
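To make the stream-cipher structure sketched above concrete, the following added example (not code from VIC or the VRA project) implements a Blum-Micali generator, the kind of PRNG the text names as VRA's seed source, and XORs its keystream with a data chunk, next to the repeating-key XOR baseline the text describes. The prime, generator and seed values are toy parameters chosen for readability; VRA's expander-based stretching of the seed bits is not reproduced here.

```python
# Added illustration, not the VIC/VRA implementation. Toy parameters:
# p = 1019 is prime and g = 2 generates Z_1019^* (2^509 = -1 mod 1019).

def blum_micali_keystream(seed: int, nbytes: int, p: int = 1019, g: int = 2) -> bytes:
    """Return nbytes of keystream from a Blum-Micali generator.

    State update: x_{i+1} = g^{x_i} mod p.  Each step emits one hard-core
    bit: 1 if x_{i+1} < (p - 1) / 2, else 0.  Eight bits form one byte.
    Assumes p is prime and g is a generator of Z_p^*.
    """
    if not 1 <= seed < p:
        raise ValueError("seed must lie in [1, p-1]")
    half = (p - 1) // 2
    x = seed
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            x = pow(g, x, p)
            byte = (byte << 1) | (1 if x < half else 0)
        out.append(byte)
    return bytes(out)


def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """Combine data with a keystream by XOR; encryption and decryption coincide."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """The baseline cipher from the text: XOR the data with a repeating key.
    A timing reference only; it provides no confidentiality against a
    known-plaintext attacker."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def encrypt_chunk(chunk: bytes, seed: int) -> bytes:
    """Encrypt one chunk of video data under a Blum-Micali keystream."""
    return xor_stream(chunk, blum_micali_keystream(seed, len(chunk)))


def decrypt_chunk(ciphertext: bytes, seed: int) -> bytes:
    return encrypt_chunk(ciphertext, seed)  # XOR is its own inverse


if __name__ == "__main__":
    sample = b"constructed video payload"  # constructed sample input
    print(decrypt_chunk(encrypt_chunk(sample, 123), 123) == sample)
```

The seed plays the role of the session key; with a real-size prime, the per-bit modular exponentiation is what makes a plain Blum-Micali keystream far slower than the XOR baseline, which is the gap VRA's stretching step is meant to close.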
In summary, VRA is blindingly fast and provably secure. We built a GSS-API interface for VRA so that we could use it with our modified VIC. What remains is to provide VIC with a reasonable key distribution algorithm; the LBL version uses out-of-band techniques, e.g., telephone or email.
We chose SK3 [SK3], a smartcard-based adaptation of Leighton-Micali. SK3 stores long-term keys on a secure token, such as a smartcard or PC-card. These keys are shared with a trusted third party, presumably the one that generates the keys and initializes the card. The SK3 protocol generates a session key that can be used by cooperating parties for cryptographic purposes. In our case, we use SK3 to generate session keys for encrypting the videoconferencing data stream.
SK3 was designed to fit the proof framework of Bellare and Rogaway, and is shown (by its authors) to be secure. Because it is smartcard-based, it offers security that is superior to password-based authentication schemes. As with VRA, we built a GSS-API interface for SK3, and use it with VIC. The result is a videoconferencing tool that employs secure hardware, provably secure key distribution, and provably secure end-to-end encryption.
In my talk, I will also describe our smartcard implementation, give copious performance data, discuss future directions of the project, and, if the necessary networking is available, show a demo.
3 June 1997