Public key distribution. The problem of key distribution in cryptography. Key distribution with the participation of a key distribution center

A key distribution protocol (key establishment protocol) is a cryptographic protocol in which a shared secret becomes available to two or more parties for subsequent use for cryptographic purposes.

Key distribution protocols are divided into two classes:

    Key transport protocols;

    Key exchange protocols.

Key transport protocols (key transport) are key distribution protocols in which one participant creates or otherwise acquires a secret and transmits it securely to other participants.

Key exchange protocols (key agreement, key exchange) are key distribution protocols in which a shared secret is worked out by two or more participants as a function of the information contributed by (or associated with) each of them in such a way that (ideally) no other party can predetermine their common secret.

There are two additional forms of key distribution protocols. A protocol is said to perform a key update if the protocol generates a completely new key that is independent of the keys generated in previous sessions of the protocol. The protocol generates derivative keys (key derivation) if a new key is “derived” from those already existing among participants in the cryptosystem.

The main properties of key distribution protocols include the properties of key authentication, key confirmation and explicit key authentication.

(Implicit) key authentication (implicit key authentication) is a property by which one participant in a protocol is assured that no party other than a specifically identified second participant in the protocol (and possibly a trust authority) can access the secret keys obtained in the protocol. There is no guarantee that the second participant actually gained access to the key, but no one else could have obtained it. Implicit key authentication is independent of the other party's actual possession of the key and does not require any action from the other party.

Key confirmation (key confirmation) is a property by which one participant in the protocol is convinced that another participant (possibly unidentified) actually possesses the secret keys obtained in the protocol.

Explicit key authentication (explicit key authentication) is a property that holds when (implicit) key authentication and key confirmation take place simultaneously.

    1. Needham-Schroeder protocol on symmetric keys

This protocol underlies a large number of key distribution protocols that use trusted centers. There are two types of this protocol:

    Needham-Schroeder protocol on symmetric keys;

    Needham-Schroeder protocol on asymmetric keys.

The symmetric key protocol works as follows:

Preliminary stage:

Key distribution is the most critical process in key management. There are two requirements for it:

1. Efficiency and accuracy of distribution.

2. Secrecy of distributed keys.

Recently, there has been a noticeable shift towards the use of public key cryptosystems, in which the problem of key distribution is eliminated. Nevertheless, the distribution of key information in the information system requires new effective solutions.

The distribution of keys between users is implemented by two different approaches:

1. By creating one or several key distribution centers. The disadvantage of this approach is that the distribution center knows who is assigned what keys, and this makes it possible to read all messages circulating in the information system (IS). Possible abuses have a significant impact on protection.

2. Direct exchange of keys between users of the information system.

The challenge then is to reliably authenticate the subjects.

In both cases, the authenticity of the communication session must be guaranteed. This can be achieved in two ways:

1. The request-response mechanism, which consists of the following. If user A wants to be sure that the messages he receives from B are not false, he includes an unpredictable element (request) in the message he sends to B. When responding, user B must perform some operation on this element (for example, add 1). This cannot be done in advance, since it is not known what random number will come in the request. After receiving a response with the results of the actions, user A can be sure that the session is genuine. The disadvantage of this method is the possibility of establishing a pattern, albeit a complex one, between the request and the response.

2. Time stamp mechanism ("time stamp"). It involves recording the time for each message. In this case, each IS user can know how “old” the incoming message is.

In both cases, encryption should be used to ensure that the response was not sent by an attacker and that the timestamp has not been altered.

When using timestamps, there is a problem with the acceptable delay time interval for verifying the authenticity of a session. After all, a message with a “time stamp” cannot, in principle, be transmitted instantly. In addition, the computer clocks of the recipient and the sender cannot be absolutely synchronized. What delay in the “stamp” is considered suspicious?

Therefore, in real information systems, for example, in credit card payment systems, it is the second mechanism for establishing authenticity and protecting against counterfeiting that is used. The interval used is from one to several minutes. A large number of known methods of stealing electronic money are based on “wedging” into this gap with false requests to withdraw money.

Public key cryptosystems can be used to exchange keys using the same RSA algorithm, but the Diffie-Hellman algorithm has proven to be very effective, allowing two users to exchange a key without intermediaries, which can then be used for symmetric encryption. Despite the simplicity of the Diffie-Hellman algorithm, its disadvantage compared to the RSA system is the lack of a guaranteed lower bound for the complexity of key discovery.

In addition, although the described algorithm circumvents the problem of hidden key transfer, the need for authentication remains. Without additional means, one of the users cannot be sure that he exchanged keys with exactly the user he needs. The danger of impersonation in this case remains.

Original solutions to the problem of “wandering keys” are being actively developed by specialists. These systems are a compromise between public key systems and conventional algorithms, which require the sender and recipient to have the same key.

The idea of the method is quite simple. After a key has been used in one session, it is replaced by another according to some rule.

This rule must be known to both the sender and the recipient. Knowing the rule, after receiving the next message, the recipient also changes the key. If the rule for changing keys is carefully followed by both the sender and the recipient, then at each moment of time they have the same key. Constantly changing the key makes it difficult for an attacker to disclose information.

The main task in implementing this method is choosing an effective key change rule. The easiest way is to generate a random list of keys. Keys are changed in list order. However, obviously the list will have to be transmitted somehow.

Another option is to use mathematical algorithms based on so-called iterative sequences. On a set of keys, the same operation on an element produces another element. The sequence of these operations allows you to move from one element to another until the entire set has been iterated.

The most accessible is the use of Galois fields. By raising the generating element to a power, you can sequentially move from one number to another. These numbers are accepted as keys.

The key information in this case is the source element, which must be known to both the sender and the recipient before commencing communication.

The reliability of such methods must be ensured taking into account the attacker's knowledge of the key change rule being used.
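The key change rule just described, as an added example in Python (not code from the original text): both sides step through powers of a shared source element in a prime field, and recover_source shows why the rule has to be judged against someone who knows it, since two consecutive disclosed keys give away the source element. The modulus P, the value SOURCE, all function names and the HMAC-based contrast rule are assumptions made for the illustration.

```python
import hashlib
import hmac

# Demo parameters (assumptions for this example, not values from the text).
P = 2**127 - 1               # prime modulus: keys live in the field GF(P)
SOURCE = 0x1F3D5B79A1C3E5F7  # constructed "source element" shared in advance


def power_rule_key(source: int, session: int) -> int:
    """Key for a given session under the rule in the text: source^session in GF(P)."""
    return pow(source, session, P)


class Endpoint:
    """Sender or recipient: holds the current key and applies the change rule."""

    def __init__(self, source: int):
        self.source = source
        self.session = 1
        self.key = power_rule_key(source, 1)

    def next_key(self) -> int:
        # Moving to the next power is one multiplication by the source element.
        self.session += 1
        self.key = (self.key * self.source) % P
        return self.key


def recover_source(key_i: int, key_next: int) -> int:
    """What anyone who knows the rule gets from two consecutive disclosed keys:
    key_next / key_i = source, using the modular inverse for division in GF(P)."""
    return (key_next * pow(key_i, -1, P)) % P


def keyed_rule_key(master: bytes, session: int) -> bytes:
    """Contrast rule (not from the text): key_i = HMAC-SHA256(master, i).
    Disclosed session keys reveal neither the master secret nor other keys."""
    return hmac.new(master, session.to_bytes(8, "big"), hashlib.sha256).digest()


def demo():
    sender, recipient = Endpoint(SOURCE), Endpoint(SOURCE)
    in_sync = all(sender.next_key() == recipient.next_key() for _ in range(5))
    # Two consecutive keys become known (constructed scenario).
    leaked_3, leaked_4 = power_rule_key(SOURCE, 3), power_rule_key(SOURCE, 4)
    recovered = recover_source(leaked_3, leaked_4)
    future_known = power_rule_key(recovered, 10) == power_rule_key(SOURCE, 10)
    return in_sync, recovered == SOURCE, future_known


if __name__ == "__main__":
    print(demo())
```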

The management of secret keys is linked through protocols for their distribution between key installation and key management systems. The key installation system defines the algorithms and procedures for generating, distributing, transmitting and verifying keys.
The key management system determines the procedure for using, changing, storing, removing compromised keys from circulation and destroying old keys.

Pre-distribution of keys

Cryptographic security methods are used to reliably protect information transmitted over an open communication channel. To use these methods, you must complete the initial selection and installation of keys. Typically, a secure communication channel is needed for the initial distribution of keys.
The most reliable way to distribute keys initially is a personal meeting of all interacting parties or courier delivery. With a large number of users, preliminary distribution of a significant amount of key information and its further storage are required.
In practice, special systems for pre-distribution of keys are used. These systems provide for the distribution and storage not of the keys themselves, but of some smaller information on the basis of which each party can calculate the session key.
There are two algorithms for pre-key distribution:
  • information is transmitted, including an open part, which can be placed on a public server, as well as secret parts intended for each party;
  • The current key value for interaction between subscribers is calculated using the secret and common open part of the original key information available to subscribers.
There are two requirements for a key pre-distribution system:
  • it must be resilient, i.e. take into account the possibility of disclosure of part of the keys in the event of compromise, deception or collusion of subscribers;
  • it must be flexible, i.e. allow for quick recovery by excluding compromised subscribers and connecting new subscribers.

Forwarding keys

After pre-key distribution, specific session keys must be transferred. The transfer of these keys is carried out using encryption using previously obtained keys.
When transferring secret keys over an open communication channel between subscribers who do not trust each other, the entire range of authentication tasks must be solved.
To centrally manage the transfer of keys, special trusted centers have been created that serve as centers for distribution or re-encryption of keys. In the first case, keys are generated at the distribution center itself, and in the second case, the keys are generated by the subscribers themselves.

Public key distribution

Due to the large number of network subscribers, the key distribution approaches mentioned above become very inconvenient. Diffie and Hellman solved this problem using an unsecured communication channel.
In the public key distribution system they proposed, each party initially has its own secret parameter. The interaction protocol is carried out over an open communication channel.
The parties exchange some messages formed using their secret parameters. Based on the results of the exchange, subscribers calculate a shared secret communication key. Such protocols are not associated with the distribution and forwarding of keys, since initially none of the subscribers has a key.
In its improved form, the Diffie-Hellman system allows you to obtain a shared key, check and confirm the correctness of calculations, and authenticate the parties.

Secret sharing scheme

In a secret sharing scheme, each subscriber is allocated a share of the secret. The scheme is defined by two algorithms that satisfy the condition that no single user has the full group key.
The first algorithm determines how the values of the shares are calculated from a given value of the secret key; the second restores the secret from known shares.
A generalization of the secret sharing scheme is related to:

  • with the introduction of an access structure, when a decision can be made not by one, but by several different groups, and some participants may be given the right of “veto”;
  • introducing a mechanism to detect fraud or collusion among participants;
  • with the introduction of a special protocol for the distribution of shares between participants with confirmation of the correctness of the information received and authentication of the parties.

Certificates

The problem with digital signature certification is the following. Before using a public key, the subscriber must be sure that the public key belongs to the recipient. Public keys are stored on a public server and the attacker has the ability to replace the public key of one of the subscribers and act on his behalf.
To protect public keys, special certification centers have been created, which play the role of a third party and certify the public keys of each subscriber with their digital signatures.
The certificate is a set of data certified by a digital signature of the center, and includes a public key and a list of attributes belonging to the subscriber. This list includes attributes:
  • username and certificate authority;
  • certificate number;
  • validity period of the certificate;
  • assignment of a public key (encryption, digital signature), etc.
The international standard ISO X.509 defines the general structure of public key certificates and protocols for their use for authentication in networks.

Certification Authorities

The certification center is designed to register subscribers, produce public key certificates, store produced certificates, maintain a directory of valid certificates, and issue a list of early revoked certificates.
For networks with a large number of subscribers, several certification authorities are created in a hierarchical structure. The main certification authority issues certificates to its subordinate industry centers, confirming trust in the public keys of these centers.
Knowing the hierarchy and subordination of certification authorities to each other, it is possible to determine whether the subscriber is the owner of a given public key.
The main difficulty in creating certification centers is their legal status and potential financial ability to pay compensation for damage due to failure to comply with digitally signed certificates issued by the center, agreements and contracts disrupted by refusal of a digital signature or its forgery.

This approach creates a kind of vicious circle: in order to share a secret (the transmitted message), the sender and recipient must already have a common secret (the encryption key). Earlier this problem was solved using a non-cryptographic method: transferring the key over communication channels physically protected from eavesdropping (Fig. 1). However, creating such a channel and keeping it in operational readiness in case of an urgent need to transfer a key is quite labor-intensive and costly.

Fig. 1.

The problem was successfully resolved within the framework of modern cryptography, which arose a little more than a quarter of a century ago, so called in contrast to “traditional cryptography” already known by that time. The solution is to use asymmetric (two-key) ciphers or key distribution schemes over open communication channels.

In the first case, the encryption and decryption procedures are performed on different keys, so there is no need to keep the encryption key secret. However, due to extremely low efficiency characteristics and susceptibility to certain special types of attacks, such ciphers turned out to be of little use for hiding directly user information. Instead, asymmetric ciphers are used as part of combined schemes, when a data array is encrypted with a symmetric cipher on a one-time key, which in turn is encrypted with a two-key cipher and in this form is transmitted along with the data.

Schemes for distributing keys over open communication channels solve the same problem in a slightly different way: during an interaction session, two correspondents develop a common secret key, which is then used to encrypt the transmitted data with a symmetric cipher. Moreover, intercepting information in the channel during a session of generating such a key does not give the enemy the opportunity to obtain the key itself: K=K(X,Y) is incomputable (Fig. 2).


Fig. 2.

Problems of asymmetric cryptography

Today, asymmetric cryptography quite successfully solves the problem of distributing keys over open communication channels. However, there are several problems that cause some concern for its future. The strength of all asymmetric cryptography schemes is based on the impossibility of an efficient computational solution to a number of mathematical problems (so-called NP problems), such as factoring large numbers and computing logarithms in large discrete fields. But this impossibility is just an assumption that can be refuted at any time if the opposite hypothesis is proven, namely NP=P. This would lead to the collapse of all modern cryptography, since the problems on whose intractability it is based are quite closely related, and breaking even one cryptosystem would mean breaking most others. Intensive research is being conducted in this direction, but the problem still remains open.

Another threat to modern cryptosystems comes from so-called quantum computers, information processing devices built on the principles of quantum mechanics, the idea of which was first proposed by the famous American physicist R. Feynman. In 1994, P. Shor proposed a factorization algorithm for a quantum computer, which allows a number to be factored in a time that depends polynomially on the size of the number. And in 2001, this algorithm was successfully implemented on the first working prototype of a quantum computer created by specialists from IBM and Stanford University.

According to experts, a quantum computer capable of breaking the RSA cryptosystem can be created in about 15-25 years.

Another unfortunate fact about asymmetric cryptosystems is that the minimum “secure size” of keys is constantly growing due to progress in the field. Over the entire quarter-century history of such systems, it has already grown approximately 10 times, while over the same period for traditional symmetric ciphers, the key size has changed less than twice.

All of the above makes the long-term prospects of asymmetric cryptography systems not entirely reliable and forces us to look for alternative ways of solving the same problems. Some of them can be solved within the framework of so-called quantum cryptography, or quantum communication.

Key distribution is the most critical process in key management. The following requirements apply to it:

· efficiency and accuracy of distribution;

· secrecy of distributed keys.

Distribution of keys between users of a computer network is implemented in two ways:

1) using one or more key distribution centers;

2) direct exchange of session keys between network users.

The disadvantage of the first approach is that the key distribution center knows which keys are distributed to whom, and this allows all messages transmitted over the network to be read. Possible abuses have a significant impact on protection. In the second approach, the challenge is to reliably authenticate the identity of network entities.

In both cases, the authenticity of the communication session must be ensured. This can be done using a request-response mechanism or a timestamp mechanism.

The request-response mechanism is as follows. User A includes an unpredictable element (for example, a random number) in the message (request) sent to user B. When responding, user B must perform some operation with this element (for example, add one), which cannot be done in advance, since it is not known what random number will come in the request. After receiving the result of user B's actions (response), user A can be confident that the session is genuine.

The timestamp mechanism involves recording the time for each message. This allows each network entity to determine how old an incoming message is and reject it if there is doubt about its authenticity. When using timestamps, you must set an acceptable delay time interval.

In both cases, encryption is used to ensure that the response was not sent by an attacker and that the timestamp has not been tampered with.
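Both mechanisms, described here and in the earlier passage on the same two methods, as an added Python example (not part of the original text). HMAC-SHA256 stands in for the encryption the text mentions, the 120-second window is an assumed value, and all names are illustrative; the verifier also remembers accepted messages, so a copy resent inside the allowed delay is refused.

```python
import hashlib
import hmac
import secrets
import struct


def keyed_tag(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed operation standing in for the encryption the text calls for."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


class Challenger:
    """User A: issues unpredictable requests and checks B's responses."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()

    def new_request(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def check_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False                  # never issued, or already answered
        self.pending.discard(nonce)       # a request is accepted at most once
        return hmac.compare_digest(response, keyed_tag(self.key, b"resp", nonce))


def respond(key: bytes, nonce: bytes) -> bytes:
    """User B: the operation on the request that cannot be prepared in advance."""
    return keyed_tag(key, b"resp", nonce)


def stamp(key: bytes, payload: bytes, now: float) -> bytes:
    """Sender side of the timestamp mechanism: time || tag || payload."""
    ts = struct.pack(">Q", int(now))
    return ts + keyed_tag(key, b"time", ts + payload) + payload


class TimestampVerifier:
    """Receiver side: accept a message once, and only inside the allowed delay."""

    def __init__(self, key: bytes, window: int = 120):
        self.key = key
        self.window = window
        self.seen = {}                    # tag -> timestamp of accepted messages

    def accept(self, message: bytes, now: float) -> str:
        if len(message) < 40:
            return "malformed"
        ts_raw, tag, payload = message[:8], message[8:40], message[40:]
        expected = keyed_tag(self.key, b"time", ts_raw + payload)
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"              # altered timestamp or payload, or wrong key
        ts = struct.unpack(">Q", ts_raw)[0]
        if abs(now - ts) > self.window:
            return "stale"
        # Entries older than the window can be dropped: they would be "stale" anyway.
        self.seen = {t: s for t, s in self.seen.items() if now - s <= self.window}
        if tag in self.seen:
            return "replay"               # same message resent inside the window
        self.seen[tag] = ts
        return "ok"
```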



The key distribution problem comes down to constructing a key distribution protocol that provides:

· mutual confirmation of the authenticity of session participants;

· confirmation of the authenticity of the session by a request-response or timestamp mechanism;

· use of a minimum number of messages when exchanging keys;

· the possibility of eliminating abuse on the part of the key distribution center (up to and including abandoning it).

It is advisable to base the solution to the problem of key distribution on the principle of separating the procedure for confirming the authenticity of partners from the procedure for distributing keys itself. The purpose of this approach is to create a method in which, after authentication, the participants themselves generate a session key without the participation of a key distribution center, so that the key distributor has no way of revealing the contents of messages.

Key distribution with the participation of the key distribution center. When distributing keys between participants in the upcoming information exchange, the authenticity of the communication session must be guaranteed. The handshake pattern is acceptable for mutual authentication of partners. In this case, none of the participants will receive any sensitive information during the authentication procedure.

Mutual authentication ensures that the correct entity is called with a high degree of confidence that the connection has been established with the required recipient and that no spoofing attempts have been made. The actual procedure for organizing a connection between participants in an information exchange includes both the distribution stage and the stage of confirming the authenticity of partners.

When a key distribution center (KDC) is included in the key distribution process, it interacts with one or both session participants in order to distribute secret or public keys for use in subsequent communication sessions.

The next stage, verification of the authenticity of participants, involves the exchange of authentication messages in order to be able to detect any substitution or repetition of one of the previous calls.

Let's consider protocols for symmetric cryptosystems with secret keys and for asymmetric cryptosystems with public keys. The caller (source object) is denoted by A, and the callee (destination object) by B. Session participants A and B have unique identifiers Id_A and Id_B, respectively.

5.6.4. Authentication and key distribution protocol for symmetric cryptosystems

Let's consider as an example the authentication and key distribution protocol Kerberos (in Russian - Cerberus). The Kerberos protocol is designed to operate over TCP/IP networks and involves a trusted third party in authentication and key distribution. Kerberos provides strong network authentication by allowing a legitimate user access to various machines on the network. The Kerberos protocol is based on symmetric ciphers (the DES algorithm is implemented, although other symmetric cryptographic algorithms can be used). Kerberos generates a separate secret key for each network entity, and knowledge of such a secret key is tantamount to proving the identity of the network entity.

The core Kerberos protocol is a variant of the Needham-Schroeder authentication and key distribution protocol. Version 5 of the core Kerberos protocol involves two communicating parties, A and B, and a trusted server, KS (Kerberos Server). Parties A and B each separately share a secret key with the KS server. The trusted KS server acts as the key distribution center.

Let party A want to receive a session key for information exchange with party B.

Party A initiates the key distribution phase by sending the identifiers Id_A and Id_B over the network to the KS server:

(1) A → KS: Id_A, Id_B.

The KS server generates a message with a timestamp T, expiration date L, random session key K and identifier Id_A. It encrypts this message with the secret key that it shares with party B.

The KS server then takes the timestamp T, the expiration date L, the session key K and the identifier Id_B of party B, and encrypts it all with the secret key it shares with party A. It sends both of these encrypted messages to party A:

(2) KS → A: E_A(T, L, K, Id_B), E_B(T, L, K, Id_A).

Party A decrypts the first message with its secret key and checks the timestamp T to ensure that the message is not a repeat of a previous key distribution procedure.

Party A then generates a message with its Id_A and the timestamp T, encrypts it with the session key K and sends it to B. In addition, A sends B the message from KS that is encrypted with B's key:

(3) A → B: E_K(Id_A, T), E_B(T, L, K, Id_A).

Only party B can decrypt message (3). Party B obtains the timestamp T, the expiration date L, the session key K and the identifier Id_A. Party B then decrypts the second part of message (3) with the session key K. The coincidence of the values of T and Id_A in the two parts of the message confirms the authenticity of A in relation to B.

For mutual authentication, party B creates a message consisting of the timestamp T plus 1, encrypts it with key K and sends it to party A:

(4) B → A: E_K(T+1).

If, after decrypting message (4), party A obtains the expected result, it knows that it is really B at the other end of the communication line.

This protocol works successfully provided that each participant's clock is synchronized with the clock of the KS server. It should be noted that this protocol requires an exchange with KS to obtain the session key each time A wants to communicate with B. The protocol provides a reliable connection between objects A and B, provided that none of the keys is compromised and the KS server is protected.
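Messages (2) to (4) above with both sides' checks, as added example code in Python (not from the original text and not from any Kerberos implementation). The seal/unseal pair built from SHA-256 and HMAC is a stand-in for the symmetric cipher E, L is treated as a lifetime in seconds, and MAX_SKEW and all function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300   # assumed tolerance for clock differences, in seconds


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for E_key(...): SHA-256 keystream plus HMAC tag (demo only)."""
    plain = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plain, keystream(key, nonce, len(plain))))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(c ^ s for c, s in zip(body, keystream(key, nonce, len(body)))))


class KeyServer:
    """KS: shares one long-term secret key with every registered party."""

    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def issue(self, id_a: str, id_b: str, now: int, lifetime: int = 3600):
        # Message (2): the same T, L, K sealed once for A and once for B.
        k = secrets.token_bytes(16).hex()
        for_a = seal(self.keys[id_a], {"T": now, "L": lifetime, "K": k, "id": id_b})
        for_b = seal(self.keys[id_b], {"T": now, "L": lifetime, "K": k, "id": id_a})
        return for_a, for_b


def initiator_send(key_a: bytes, id_a: str, id_b: str, for_a: bytes, now: int):
    """A: check the KS reply, then build the E_K(Id_A, T) part of message (3)."""
    m = unseal(key_a, for_a)
    if m["id"] != id_b or abs(now - m["T"]) > MAX_SKEW:
        raise ValueError("reply from KS is stale or names another party")
    k = bytes.fromhex(m["K"])
    return k, m["T"], seal(k, {"id": id_a, "T": m["T"]})


def responder_receive(key_b: bytes, authenticator: bytes, for_b: bytes, now: int):
    """B: open E_B(...), then E_K(...), compare both parts, answer with T+1."""
    t = unseal(key_b, for_b)
    if not t["T"] - MAX_SKEW <= now <= t["T"] + t["L"]:
        raise ValueError("key is outside its validity period")
    k = bytes.fromhex(t["K"])
    a = unseal(k, authenticator)
    if a["id"] != t["id"] or a["T"] != t["T"]:
        raise ValueError("the two parts of message (3) do not match")
    return k, seal(k, {"T+1": t["T"] + 1})


def initiator_confirm(k: bytes, reply: bytes, t: int) -> bool:
    """A: message (4) must decrypt under K to T+1."""
    return unseal(k, reply).get("T+1") == t + 1
```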

Kerberos protects the network from unauthorized access based solely on software solutions, and involves multiple encryption of control information transmitted over the network.

The Kerberos system has a client-server structure and consists of client parts C installed on all machines on the network (user workstations and servers), and a Kerberos server KS located on some (not necessarily dedicated) computer.

The Kerberos server, in turn, can be divided into two parts: the identification server AS (Authentication Server) and the permission server TGS (Ticket Granting Server). The information resources needed by clients C are managed by the information resource server RS (see next figure).

The scope of the Kerberos system extends to that part of the network in which all users are registered with their names and passwords in the Kerberos server database.


Fig. 41. Scheme and steps of the Kerberos protocol.

Designations:

KS – Kerberos system server;

AS – identification server;

TGS – permit issuance server;

RS – information resource server;

C – Kerberos system client;

1: C → AS: request permission to contact TGS;

2: AS → C: permission to contact TGS;

3: C → TGS: request for access to RS;

4: TGS → C: permission for admission to RS;

5: C → RS: request to receive an information resource from RS;

6: RS → C: confirmation of the authenticity of the RS server and provision of the information resource.

In general, the process of identifying and authenticating a user in a Kerberos system can be described as follows. User (client) C, wanting to access a network resource, sends a request to the identification server AS. The latter identifies the user using his name and password and grants permission to access the permission server TGS, which in turn, at the request of client C, authorizes the use of the necessary network resources using the target information resource server RS.

This model of client interaction with servers can only function if the confidentiality and integrity of the transmitted control information is ensured. Without strict information security, the client cannot send requests to the AS, TGS and RS servers and receive permission to access services on the network. To avoid the possibility of interception and unauthorized use of information, Kerberos applies a complex system of multiple encryption, using a set of secret keys (client secret key, server secret key, client-server secret session keys), when transmitting any control information over the network.

5.6.5. Protocol for asymmetric cryptosystems using public key certificates

This protocol uses the idea of public key certificates.

A public key certificate C is a message from a key distribution center (KDC) that certifies the integrity of some public key of an object. For example, a public key certificate for user A, denoted C_A, contains a timestamp T, the identifier Id_A and a public key K_A, encrypted with the secret key k_KDC of the KDC, i.e.

C_A = (T, Id_A, K_A).

The T timestamp is used to confirm that a certificate is current and thereby prevents duplicates of older certificates that contain public keys and for which the corresponding private keys are invalid.

The secret key k_KDC is known only to the KDC manager. The public key K_KDC is known to participants A and B. The KDC maintains a table of public keys of all network objects that it serves.

Caller A initiates the key establishment stage by requesting from the KDC a certificate for its own public key and for the public key of party B:

(1) A → KDC: Id_A, Id_B, 'Send certificates of keys A and B'.

Here Id_A and Id_B are unique identifiers of participants A and B, respectively.

The KDC manager responds with a message

(2) KDC → A: (T, Id_A, K_A), (T, Id_B, K_B).

Participant A, using the public key K_KDC of the KDC, decrypts the KDC response and verifies both certificates. Id_B assures A that the identity of the called party is correctly recorded in the KDC and that K_B is indeed the public key of participant B, since both are encrypted with the KDC key k_KDC.

Although public keys are assumed to be known to everyone, the mediation of the KDC makes it possible to confirm their integrity. Without such mediation, an attacker can provide A with his own public key, which A will consider to be the key of participant B. Then the attacker can substitute himself for B and establish a connection with A, and no one will be able to detect him.

The next step of the protocol involves establishing communication between A and B:

(3) A → B: C_A, (T), (r_1).

Here C_A is the public key certificate of user A;

(T) is a timestamp encrypted with the private key of participant A and is the signature of participant A, since no one else can create such a signature;

r_1 is a random number generated by A and used for exchange with B during the authentication procedure.

If certificate C_A and the signature of A are correct, then participant B is confident that the message came from A. The part of the message (r_1) can only be decrypted by B, since no one else knows the private key k_B corresponding to the public key K_B. Participant B decrypts the value of the number r_1 and, to confirm its authenticity, sends a message to participant A

(4) B → A: (r_1).

Participant A recovers the value of r_1 by decrypting this message using its private key k_A. If this is the expected value of r_1, then A receives confirmation that the called participant is indeed B.

A protocol based on symmetric encryption is faster than a protocol based on public key cryptosystems. However, the ability of public key systems to generate digital signatures that provide various protection functions compensates for the redundancy of the required calculations.

Direct key exchange between users. When using a cryptosystem with a symmetric secret key for information exchange, two users who want to exchange cryptographically protected information must have a common secret key. Users must exchange a shared key over a communication channel in a secure manner. If users change the key often enough, key delivery becomes a serious problem.

To solve this problem, two methods are used:

1) use of a public key cryptosystem to encrypt and transmit the secret key of a symmetric cryptosystem;

2) use of the Diffie-Hellman public key distribution system (see section 5.4.2).

5.6.6. Using a public key cryptosystem to encrypt and transmit the secret key of a symmetric cryptosystem

The algorithms underlying public key cryptosystems have the following disadvantages:

· generation of new secret and public keys is based on the generation of new large prime numbers, and checking the primality of numbers takes a lot of CPU time;

· encryption and decryption procedures associated with raising a multi-digit number to a power are quite cumbersome.

Therefore, the performance of public key cryptosystems is usually hundreds or more times lower than the performance of symmetric cryptosystems with a secret key.

A hybrid encryption method combines the high secrecy benefits of asymmetric public key cryptosystems with the high speed benefits of symmetric secret key cryptosystems. In this approach, a public key cryptosystem is used to encrypt, transmit, and then decrypt only the secret key of the symmetric cryptosystem. A symmetric cryptosystem is used to encrypt and transmit the original plaintext. As a result, a public key cryptosystem does not replace a symmetric secret key cryptosystem, but only complements it, making it possible to increase the overall security of transmitted information. If user A wants to transmit a message M encrypted using the combined method to user B, then the order of his actions will be as follows.

1. Create (for example, randomly generate) a symmetric key, called in this method the session key K_S.

2. Encrypt the message M using the session key K_S.

3. Encrypt the session key K_S with the public key K_B of user B.

4. Transmit the encrypted message along with the encrypted session key to user B over an open communication channel.

User B's actions upon receiving the encrypted message and the encrypted session key should be the reverse:

5. Decrypt the session key K_S using his secret key k_B.

6. Using the recovered session key K_S, decrypt and read message M.

When using the combined encryption method, you can be sure that only user B will be able to correctly decrypt the key K_S and read the message M. Thus, when using the combined encryption method, cryptographic keys of both symmetric and asymmetric cryptosystems are used. Obviously, the choice of key lengths for each type of cryptosystem should be carried out in such a way that it would be equally difficult for an attacker to attack any security mechanism of the combined cryptosystem.

The following table shows common key lengths of symmetric and asymmetric cryptosystems, for which the difficulty of a brute-force attack is approximately equal to the difficulty of factoring the corresponding moduli of asymmetric cryptosystems (Schneier B. Applied Cryptography. - John Wiley & Sons, Inc., 1996. - 758 p).
