1 Cryptography Basics. 2 Cryptography Basic terminologies Symmetric key encryption Asymmetric key encryption Public Key Infrastructure Digital Certificates.

1

Cryptography Basics

2

Cryptography

• Basic terminologies

• Symmetric key encryption

• Asymmetric key encryption

• Public Key Infrastructure

• Digital Certificates

• Digital Signature

3

TYPES OF CRYPTOGRAPHIC ALGORITHMS

• There are several ways of classifying cryptographic algorithms. For purposes of this lesson, they will be categorized based on the number of keys that are employed for encryption and decryption, and further defined by their application and use. The three types of algorithms that will be discussed are (Figure 1): – Secret Key Cryptography (SKC): Uses a single key for both encryption

and decryption

– Public Key Cryptography (PKC): Uses one key for encryption and another for decryption

– Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information

4

TYPES OF CRYPTOGRAPHIC ALGORITHMS

5

Secret Key Cryptography

•With secret key cryptography, a single key is used for both encryption and decryption. As shown in Figure 1A, the sender uses the key (or some set of rules) to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key (or ruleset) to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

•With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key.

6

Secret Key Cryptography

Secret key cryptography algorithms that are in use today include

•Rivest Ciphers (aka Ron's Code): Named for Ron Rivest, a series of SKC algorithms. (RC1, RC2 , RC3 , RC4, RC5, RC6)

7

Public-Key Cryptography

•Generic PKC employs two keys that are mathematically related although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. The important point here is that it does not matter which key is applied first, but that both keys are required for the process to work (Figure 1B). Because a pair of keys are required, this approach is also called asymmetric cryptography.

•In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party. It is straight forward to send messages under this scheme. Suppose Alice wants to send Bob a message. Alice encrypts some information using Bob's public key; Bob decrypts the ciphertext using his private key. This method could be also used to prove who sent a message; Alice, for example, could encrypt some plaintext with her private key; when Bob decrypts using Alice's public key, he knows that Alice sent the message and Alice cannot deny having sent the message (non-repudiation).

8

Public-Key Cryptography

Public-key cryptography algorithms that are in use today for key exchange or digital signatures include:

•RSA: The first, and still most common, PKC implementation, named for the three MIT mathematicians who developed it — Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA today is used in hundreds of software products and can be used for key exchange, digital signatures, or encryption of small blocks of data.

9

Hash Functions

•Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key (Figure 1C). Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.

10

Hash Functions

•Hash algorithms that are in common use today include:

•Message Digest (MD) algorithms: A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message.

•MD2 (RFC 1319): Designed for systems with limited memory, such as smart cards. (MD2 has been relegated to historical status, per RFC 6149.)

•MD4 (RFC 1320): Developed by Rivest, similar to MD2 but designed specifically for fast processing in software. (MD4 has been relegated to historical status, per RFC 6150.)

•MD5 (RFC 1321): Also developed by Rivest after potential weaknesses were reported in MD4; this scheme is similar to MD4 but is slower because more manipulation is made to the original data. MD5 has been implemented in a large number of products although several weaknesses in the algorithm were demonstrated by German cryptographer Hans Dobbertin in 1996 ("Cryptanalysis of MD5 Compress").

11

Basic Terminologies

• Cryptography deals with creating documents that can be shared secretly over public communication channels

• Cryptographic documents are decrypted with the key associated with encryption, with the knowledge of the encryptor

• The word cryptography comes from the Greek words: Krypto (secret) and graphein (write)

• Cryptanalysis deals with finding the encryption key without the knowledge of the encryptor

• Cryptology deals with cryptography and cryptanalysis• Cryptosystems are computer systems used to encrypt data

for secure transmission and storage

12

Basic Terminologies

• Keys are rules used in algorithms to convert a document into a secret document

• Keys are of two types:– Symmetric– Asymmetric

• A key is symmetric if the same key is used both for encryption and decryption

• A key is asymmetric if different keys are used for encryption and decryption

13

Basic Terminologies

• Examples:– Symmetric key methods

• DES 56-bit• Triple DES 128-bit • AES 128-bit and higher• Blowfish 128-bit and higher

– Asymmetric key methods• RSA (Rivest-Shamir-Adleman of MIT)• PGP (Phil Zimmerman of MIT)

14

Basic Terminologies

• Plaintext is text that is in readable form• Ciphertext results from plaintext by applying the

encryption key• Notations:

– M message, C ciphertext, E encryption, D decryption, k key

– E(M) = C

– E(M, k) = C

• Fact: D(C) = M, D(C, k) = M

15

Basic Terminologies

• Hash algorithms take an arbitrary length message and create a fixed length digest known as Message Digest

• Well-known hash algorithms are MD-4 and MD-5

16

PKI• Public Key Infrastructure (PKI) is a government

initiative to protect computer systems• Developed in the 1970s but has not been widely

accepted. However, parts of the system are in extensive use today. These are Digital Certificates and Digital Signatures.

• Digital Certificates are given by trusted third parties, known as Certificate Authorities (CAs). Verisign (an offshoot of RSA) is a CA. Any organization can be a CA as long as there are people willing to believe their assessment of authenticity.

17

Digital Certificates• Issued by trusted third parties known as Certificate

Authorities (CAs)• Verisign is a trusted third party• Used to authenticate an individual or an

organization• Digital Certificates are usually given for a period

of one year• They can be revoked• It is given at various security levels. Higher the

security level, the CA verifies the authenticity of the certificate seeker more.

18

Digital Certificates

• Digital Certificates can be issued by any one as long as there are people willing to believe them

• Major CAs are:– Verisign– GeoTrust– BeTrusted– Thawte

19

Digital Certificates

• Digital Certificates are part of the authentication mechanism. The other part is Digital Signature.

• When a user uses the digital signature, the user starts with their private key and encrypts the message and sends it. The receiver uses the sender’s public key and decrypts the message

• In traditional encryption, the sender uses the public key of the receiver and encrypts the message and sends it and the receiver decrypts the message with their private key

•DIGITAL SIGNATURE

•Let us begin by looking at the differences between Let us begin by looking at the differences between conventional signatures and digital signatures.conventional signatures and digital signatures.

•A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.

•For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

Verification Method

•For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.

•Relationship

13.24

•In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document.

•Duplicity

•PROCESS

•Figure 13.1 shows the digital signature process. The Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The message and the signature are sent to the receiver. The receiver receives the message and the signature The receiver receives the message and the signature and applies the verifying algorithm to the combination. and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, If the result is true, the message is accepted; otherwise, it is rejected.it is rejected.

•13-2 13-2 Continued

•Figure 13.1 Digital signature process

13.27

•13.2.1 Need for Keys

•Figure 13.2 Adding key to the digital signature process

•A digital signature needs a public-key system.•The signer signs with her private key; the verifier

verifies with the signer’s public key.

•Note

13.28

•13.2.2 Signing the Digest

•Figure 13.3 Signing the digest

29

30

13.31

•WHY?

A digital signature can directly provide :A digital signature can directly provide :

Message Authentication

Message Integrity

Nonrepudiation

13.32

•A secure digital signature scheme, like a secure conventional signature can provide message authentication.

•13.3.1 Message Authentication

•A digital signature provides message authentication.

•Note

13.33

•The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed.

•13.3.2 Message Integrity

•A digital signature provides message integrity.

•Note