Cryptography

A Tutorial on CryptographyBy: Er. Chetan GoyalContact for more tutorials on other topics of ethical hackingchetangoyal36@Hotmail.comchetangoyal36@gmail.comOr visitwww.windowwares.blogspot.com

Cryptography

• This module includes

Related terms

Symmetric key cryptography

Asymmetric Key cryptography

PKI and Digital signatures

Demonstration: how SSL works..

2

Cipher

• Cipher is the actual algorithm.

• We can use cipher and algorithm

interchangeably.

3

More definitions

• Cryptosystem

• Encompasses all of the necessary components of encryption and decryption

» Softwares

» Protocols

» Algorithms

• Plain text – readable data

• Cipher text – encrypted data

4

Caesar Cipher

• Julius Caesar, 49 BC

– Securely communicate with friends

• Simple Substitution cipher

– Shift alphabet 3 characters.

5

Caesar Cipher Example

• Substitution

6

Plaintext: ET TU BRUTE

Shift Algorithm

3 characters

Cipher text: HW WX EUXWH

Symmetric Encryption

• Single key

– - Shared secret

• ExamplesData Encryption Standard (DES)

– - Block Cipher, 56 bit key

– - Triple DES 112 bit key

Advanced Encryption Standard (AES)

- Rijndael Algorithm• Belgian cryptographers, Joan Daemen and

Vincent Rijmen.

- 128, 192, 256 bit keys

7

Symmetric Key Encryption

• Symmetric key encryption is based on

substitution and transposition

• Each algorithm consist many substitution

and transposition “rounds”

• Symmetric key encryption is mostly used

for bulk or mass encryption.

8

Key and Algorithm Relationship

• Algorithm consist many static equations (functions) or rounds these rounds are basically mathematical formulas –substitution and transposition.

• Key will decide which function/s or block/s, their order, values should be used to encrypt or decrypt data.

9

Key Size

• Does key size really matter ?

• Why and how

• Key space – total number of bits available for key generation

• So for 64 bits we have 2 power 64.

• For 128 bits we have 2 power 128

• So the larger the key space, the more values an attacker has to bruteforce.

10

Types of Symmetric Cipher

• Block Cipher – text is divided into blocks, and each block is encrypted individually

• Eg: AES, DES, 3DES etc.

• Stream cipher – stream is used instead of blocks, synchronization of encryption and decryption ends is needed

• Eg: RC4, RC5

11

Symmetric Encryption Example

12

Dear Bob:

How about comingover to my placeat 1:30?

Love, Alice

Dear Bob:

How about comingover to my placeat 1:30?

Love, Alice

Alice Bob

decryptencrypt011100111001001110011100111001001110000111111

ciphertext

Symmetric cipher downfalls

• Key management

• Does not provide non repudiation and digital signature facilities

13

Asymmetric Key Cryptography

• Two mathematically related keys– Unable to derive one from the other

– Encrypt with one – decrypt with other

• Public Key Cryptography– One (public) key published for all to see

– Other (private) key kept secret

• Algorithms– RSA - Integer Factorization (large primes)

– Diffie-Hellman - Discrete Logarithms

– ECES - Elliptic Curve Discrete Logarithm

14

Asymmetric Encryption Example

15

Dear Carol:

I think Alice ishaving an affairwith Bob. I need to see youright always.

Love, Ted

Dear Carol:

I think Alice ishaving an affairwith Bob. I need to see youright always.

Love, Ted

Mohan Jagmohan

encrypt decrypt

Jagmohan'sPrivate KeyJagmohan's

Public Key

011100111001001110011100111001001110000111111

ciphertext

Asymmetric Advantages

• No shared secret key

• Public key is public– Can be freely distributed or published

– Key management is much easier

• Private key known ONLY to owner– Less vulnerable, easier to keep secret

• Supports Non-repudiation– Sender can not deny sending message

16

Asymmetric Disadvantage

• 1000 times slower than Symmetric encryption so can’t use for bulk encryption.

17

Non-repudiation

• Since only the sender knows their private key, only the sender could have sent the message.

• Authentication mechanism

• Basis for Digital Signature

18

Hash Function

• Hash Function are like CRC functions but are more then CRC (mathematically)

• Hash provide integrity check

• Hash functions generate finger prints for a given data, a little change to data will result completely different fingerprint. (non guessable)

• When hash function generate same fingerprint for different data, known as collision or birthday attack

• Hash functions are one way functions19

Examples of Hash Functions

• MD5

• SHA - 1

• SHA - 256

20

Digital Signature

• Combines one-way secure hash functions with public key cryptography– Hash function generates fixed length value

– No two documents produce the same hash value

– Secure Hash Algorithm 1 (SHA-1)

• Characteristics– Data Integrity - hash value

– Non-repudiation – encrypted with private key

– Does NOT provide confidentiality

21

Digital Signature Creation

22

Dear Mr. Ted:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

Dear Mr. Ted:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

encrypt

Sue'sPrivate Key

HashFunction

Sue

0F47CEFFAE0317DBAA567C29

HashValue

01010111100001101011011110101111010111

DigitalSignature

Digital Signature Validation

23

Dear Mr. Ted:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

01010111100001101011011110101111010111

Sue'sPublic Key

decrypt0F47CEFFAE0317DBAA567C29

0F47CEFFAE0317DBAA567C29 Signature is valid

if the two hashesmatch

Source of Public Key

• Can be on a server (common server)

• With PGP - embedded into mail

24

But

• How do you know for sure who is the

owner of a public key?

25

Public Key Infrastructure

• Public Key Infrastructure (PKI) provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. NIST

26

Public Key Certificates

• Digital Certificates

– Binds a public key to it's owner

– Issued and digitally signed by a trusted third party

– Like an electronic photo-id

• Follows X509 V3 standard – RFC 2459

27

X509 V3 Basic Fields

• Owner's X.500 distinguished name (DN)– C=US;O=GOV;O=NIH;OU=CIT;CN=Mark Silverman

• Owner's public key

• Validity period

• Issuer's X.500 distinguished name

28

PKI Components

• Certification Authority (CA)

• Registration Authority (RA)

• Repository

• Archive

• Users

29

Certification Authority (CA)

• TRUSTED third party• Issues Certificates

– Creates and signs them– Publishes current certificates

• Issues Certificate Revocation Lists (CRLs)– List of invalid (revoked) certificates– Online Certificate Status Protocol (OCSP)

• Maintains archives of status information• May retain copy of data encryption private

key, for purposes of key recovery– government requirement

30

Registration Authority (RA)

• Verify certificate contents for CA

– Identity proofing

– RA's public key known to CA

• A CA may have multiple RAs

31

Certificate Policy (CP)

• A high level document that describes the security policy for issuing certificates and maintaining certificate status information.

• Describes operation of the CA.

• Defines user's responsibilities for requesting, using and handling certificates and keys.

32

Certification Practice Statements (CPS)

• A highly detailed document that describes how a CA implements a specific CP.

• Specifies the mechanisms and procedures that are used to achieve the security policy.

• Effectively the CA's operations manual.

33

Conclusion

• Enabling technology for E-Gov– Data Confidentiality

– Data Integrity

– Non-repudiation

• Technology is complicated– But not unmanageable

• Difficulty is in establishing trust– 20% technology – 80% policy

34