# A threat is an intentional security breach

A threat is an intentional security breach. A threat determines character of actions, resulting in a loss information of one of its properties.

Classification of threats

Threat - one of key concepts in the field of providing of informative safety.

A threat to the object of informative safety is an aggregate of factors and terms, arising up in the process of co-operation of different objects (their elements) and able to render the negative affecting to concrete object of informative safety. Negative influences differentiate on the character of harm inflicted: by a degree of change of properties of safety object and possibility of liquidation of consequences of threat.

There are a few types of classification of threats informative safety of object; threats divide:

- by source (to its location) - on internal (arise up directly on an object and conditioned co-operating between its elements or subjects) and external (arise up because of its co-operating with external objects);

- by a probability of realization - on potential and real;

- by the sizes of the inflicted harm - on general (harm to object of safety on the whole, rendering the substantial negative affecting terms of its activity), local (affect the conditions of existence of separate elements of safety object) and private (harm for separate properties of elements of object or separate directions of its activity);

- by nature origins - on casual (unconnected with the actions of personnel, state and functioning of object of informative safety, such as refuses, failures and errors in process facilities of automation, natural calamities and other extraordinary circumstances) and intentional (conditioned the ill-intentioned actions of people);

- by nature origins - on natural (or they are yet named by the objective - caused failings systems of informative safety of object, for example, by imperfection of the developed normatively-methodical and organizationally-planned documents, by absence of specialists at a protection etc.) and artificial (they are named yet subjective - conditioned activity of personnel of object of safety, for example, by errors in process, low level of preparation in the questions of protection, ill-intentioned actions or intentions of extraneous persons).

It is possible also to take to the natural threats, for example, natural calamities.

It is possible to take to the artificial threats, for example:

- influence of the strong magnetic fields on magnetic carriers of data;

- careless storage and account of carriers, and also their unclear identification (so, error of data input), careless actions of personnel, resulting in the disclosure of confidential information;

- disclosure, loss of access attributes (passwords, admission etc.);

- entrance in the system in the round of facilities of protection.

Examples of intentional threats:

- masking under an user;

- use of official position;

- rapine of carriers of data and its unauthorized copying;

- dissection of ciphers of cryptographic protection;

- introduction of apparatus and programming book-marks or viruses;

- illegal connecting to the communication line;

- intercept of data.

Intentional threats, in same queue, are divided by 2 kinds:

- passive penetration;

- active penetration.

Types and classification of ciphers

Classification of ciphers is presented on a picture 2.

Picture 2 - Classification of ciphers

Pointers on a picture mean the most meaningful subclasses of ciphers. The dotted lines mean that ciphers can be examined and as a block, and as ciphers of replacement.

Symmetric ciphers utillize the same key for encryption and decryption.

Asymmetrical ciphers are utillized the different keys.

In line ciphers every character is ciphered on a separateness.

At the use of block ciphers, a plaintext is divided by the blocks of the fixed length, each of which is ciphered on a separateness. A size of block to date is 64, 128 or 256 bit.

The ciphers of gamming form the subclass of multialphabetical ciphers. They behave to line ciphers and they are symmetric.

One-way functions

Public-key systems utillize ireversible or one-way functions. A concept of one-way function is the base concept of cryptography with the opened key. One-way function possess such features:

- on the set argument х Х it is easily to calculate the value of this function F(x);

- at the same time, determination х from F(x) is an infeasible task.

In theory х by known value F(x) it is possible to find always, checking up in turn all of possible values of х until the proper value F(x) will not coincide with set. However practically such approach is unrealizable at the considerable dimension of set X.

One-way functions can be compared to the one-sided streets. Easily to reach on such street from a point A to a point B, while it is practically impossible to reach from a point B to the point A. Cipherment examined as direction from A to B. Although we can move in this direction, we are unable to move in retrograde direction – direction of decryption.

easy

x f(x)

with difficultly

Figure 2 – Illustration of one-way function

There is the more strong approach to determination of one-way function:

An one-way function is name the function F(х): X Y, х Х, possessing two properties:

- there is a polynomical algorithm of calculation of values y = F(x);

- there is not a polynomical algorithm of inverting of function F(x) = y.

The algorithm will name polynomical algorithm when an implementation of it is closed no more than after p(n) steps, where n is a size of entrance task, measureable, as a rule, by the amount of characters of text describing this task.

The multitude of classes of one-way functions is generated variety of the systems with the opened key.

Two important requirements are using for an order to guarantee reliable work of the systems with the opened key:

- transformation of the opened message must be irreversible and to eliminate his restoration on the base of the opened key;

- to define the closed key by analysing opened it must be impossible at modern technological level (thus desirably have exact lower estimation of complication of opening of cipher, i.e. amount of operations).

We will notice that until now is not well-proven existence of one-way functions. Use them as basis of asymmetric algorithms of encipherement possibly only until effective algorithms, executing finding of one-way functions for polinomical time, are not found.

The example of candidate on the rank of one-way function is module involution, i.e. function of F(x) є аx mod р, where а is a primitive element of the field of GF(p); р is a large prime number. That this function can be effectively calculated even at the bit of parameters in a few hundred signs, it is possible to show on a next example.

Example. а25 can be calculated by six operations of multiplication (a multiplication will consider operation of raise to square). Number 25 in the binary notation written down as 11001, so that 25 = 24 + 23 + 20.

Therefore: а25 mod р є (а16а8а) mod р є ((((а2 а)2 )2 )2 а) mod р.

The task of calculation of function, reverse module involution, is named the task of the discrete taking the logarithm. To date unknown not a single effective algorithm of calculation of discrete logarithms of large numbers.

An one-wave function as a function of encryption is inapplicable, because, if F(x) is a crypted message of х, nobody, including legal recipient, not able to recover х. Going round this problem is possible by an one-way function with a secret (one-way trapdoor function). Sometimes a term is yet used function with trap.

For example, function Ek: XY, has a reverse function Dk: YX, however it is impossible to know a reverse function only on Ek without knowledge of secret k.

Function Ek: XY, depending on a parameter k and possessing next three properties is named by an one-way function with a secret. There are following properties:

1) at any k there is a polinomical algorithm of calculation of values of Ek(x);

2) at unknown k there is not a polinomical algorithm of inverting of Ek;

3) at known k there is a polinomical algorithm of inverting of Ek;

The function of Ek can be utillized for encrypting of information, and reverse by it function of Dk - for decrypting, because at all х Х justly Dk (Ek(x)) = x.

Implied thus, that, who knows, how information to encrypt, quite not necessarily must know how to decrypt it. Similarly as well as in case with an one-way function, a question about existence of one-way trapdoor function is opened. For practical cryptography a few functions - candidates on the rank of one-way trapdoor function are found. For them the second property is not well-proven, however known it is, that the task of inverting is equivalent the decision of difficult mathematical task.

Application of one-way trapdoor function in cryptography allows:

- to organize an exchange the encrypted messages with the use of the only opened channels of connection, i.e. to turn down the secret channels of connection for a preliminary exchange by the keys;

- to include at dissection of cipher an complicated mathematical problem and the same to increase cipher firmness;

- to decide new cryptographic tasks, different from an encipherement (electronic digital signature and other).

Firmness of most modern asymmetric algorithms is based on mathematical problems which on this stage are an infeasible task:

1) factorization of large numbers (decomposition of large numbers on simple multipliers);

2) the discrete taking the logarithm in the eventual fields (a search of logarithm in the eventual fields);

3) search of roots of algebraic equalizations.

As to date there are not effective algorithms of decision of these tasks or their

decision requires bringing in of large calculable resources or temporal expenses, these mathematical tasks found a wideuse in the construction of asymmetric algorithms.

4 Distributing of the keys

The very important condition of safety of information is a periodic update of key information in the system. Thus both the work keys and master-keys must over fix. In the especially responsible informative systems it is desirable to do the update of key information (session keys) daily. The question of update of key information is closely related to the third element of the keys control - distributing of the keys.

Distributing of the keys is the most responsible process in a management the keys. The followings requirements are produced to its:

- operationability and distributing exactness;

- secrecy of the distributed keys.

Distributing of the keys between the users of computer network will be realized two methods:

1) by the use of one or a few centers of distributing of the keys;

2) by a direct exchange by the session keys between the users of network.

The lack of the first approach consists of that fact: the center of distributing of the keys knows to whom and what keys are up-diffused, and it allows to read all of messages, transferrable on a network. Possible abuses substantially influence on protection. At the second approach a problem consists of that, reliably to certify authenticity of subjects of network.

Authenticity of session of connection must be provided in both cases. It can be carried out, utillizing the mechanism of query - answer or mechanism of mark of time.

Mechanism of query - answer consists in the following. User A plugs in sent message (query) for an user B an unforeseeable element (for example, random number). At an answer user B must execute some operation with this element (for example, to add unit, that it is impossible to carry out beforehand, as unknown, what random number will come in a query. After the receipt of result of actions of user (answer) user A can be sure that a session is authentic.

The mechanism of mark of time supposes fixing of time for every message. It allows every subject of network to define, as far as old coming message, and to reject its, if a doubt will appear in his authenticity. At the use of marks of time it is necessary to set the possible temporal interval of delay.

In both cases for protection of element of control utillize an ncipherement, to carry guarantee, that an answer is sent a not user violator and the rubber stamp of mark of time is not changed.

2 Generation of the keys

Safety of any cryptographic algorithm is determined the in-use cryptographic key. The reliable cryptographic keys must have sufficient length and casual values of bits. In a table 1 lengths of the keys of symmetric and asymmetric cryptosystems, providing identical firmness to the attack of full search (to the attack of "brute force") are led.

Major description of the key is his chance. A presence of regularity in the separate key and in a key array results in lowering of cryptographic firmness of cipher. The use as keys of intelligent words and expressions also results in reduction of order of key set. Search of such keys with the purpose of decryption of cryptosystem is named an attack on a dictionary.

Table 1 - Lengths of the keys of cryptosystem for providing of identical firmness

Length of the key of symmetric cryptosystem (bit) | Length of the key of asymmetric cryptosystem (bit) |

56 | 384 |

64 | 512 |

80 | 768 |

112 | 1792 |

128 | 2304 |

For the receipt of the keys apparatus and programmatic facilities of generation of casual values of the keys are utillized. As a rule, apply the sensors of pseudorandom numbers (PRN). However a degree of chance of generation of numbers must be high. Ideal generators are devices on the basis of "natural" casual processes, for example, on basis white radionoise.

Обозначения на схеме:

In the automated systems with the middle requirements of protection the programmatic generators of the keys, which calculate PRN as a difficult function from current time and (or) number, entered an user, are used.

One of methods of generation of the session key for symmetric cryptosystem described in the standard of ANSI X9.17. He is realized on the basis of one of variants of chart of «triple DES» (it is although possible to apply other symmetric algorithms of encipherement).

2 Digital signature on the basis of El-Gamal cipher

Let’s suppose that addresser intends to sign the document M. He chooses a big simple number p and a number g. These numbers are transferred or stored in open view and they can be common for whole group of users. Addresser choose random number k – secret key, 1< k <p-1, and calculate

Number Y he showed as an open key.

Let’s describe the sequencing for signature constructing. At first the hash-function h(M)=m value is calculated and we choose such random number x, so x<p-1, and number that is coprime with p-1, and next numbers are calculated:

Formed sign message looks like (M, r, s) .

Recipient gets at first the hash-function h(M)=m value and only then verifies the signature authenticity using the equality

If equality executes, signature is authentic.

Example 1.1 Let p = 23; g = 5; k = 7; h(M)=3; x = 5.

Addresser calculates the open key

Proceeds to signature calculating:

Sign message is formed as (M,20,21), and is transferred to the recipient.

Recipient verifies the signature authenticity. At first he calculates hash-function value h(M)=3, and then

Recipient makes conclusion that signature authentic.

Approaches to systems creation of information protection

Вefore to create a concrete system of protection of information (SPI), it is necessary to determine what exactly information is subject of protection, what forces, methods and facilities, for this purpose will be required.

On this account a SPI are created on a method supposing following, cyclic repetitive sequence of executions during of all period of its functioning (Pict. 1).

1. Determination of information, to subject of protection.

2. An exposure of complete great number of potential possible threats and channels of information loss.

3. An estimation of vulnerability and risks of information at the present great number of threats and loss channels.

4. Determination of requirements to protection.

5. Realization of choice of protection facilities and their descriptions.

6. Introduction and employing organization of chosen measures, methods and facilities of protection.

7. Realization of control of integrity and management of protection system.

The indicated sequence of executions is carried out continuously on the exclusive cycle, with a proper analysis of the state of SPI and clarification of requirements to it after every step.

Picture 1 - Continuous cycle of SPI creation

The construction of SPI is always begun with determination of information volume which must be protected. Such estimation on principle is needed and must be on possibility exact, as measures are directed on its protection cost very expensive. It is enough to say that leading firms in countries with a highly developed economy are expending about 20 percents of net profit for protection of production and commercial secrets.

The system of protection must be created simultaneously with creation of enterprise or organization where it will work. It will help to take minimum economic and moral losses in the case of disturbers attack to information. To that purpose security service is created. Tasks of this service are: realization of legal, organizational and technical measures of protection.

Creation of such service must be begun with the economic ground of its creation, because not every organization is in strength to bear expenses on its maintenance.

3 Secret communication systems

Secret communication systems are such transmission systems in which sense of transferrable information hides through cryptographic transformations, but the fact of information transmission is being hidden.

Task of information protection during transmission via its communication channels was first formulated by K. Shennon in September, 1945, and published in open view in 1949 in the technical magazine of Bell System Technical Journal. He offered a secret communication system, which is shown on a Fig. 3.

It is assumed that there are two information generators – source of messages Ті and source of keys Кj on a transmitter side. Thus, for both great numbers Т and К, distributions Р(Т) and Р(К) are set. It means that for any Ті є Т probability р(Ті) є Р(Т) is defined, and for any Кj є К probability р(Кі) є Р(К) is defined and rules are executed:

and .

The key is formed on a side which transfer message with probability of р(Кі), is being transmitted on an opposite side via separate closed communication channel, to which a possible disturber must not have an access. A necessity of such channel is the serious disadvantage of the secret systems, because in networks with the large number of users their implementation requires too large resources.

1 Feistel Network and SPN networks

Distinguish two types of construction of block algorithms of encipherement. One of them is built on the basis of chart (networks) of Feistel. To the number such algorithms belong, for example, a former standard of the USA - the DES algorithm and operating standard of Russia - ГОСТ 28147-89.

Other algorithms are built on appearance and similarity networks of SPN (Substitution-permutation-network). To the number such algorithms the new standard of the USA belongs, for example, - AES.

The most widespread method of construction of iterative block ciphers is a construction which carries the name of Feistel.

Chart of Feistel, or a network of Feistel is a variety of block cipher. At the decryption block of plaintext is divided into two equal parts - right and left. Thus, initial length of block of data must be even. In every loop one of parts is exposed to transformation through the F function and subkey - K1, got from the initial secret key - K. The result of operation is added up on the module 2 (operation of XOR) with other part. Then left and right parts switch places. The general view of one cycle of encipherement algorithm, built on the chart of Feistel, is presented on fig.1.

Transformations to every cycle are identical, but on the last cycle transposition is not executed. Procedure of decryption is analogical procedure of encryption, but the subkeys of Ki get out upside-down. If at encrypyion transposition was executed in the last loop, it is necessary to begin decryption with transposition of left and right part of data block.

Basic advantage of such structure of cipher is that procedures of encryption and decryption coincide, with that exception, that key information at a decryption is utillized upside-down. It allows during physical realization of block cipher to utillize identical blocks in the chains of encryption and decryption.

Lack is that on every iteretion only the half of block of the processed text changes. It results to necessity to increase the number of iteretion for achievement of a required firmness.

Crypanalitical firmness of algorithm of encipherement, built on the chart of Feistel depends from three basic parameters:

- numbers of rounds of cipherement;

- type of F function;

- algorithm of keys calculation.

It was already marked that to the cipherement algorithms, wich built on the Feistel chart are refer such as DES and ГОСТ 28147-89. Besides foregoing algorithms, there is quite a few other such, as, for example Lucifer, FEAL, Khufu, Khafre, LOKI, COST, Blowfish, wich also built on a chart of Feistel. A block algorithm of cipherement, utillizing the described construction, is convertible and guarantees possibility of renewal of input data of F function in every loop.

It is necessary also to mark that dividing of initial cipher by two parts can be transferable a division on four, eight and more than parts. Such algorithms of cipherement are named derivative from the chart of Feistel. Some modern ciphers have such structure. For example, algorithm of cipherement of CAST or algorithm of cipherement of Skipjack closed till recently.

3 General characteristic of DES

DES is a block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key, 56 bits make up the true key, and 8 bits are used for parity.

The DES system utillizes combinations from substitutions and transpositions of characters (numbers) and addition on the module 2.

The comfort of the applied algorithm is that operations of encryption and decryptions in DES are convertible. The generalized chart of process of encipherement in the DES algorithm has a next kind (Fig.3)

Key

Figure 3- The generalized chart of encipherement in the algorithm of DES

The structural chart of algorithm of DES, consisting of 16 steps, is presented on a fig. 4.

Figure 4 - Structural chart of algorithm DES

The algorithm of encipherement is carried out as follows.

From the file of input text the next 64-bit block of T is read. Process his encryption consists of initial transposition, sixteen cycles of encipherement and, finally, in final transposition of blocks.

By the matrix of initial transposition of IP, containing 8 columns and 8 lines transposition of characters of initial block is carried out.

Finishing transformation of algorithm - reverse transposition is carried out by the matrix of reverse transposition.

The 64-bit sequence got after the first transposition is broken up on two 32-bit blocks of L0 and R0 .

Then the iterative process of encipherement, which consists of 16-ti steps, is executed.

Let Ti is a result of i - iteration:

Ti = Li Ri

where Li = t1,t2,…,t32;Ri=t33,t34,…,t64... In this case the result of iteration is described the followings formulas:

Li = Ri-1, i =1,2,…,16;

Ri = Li-1 f (Ri-1, Ki ), i =1,2,…,16;

One cycle of DES-transformation is resulted on a figure 5.

DES works with the 64-bit blocks of plaintext. After primary transposition a block is broken up on right and left halves long for 32 bits. Then 16 transformations (function of F) in which information team up with the key are then executed. After the sixteenth cycle right and left halves unite and an algorithm is completed final transposition (reverse in relation to primary). On every cycle bits of key moved, and then 48 bits get out from 56 bits of the key. The right half of information is increased to 48 bits by transposition with expansion, unites by means of XOR with 48 bits of the displaced and moved key, passes through 8 S-blocks, forming 32 new bits, and moved again. These 4 operations are executed the function of F.

Then the result of function of F unites with a left half by other XOR. In the total these actions a new right half appears, and old right - becomes a new left half. These actions repeat 16 times, forming 16 cycles of DES.

4 Requirements to cryptosystems

1 Knowledge of encryption algorithm must not decrease cryptofirmness. Cryptofirmness of algorithm is based exceptionally on secrecy of the key.

2 A ciphered message must be able to be read only at knowledge of the key.

3 Cipher must be firm even when a disturber knows plenty of input data and cipher information corresponding to it.

4 Number of operations, necessary for deciphering of message by surplus of all of the possible keys must have a strict lower estimation. This number must either go outside the possibilities of modern computers or require creation of the expensive computer systems.

5 Insignificant change of the key or plaintext must cause the substantial change of ciphertext view.

6 Structural elements of encryption algorithm must be unchangable.

7 Length of ciphertext must be equal to length of plaintext.

8 Additional bits, entered in a message in the process of encipherement must be fully and reliably hidden in ciphertext.

9 There must not be simple and easily set dependences between the keys which are utillized in the process of encipherement.

10 Any key from the great number of the possible keys must provide a reliable information protection.

A necessity for storage and transmission of the keys, ciphered by other keys, results in conception of hierarchy of the keys. In the standard of ISO 8532 (Banking-key Management) the method of master/session keys is expounded in detail. Essence of method consists of that is entered hierarchy of the keys: master key (MK), key of cipherement of the keys (KK), key of cipherement of data (KD).

A hierarchy of the keys can be:

- two-level (KK / KD);

- three-level (MK / KK / KD).

A lowermost level are work or session KD, which are utillized for the cipherement of information, personal identification numbers (PIN) and authentification of message. When these keys are necessary to be ciphered for purpose of protection at a transmission or storage, utillize the keys of next level - keys of cipherement of the keys. The keys of cipherement of the keys never must be utillized as session (work) KD, and vice versa.

Such division of functions is needed for providing of maximal protection. A standard sets actually, that the different types of the work keys (for example, for the cipherement of information, for authentification et cetera) must be always ciphered by the different versions of the keys of cipherement of the keys.

In particular, keys the cipherements of the keys, in-use for sending of the keys between two nodes of network, are known also as keys of exchange between the nodes of network (cross domain keys). Usually in a channel two keys are utillized for an exchange between the nodes of network, one by one in every direction. Therefore every node of network will have the key of sending, for an exchange with the nodes of network and key of receipt for every channel, supported other node of network.

At top level of hierarchy of the keys a major key - master-key is disposed. This key is used for the cipherement of KK, when it is required to save them on a disk. Usually only one master-key is utillized in every computer.

Master-key spreads between the participants of exchange by an unelectronic method - at the personal contact, to eliminate his intercept and/or compromising. Opening of value of master - key by an opponent is fully destroys protection of computer.

A value is master-key fixed on great time (to a few weeks or months). Therefore generation and storage master-keys are the critical questions of cryptographic protection. In practice master- key of the computer is created by a random selection from all of possible values of the keys. Master-key is placed in a block which protects it from a read-out and record, and also from mechanical influences. However there must be a method of verification, whether a value of the key is correct.

A problem of authentification of master-key can be decided in various ways. One of methods of authentification is shoed on a figure 2.

Ekn (M)

Result

Figure 2 - Chart of authentification of master-key of khost-computer

An administrator, getting a new value of master-key Kn of khost-computer, ciphers some message M with the key Kn. A pair (a cryptogram and a message M) is placed in memory of computer. Every time, when authentification is required of master-key of khost-computer, message M undertakes from memory and given in the cryptographic system. The got cryptogram is compared to the cryptogram, kept in memory. If they coincide, it is considered that this key is correct.

The work keys (for example, session) are usually created by a pseudo-random generator, and can be kept in an unprotected place. It is possible, as such keys are generated in form the proper cryptograms, i.e. the generator of PRN gives out in place of the key Ks its cryptogram, got with a help master-key of computer. Decryption of such cryptogram is executed only before the use of the key Ks.

? Diffi-Hellman algorithm

Diffi and Hellman have offered for creation of cryptographic systems with an open key function of discrete exponentiation. Below is shown a description of this algorithm.

1. Both subscribers have same prime number P and common mantissa D<(P-1) before communication session start.

2. Every subscriber (1-st и 2-nd) chooses any natural number with conditions 1<X1<(P-1) and 1<X2<(P-1)

3. Every subscriber using own number X calculates and

4. Subscribers change with Y1 и Y2 values between themselves by open channel.

5. Every subscriber calculates session key for ciphering for symmetric algorithm by the next formulas:

Irreversibility of transformation in this case is ensured with next fact: it is enough easy to calculate an exponential function in a final field of Galois consisting of Р elements. (Р - either a prime number, or a prime number in any integer power). Calculation of logarithms in the such fields is much more labour-consuming operation.

If Y=Dx,, 1<x<p-1, where – fixed element of a field GF(p), then X=logDY over GF(P). Having X easy to calculate Y. For this needed 2 ln(X+Y) multiplexing operations.

The inverse problem of an evaluation X of Y will be enough complex as it is fulfilled by reboric search. If P it is chosen enough correctly then extraction of the logarithm will demand the evaluations proportional follow:

L(p) = exp { (ln p ln ln p)0.5 }

Without knowing X1 and X2, the violator can try to calculate K12, knowing only intercepted Y1 and Y2. Equivalence of this problem to a problem of an calculation of the discrete logarithm is a principal and open problem in the systems with an open key. A simple solution it is not discovered till now. So, if for direct transformation of 1000-bit prime numbers 2000 operations are required, for inverse transformation (an evaluation of the logarithm in the field of Galois) - it is required about 1030 operations.

At all simplicity of algorithm Diffi-Hellman, its second lake in comparison with system RSA is lack of the guaranteed lower estimation of labour input of disclosing of a key.

Besides, though the described algorithm allows bypassing a problem of the latent transmission of a key, necessity of authenticity remains. Without the additional means, one of users cannot be assured that it has exchanged keys with that user who is necessary to it. Danger of imitation in this case remains.

As generalisation of told about distribution of the keys< it is necessary to tell the following. The problem of control is reduced by keys to search of such report of distribution of the keys which would ensure:

• Possibility of refusal from the centre of the keys distribution;

• Mutual confirmation of the authenticity of a session participants;

• Confirmation of a session reliability by the inquiry-answer mechanism, use for this purpose program or hardware;

• Use the minimum numbers of messages at the interchanging of keys.

An one-wave function as a function of encryption is inapplicable, because, if F(x) is a crypted message of х, nobody, including legal recipient, not able to recover х. Going round this problem is possible by an one-way function with a secret (one-way trapdoor function). Sometimes a term is yet used function with trap.

For example, function Ek: XY, has a reverse function Dk: YX, however it is impossible to know a reverse function only on Ek without knowledge of secret k.

Function Ek: XY, depending on a parameter k and possessing next three properties is named by an one-way function with a secret. There are following properties:

1) at any k there is a polinomical algorithm of calculation of values of Ek(x);

2) at unknown k there is not a polinomical algorithm of inverting of Ek;

3) at known k there is a polinomical algorithm of inverting of Ek;

The function of Ek can be utillized for encrypting of information, and reverse by it function of Dk - for decrypting, because at all х Х justly Dk (Ek(x)) = x.

Implied thus, that, who knows, how information to encrypt, quite not necessarily must know how to decrypt it. Similarly as well as in case with an one-way function, a question about existence of one-way trapdoor function is opened. For practical cryptography a few functions - candidates on the rank of one-way trapdoor function are found. For them the second property is not well-proven, however known it is, that the task of inverting is equivalent the decision of difficult mathematical task.

Application of one-way trapdoor function in cryptography allows:

- to organize an exchange the encrypted messages with the use of the only opened channels of connection, i.e. to turn down the secret channels of connection for a preliminary exchange by the keys;

- to include at dissection of cipher an complicated mathematical problem and the same to increase cipher firmness;

- to decide new cryptographic tasks, different from an encipherement (electronic digital signature and other).

Firmness of most modern asymmetric algorithms is based on mathematical problems which on this stage are an infeasible task:

1) factorization of large numbers (decomposition of large numbers on simple multipliers);

2) the discrete taking the logarithm in the eventual fields (a search of logarithm in the eventual fields);

3) search of roots of algebraic equalizations.

As to date there are not effective algorithms of decision of these tasks or their

decision requires bringing in of large calculable resources or temporal expenses, these mathematical tasks found a wideuse in the construction of asymmetric algorithms.

2 General description of ГОСТ 28147-89 algorithm

An algorithm is carried by the name ГОСТ 28147-89. It is intended for hardware and programmatic representation, suits, to produced for modern cryptosystems, and does not lay on limits on secrecy of transferable information.

As well as DES algorithm, the ГОСТ algorithm is built on the basis of Feystel network. On every stage the encoded report is broken up to left L0 and to right R0 parts which cipher by rule

Li = Ri-1

Ri = Li -1Е f(Ri-1 ,Ki),

Ki

f(Ri-1 ,Ki)

Realization of network of Feystel in an algorithm ГОСТ 28147-89

utillizing the intermediate value of the key Ki.

A difference consists of that in place of the 64-bit key 256-bit key is utilized.

An amount of the stages of encypherement is twice as much as compared to DES.

In addition, operation of replacement, carried out of S-blocks is not permanent, but can change as necessary and, in addition, it is assumed to keep it in secret, that equivalently to lengthening of the key, practically to 610 bits.

Finally, the ГОСТ algorithm is utillized nonlinear function fГОСТ , which substantially differs from the function of fDES , wich is applied in the DES algorithm.

Before to begin consideration of the modes of operations of ГОСТ algorithm, it is necessary to be stopped for the features of some operations, in-use at implementation of nonlinear function of f. It at first, adding up on the module 2 n and, secondly adding up on the module of 2 n - 1.

Operation of adding up of numbers a and b on the module of 2n supposes that

a + b (mod 2 n) = a + b, if a + b < 2 n

a + b (mod 2 n) = a + b - 2 n, if a + b > 2 n

In this algorithm these operations are executed above numbers, presented in a binary code. We will consider the example of addition of numbers 13 and 9 on the module of 2 n at n = 4.

Е 1101 13 + 9 = 22; 2 n = 16; 22 - 16 = 6

1001

---------------

10110

From this example evidently, that for the receipt of the sought result, from the result of addition it is necessary to cast away a most significant digit. Self addition must be carried out with the transfer of unit in a most significant digit.

Addition on the module 2 n - 1 carried out by rule.

a + b (mod 2 n - 1) = a + b, if a + b < 2 n - 1

a + b (mod 2 n - 1) = a + b - 2 n - 1, if a + b > 2 n - 1

We will consider the example of addition of numbers 13 and 9 on the module 2 n - 1 at n = 4.

Е 1101 13 + 9 = 22; 2 n - 1 = 15; 22 - 15 = 7; Е 0110

1001 0001

--------------- ------------

10110 0111

From this example evidently, that for the receipt of the sought result, from the result of addition it is necessary to cast away a most significant digit and add unit to the got remain.

This algorithm is entended a few modes of work. To their number behave, mode of simple replacements, mode of gamming, mode of gamming with a feed-back and mode of making of imito-insertion.

Mode of simple replacement are intended by dividing of the encoded sequence into blocks long in 64 digits and is component part of other modes of encipherement. This mode can be utillized only for the encipherement of blocks length of which is multiple 64th bits. On this account it is used only for the transmission of the next key.

The modes of gamming and gamming with a feed-back are ordinary operating modes and them, mainly, apply for the encipherement of dates.

The mode of forming of imito-insertion is intended for forming of signatury, necessary for the digital signature of electronic documents.

1 Management a key sequence

Any cryptographic system is based on the use of the cryptographic keys. In symmetric cryptosystem a sender and recipient of message utillize the same secret key. This key must be unknown all of other and must periodically brush up simultaneously for a sender and recipient. The process of distributing (deliveries) of the secret keys between the participants of informative exchange in symmetric cryptosystem has difficult character.

Asymmetric cryptosystem supposes the use of two keys - opened and personal (secret). The opened key can be know for anyone, and personal it is necessary to keep in secret. At an exchange by messages, it is necessary to send the only opened key. An important requirement is providing of authenticity of sender of mesage. It is arrived at by mutual authentification of participants of informative exchange.

Under key information understand the aggregate of all of the operating in the system keys. If a reliable management of key information is not ensured, then an user violator, when he took possession of it, he gets unlimited access to all of information.

A management the keys is an informative process, including realization of the followings basic functions, such as:

• generation of the keys;

• storage of the keys;

• distributing of the keys.

1 Passing of secret messages by asymmetric cryptosystems

Symmetric cryptosystems, in spite of great number of advantages, possess one serious failing which is related to the situation, when intercourse between itself is made by the not limited number of people, but hundreds and thousands of persons. In this case for every pair of users, writing to each other between itself, it is necessary to create the secret symmetric key. In the total results it leads to existence in the system N2/2 keys from N of users.

In addition, at violation of confidentiality of some work station a disturber (user violator) gets access to all of the keys of this user and can send messages from his name to all his subscribers.

For the decision of this problem on the base of results, got classic and modern algebra cryptosystems with the public key were offered.

In 1976 in-process “New Directions in Cryptography” Diffi and Khellman offered the principle new method of organization of secret connection without a preliminary exchange by the keys, so-called cipherement with the public key. Thus for encryption and decryption the different keys are utillized, and knowledge one of them does not give practical possibility to define the second. As a result the key of encryption can be opened without the loss of cipher firmness, and only the key of decryption must stick to a recipient in secret, therefore cryptosystem with the opened key are naming asymmetric (asymmetrical) cryptosystems.

On a figure 1 the structural chart of public key cryptosystem is resulted

Figure 1 – Structural chart of public key cryptosystem

Asymmetrical cryptosystems suppose the presence of two keys: opened, intended for encryption of transferrable message, and closed, by which a recipient decrypts the accepted cryptogram.

The unsecret key can be passed on the opened channel. It’s knowledge does not give the user violator of possibility to get access to information, to contained in a message.

The generator of key pair gives out the pair of the keys (К1, К2) depending on initial conditions (IC), known only to the recipient of message. The opened key К1 is passed to the sender on an unprotected communication channel. A sender encrypts message M, utillizing the key К1. Ciphertext C passed to the recipient on an unprotected communication channel.

A recipient decrypts a cryptogram (restoring an initial message), utillizing the secret key К2.

An unauthorized person (UP) has an access to the unprotected channels and can intercept a cryptogram C and the opened key К1. Moreover, it can own the algorithm of encipherement, because the algorithm of encipherement is published and accessible to any, who wants to send message to the addressee. Unique, what is not owned by a user violator - by the key of K2. And only a subscriber, owning the closed key, getting a message, makes with it transformation by key К2 known only to him and restores the text of message.

It is necessary to mark that if a message needs to be sent to opposite direction, already it is needed it will be to utillize other pair of the keys.

As we see, at first, in the asymmetric systems the amount of the existent keys is related to the amount of subscribers linearly (in the system from N of users utillized 2ґN keys), but not quadratically, as in the symmetric systems. Secondly, at violation of confidentiality of the work station k a user violator will know the key Кk only: it will allow him to read all of messages, which comings to subscriber ko, but does not allow to set up for him at the dispatch of letters.

In practice algorithms with the opened key do not replace symmetric algorithms. As a rule, they are utillized for the followings aims:

1. As an independent mean of protection of data, which are passed or saved.

2. For the encipherement of the keys or some other «auxiliary» informative blocks of relatively small length. It is caused the followings circumstances:

a) The productivity of algorithms with the opened key (speed of encipherement)

approximately in 1 thousand of one times yields to the productivity of symmetric algorithms, that places them at a disadvantage at the use for the encipherement of large volumes of information.

b) Cryptosystems with the opened key is vulnerable to the attacks on the basis of neat plaintext, especially when the number of variants of block of plaintext is limited and sorting of these variants are possible.

Therefore, most advantageous is protocol of secret connection with the use of hybrid cryptosystem, in which an asymmetric algorithm is utillized for secreting and distributing of the keys of connection, and an algorithm with the secret key of connection is utillized for the protection of data. In addition such protocol is assumed by elimination of the secret session key right after completion of session. It substantially reduces the danger of his compromising.

1. As a mean of authentification of users.

Most known systems with the opened key:

- knapsack cryptosystem of Merkle-Khellman;

- RSA cryptosystem;

- ElGamal Cryptosystem;

- Diffi-Khellman Cryptosystem;

- Cryptosystem, based on properties of elliptic curves (Elliptic Curve Cryptosystem);

- electronic-digital signature.

3 Storage of the keys

Under the function of storage of the keys understand organization of their safe storage, account and delete.

The key is the most attractive object for a user violator, opening to him a way to confidential information. Therefore it follows to spare the special attention for the questions of safe storage of the keys.

The secret keys never must be written down in an obvious kind on a medium which can be counted or copied. Any information about the in-use keys must be protected, in particular kept, in an in cipher kind.

A necessity for storage and transmission of the keys, ciphered by other keys, results in conception of hierarchy of the keys. In the standard of ISO 8532 (Banking-key Management) the method of master/session keys is expounded in detail. Essence of method consists of that is entered hierarchy of the keys: master key (MK), key of cipherement of the keys (KK), key of cipherement of data (KD).

A hierarchy of the keys can be:

- two-level (KK / KD);

- three-level (MK / KK / KD).

A lowermost level are work or session KD, which are utillized for the cipherement of information, personal identification numbers (PIN) and authentification of message. When these keys are necessary to be ciphered for purpose of protection at a transmission or storage, utillize the keys of next level - keys of cipherement of the keys. The keys of cipherement of the keys never must be utillized as session (work) KD, and vice versa.

Such division of functions is needed for providing of maximal protection. A standard sets actually, that the different types of the work keys (for example, for the cipherement of information, for authentification et cetera) must be always ciphered by the different versions of the keys of cipherement of the keys.

In particular, keys the cipherements of the keys, in-use for sending of the keys between two nodes of network, are known also as keys of exchange between the nodes of network (cross domain keys). Usually in a channel two keys are utillized for an exchange between the nodes of network, one by one in every direction. Therefore every node of network will have the key of sending, for an exchange with the nodes of network and key of receipt for every channel, supported other node of network.

At top level of hierarchy of the keys a major key - master-key is disposed. This key is used for the cipherement of KK, when it is required to save them on a disk. Usually only one master-key is utillized in every computer.

Master-key spreads between the participants of exchange by an unelectronic method - at the personal contact, to eliminate his intercept and/or compromising. Opening of value of master - key by an opponent is fully destroys protection of computer.

A value is master-key fixed on great time (to a few weeks or months). Therefore generation and storage master-keys are the critical questions of cryptographic protection. In practice master- key of the computer is created by a random selection from all of possible values of the keys. Master-key is placed in a block which protects it from a read-out and record, and also from mechanical influences. However there must be a method of verification, whether a value of the key is correct.

A problem of authentification of master-key can be decided in various ways. One of methods of authentification is shoed on a figure 2.

Ekn (M)

Result

Figure 2 - Chart of authentification of master-key of khost-computer

An administrator, getting a new value of master-key Kn of khost-computer, ciphers some message M with the key Kn. A pair (a cryptogram and a message M) is placed in memory of computer. Every time, when authentification is required of master-key of khost-computer, message M undertakes from memory and given in the cryptographic system. The got cryptogram is compared to the cryptogram, kept in memory. If they coincide, it is considered that this key is correct.

The work keys (for example, session) are usually created by a pseudo-random generator, and can be kept in an unprotected place. It is possible, as such keys are generated in form the proper cryptograms, i.e. the generator of PRN gives out in place of the key Ks its cryptogram, got with a help master-key of computer. Decryption of such cryptogram is executed only before the use of the key Ks.

Thus, safety of the session keys depends on safety of the cryptographic system. A cryptographic block can be projected as a single system and placed in the physically protected place.

If on some reasons the key is lost, for example, a key carrier is physically destroyed, for renewal of capacity of cryptosystem it is necessary to foresee the mechanism of renewal of the lost key. For this purpose it is possible to take advantage of depositing of the key - storage of key copy (better in an in cipher kind) at the trusted person. Reliability of this method rises, if a few trusted persons and chart of division of secret are used. In this case for depositing of the keys it is possible to use smart cards, kept at the trusted person.

Time of «life» of the key must be limited. What the more durational use of the key, then the higher probability of his compromising and anymore temptation for a cryptanalysist to engage in its opening, because opening of the key will allow to expose all of messages, ciphered this key. Especially as the presence of large number of messages, ciphered one key, gives for cryptanalysist an additional chance.

Elimination of the keys must carry irreversible character, to eliminate possibility of renewal of the keys fully.

Archiving of the keys - conservation of copies of the keys which during some temporal period can be claimed is used.

4 Electronic-digital signature

The most essential application of public key cryptography domain are digital signatures. During many ages at the conduct of business correspondence, conclusion of contracts and registration of any other important papers a signature of responsible person or performer was the necessary condition of confession of his status or undeniable certificate his importance. A similar act pursued two purposes:

- guaranteing truth of letter by collation of signature with a present standard;

- guaranteing of authorship of document (from the legal point of view).

Implementation of these requirements is based on the followings properties of signature:

- a signature is authentic, i.e. it is possible to prove with its help the recipient of document, that it belongs to signing (in practice it is determined graphology examination);

- signature is unforged, i.e. serves as proof, what only a that man, whose autograph stands on a document, could sign this document and nobody other would be able it to do;

- signature are noncarred, i.e. it is of part of document and carrying it on other document is impossible;

- a document with a signature is unalterable, i.e. it is impossible to change of its after signing, leaving this fact unnoticed;

- a signature is unquestionable, i.e. man, signing a document, in the case of confession examination, that exactly he witnessed this document, can not contest the fact of signing;

- any person, having a standard of signature, can make sure of that this document is signed the proprietor of signature.

With passing to the nonpapered methods of transmission and storage of data, and also with development of the electronic translation of money facilities systems, in basis of which is an electronic analogue of paper payment, the problem of virtual confirmation of authenticness of document purchased the special sharpness.

Development of any similar systems now unthinkable without existence of electronic signatures under electronic documents. However much application and wide distribution of electronic-digital signatures (EDS) entailed a number of legal problems. So, EDS can be used on the basis of agreements into some group of users of the system of communication of data and, in accordance with an agreement into this group, must have legal force. But will there be an electronic signature to have evidential force in a court, for example at challenging of fact of transmission of payment? Yes, because in 2003 laws are accepted in Ukraine: “About electronic documents and electronic circulation of documens”, “About electronic-digital signature”.

Although EDS saved practically all of basic properties of ordinary signature, all the same some features of realization of electronic autograph do its separate class of signatures. Therefore the legal, legal and methodological aspects of application of EDS must take into account its specific.

There are a few methods of construction of charts of EDS, namely:

1 Cipherement of electronic document (ED) on the basis of symmetric algorithms. This chart foresees a presence in the system of the third person (arbiter), enjoying the confidence of participants of exchange by the electronic documents signed in like manner. Co-operation of users this system is made on the following algorithm:

- participant A encrypts a message on the secret key kА, knowledge of which parts with an arbiter, the after ciphered message is passed to the arbiter with pointing of addressee of this message (information, identifying an addressee, is passed also in an in cipher kind);

- an arbiter decrypts received a message on the key kА, makes necessary verifications and then encrypts on the secret key a participant В (kв). An in further cipher message is sent a participant B together with information, that it came from a participant A;

- participant B decrypts this message and makes sure in that a sender is a participant A.

In this chart a fact of encryption ED by the secret key and transmission ciphered ED to the arbiter will be considered by authorizing of document. Basic advantage of this chart is a presence of the third party, eliminating some vexed questions between the participants of informative exchange, i.e. the additional system of arbitration of EDS is not required in this case. The lack of chart is a presence of the third party and use of symmetric algorithms of cipherement.

2 Cipherement ED with the use of asymmetric algorithms of cipherement. The fact of signing of document in this chart is encrypting of document on the secret key of his sender. This chart is also utillized enough rarely because of that length ED can appear critical. Application of asymmetric algorithms for the cipherement of messages of large length uneffective from point of speed descriptions. The presence of the third party is not required in this case, although it can play the role of certification organ of the opened keys of users.

3 Development of previous idea was become by the most widespread chart of EDs, namely: cipherement of final result of treatment ED by a hash-function through an asymmetric algorithm. The structure chart of such variant of construction of EDS is presented on a fig. 2.

Picture 2- Structure chart of construction of EDS

The generation of signature takes a place as follows:

1 Participant A calculates a hash-code from ED. The got hash-code passes procedure of transformation with the use of the secret key, whereupon got value (which is EDS) together with ED lea with EDS and certificated opened key of participant A, and then to make decryption on its ECP, ED is exposed to the operation of randomizing, whereupon results are compared and, if they coincide, EDS is acknowledged true, otherwise - false.

Firmness of this type of EDS is based on firmness of asymmetric algorithms of cipherement and applied hash-functions.

Except for considered there are “exotic” variants of construction of charts of EDS (group signature, uncontested signature, trusted signature and others). Appearance of these varieties is conditioned the variety of tasks, decided by electronic technologies of transmission and treatment ED.

In general case signed ED looks as a pair, consisting of binary lines (M, S), where M is ED, and S is a decision of equalization Ek(S) = М, where Ek is a function with a secret.

In connection with foregoing determination of EDS, it is possible to select followings its properties:

- it is uncounterfeited, as to decide equalization Ek(S) = М can only possessor of secret k;

- simply identifies an author, i.e. man, signing this document;

- verification of signature is made on the basis of knowledge of function Ek;

- it is unbearable on other ED; an exception is made by a case, when for an in-use hash-function found out collisions;

ED with EDS can be passed on the opened channals, as ED will bring any change over to that procedure of verification of EDS will expose this fact.

3 Encipherement in the mode of simple replacements

Chart of device, realizing the mode of simple replacement resulted on a picture.

T0 Tш

1 32 1

КЗУ

32 1

32 1

32 1

Encipherement in the mode of simple replacement

The opened report, subject to the encipherement, is broken up on 64-bit blocks of Т0. Procedure of encipherement includes 32 cycles ( j=1,…,32 ).

Before the beginning of encipherement in key storages (KS) enter the 256-bit key, divided into blocks long in 32 digits each. Thus, unlike an algorithm, forming the additional keys is not required and, consequently, there is not a necessity for the additional generator of the keys.

К = К7 К6 К5 К4 К3 К2 К1 К0.

Thus an entrance sequence is broken up in half on blocks

Т0 = a1(0), a2(0),…, a32(0), b1(0), b2(0),…, b32(0).

Bits b(0) - senior, standings on the left, and a(0) are junior bits, standings on the right.

Sequence

a(0) = a32(0), a31(0) ,…, a0(0)

enter in the store of N 1, sequence

b(0) = b32(0), b31(0) ,…, b0(0)

enter in the store of N 2.

The first cycle of procedure can be described as follows

a(1) = (a(0), + K0 ) Е b(0)

b(1) = a(0)

In this expression, filling of N 1 is after the first cycle of encipherement; b(1) filling of N 2 after the first cycle of encipherement; it is a function of encipherement.

The argument of function of f is a sum on the module 32 numbers a(0) and numbers of b(0). This function includes two operations above got 32th a bit sum (a(0), + K0 ).

The first operation is a substitution (by replacement) and executed the block of substitution of S.

A block consists of eight knots of replacement S1 ё S8 with memory of 64 bits everybody. Acting from the summator 32-bit block is broken up on eight four bit groups, each of which is replaced other fourdigit group. The order of replacement, producible a block replacement of S, is contained in secret and changes relatively rarely.

Let, for example, numbers are written in S of -blok replacement

7, 10, 2, 4, 15, 9, 0, 3, 6, 12, 5, 13, 1, 8, 11

It means that if on an entrance 0000 combination acts, on an output there will be 0111combination and if on an entrance 0001combination acts, on an output there will be 1010 combination.

The second operation is a circular shift of 32-bit vector to the left (on 11 digits). This operation is executed through an ordinary register of shift R.

On the next stage adding up is carried out on the module two results of calculation of function of f and content of store of N 1. The got result is written down in the store of N 1, and in a store N 2 rewrite the previous value of vector, contained in N 1. The first cycle of encipherement is there on closed.

The last cycles are executed like. A difference consists of that, since a 25th cycle, the keys are given from the block of KS upside-down K7 ё K0.

Thus, during all of 32th cycles, the giving of the keys is carried out in the following order:

K0 , K1 , K2 , K3 , K4 , K5 , K6 , K7 , K0 , K1 , K2 , K3 , K4 , K5 , K6 , K7,

K0 , K1 , K2 , K3 , K4 , K5 , K6 , K7 , K7 , K6 , K5 , K4 , K3 , K2 , K1 , K0 ,

In the 32th cycle a result from a summator on the module is entered in the store of N 2, and his former content is saved in the store of N 1. Thus content of both stores of N 1 and N 2 is a block of in cipher data of Tc, proper the block of the opened data of T0.

In a general view, equalizations, describing the process of encipherement can be presented in the following kind:

a(j) = f [(a( j - 1), + K j-1(mod 8) ] Е b( j - 1)

at j = 1, … , 24

b(j) = a( j - 1),

a(j) = f [(a( j - 1), + K 32 - j ] Е b( j - 1)

at j = 25, … , 31

b(j) = a( j - 1),

a(32) = a(31)

at j = 32

b(j) = f [(a(31) + K 0 ] Е b( 31)

where a(j) = a32(j), a32(j), … , a1(j) is filling of N 1 after j -th cycle of encipherement, and b(j) = b32(j), b32(j), … , b 1(j), - is filling N 2 after j -th cycle of encipherement; j = 1,2, … , 31.

The block of ciphered data hatches from both stores in a next order.

Тш = [a1(32), a2(32), … , a32(32) b1(32), b2(32), … , b32(32)] , (1)

Procedure of decoding has a that kind, what at an encipherement. Block of Tc of kind (1) accepted from a communication channel, write down in the stores of N 1 and N 2 so that the initial value of content of store of N 1 looked like

[a32(32), a31(32) ,…, a2(32), a1(32)] ,

and content of store of N 2, looked like

[b32(32), b31(32) ,…, b2(32), b1(32)] .

Decoding is carried out by a that method, what encipherement, however carried out an order of giving of the 32th bit keys is in the following order:

K0 , K1 , K2 , K3 , K4 , K5 , K6 , K7 , K7 , K6 , K5 , K4 , K3 , K2 , K1 , K0 ,

K7 , K6 , K5 , K4 , K3 , K2 , K1 , K0 , K7 , K6 , K5 , K4 , K3 , K2 , K1 , K0 .

Equalizations of decoding look like here:

a(32 - j) = f [(a( 32 - j + 1), + K j-1] Е b(32 - j + 1)

at j = 1, … , 8;

b(32 - j) = a( 32 - j + 1),

a(32 - j) = f [(a( 32 - j + 1), + K 32 - j(mod 8)] Е b(32 - j + 1)

at j = 9, … , 31;

b(32 - j) = a(32 - j + 1),

a(0) = a(1)

at j = 32.

b(0) = f [(a(1) + K 0 ] Е b( 1)

Fillings of stores of N 1 and N 2 got after the 32th cycles of work form the block of the opened data.

Т0 = [a1(0), a2(0), … , a32(0) b1(0), b2(0), … , b32(0)] .

Other blocks of in cipher data are like decrypted.

## Добавить комментарий