Jun 13, 2022 www.fakengineer.com Introduction to Cryptography
Introduction to Cryptography

Jan 03, 2016

timon-fowler

Transcript
Page 1: Introduction to Cryptography

Apr 20, 2023 www.fakengineer.com

Introduction to Cryptography

Page 2: Introduction to Cryptography

Outline

• Function of Cryptography
• Crash Course in Cryptography
• Public Key Infrastructure (PKI)
• Example: SSL

Page 3: Introduction to Cryptography

Cryptography

Cryptography is the science or study of secret writing (cipher texts).

Cryptanalysis is the science or study of breaking cipher texts.

Cryptology is the study of cryptography and cryptanalysis.

Page 4: Introduction to Cryptography

Uses of Cryptography?

• Private communications
• What else?

Electronic Information Has Unique Characteristics
– Can be given away and still kept
– Can be stolen and not missed
– Can be owned and no one can tell
– Can be distributed instantly to almost everyone
– Cannot tell if it is “real” or not

Page 5: Introduction to Cryptography

Examples of Threats

Bob wants to buy Alice’s car. He agrees to pay her $500 and transfer it to her bank account via their online bank.

[Diagram: ALICE and BOB; sign reading “For Sale: $500”]

Page 6: Introduction to Cryptography

Transfer $50 from Bob’s account 1234 to Alice’s account 5678

Transfer $500 from Bob’s account 1234 to Alice’s account 5678

BOB BANK

Simple Transmission error?

Page 7: Introduction to Cryptography

Transfer $500 from Bob’s account 1234 to Alice’s account 5678

BOB BANK

Transfer $50000 from Bob’s account 1234 to Hal’s account 5666

“Man in the Middle”

“Session Hijack”

Page 8: Introduction to Cryptography

Transfer $500 from Bob’s account 1234 to Alice’s account 5678

BOB BANK

ALICE

[Diagram: the same message, “Transfer $500 from Bob’s account 1234 to Alice’s account 5678”, repeated many times]

REPLAY ATTACK

Page 9: Introduction to Cryptography

BOB BANK

Transfer $500 from Bob’s account 1234 to Alice’s account 5678

BOB

LATER….. I didn’t authorize that transaction!!!

Bob repudiates the transaction.

Page 10: Introduction to Cryptography

Functions of Cryptography

• Integrity: Has the data changed since it was sent?
• Confidentiality: Can we keep an eavesdropper from learning our message?
• Authentication: Can we identify the source of the data?
• Non-Repudiation: Can we prove to a third party the source of the data?
• Access Control: Can we control who accesses data?

Page 11: Introduction to Cryptography

Tools

• Hash Functions
• Encryption
  – (Symmetric vs. Asymmetric)
• Keyed Hash (MAC)
• Key Exchange
• Digital Signatures

Page 12: Introduction to Cryptography

Hash Functions

• $h : \{0,1\}^* \to \{0,1\}^k$
• h maps strings of arbitrary lengths to a fixed length string: h(1101010000…….11001000111) = 100110011101
• h should be chosen so that it is
  – Easy to compute h(x)
  – Given y=h(x) it is computationally infeasible to find x (pre-image resistant)
  – It is computationally infeasible to find x ≠ x’ such that h(x)=h(x’) (collision resistant)
• Common Hash functions in cryptography:
  – SHA-1
  – MD5

Page 13: Introduction to Cryptography

Hash Functions

Hash Functions can be used for message integrity

(M,h(M)) (M’,h(M)’)

Bank checks that h(M’)=h(M)’ (eliminates transmission errors)

Problem: Still subject to man in middle (Hacker can Hash)

BANK

Page 14: Introduction to Cryptography

Hashing with Authentication: Message Authentication Codes (MACs)

• MACs are also known as keyed hashes.
• The sender and receiver share a key that is hashed with the message:
  – MAC = Hash(M,Key)
• A MAC can give integrity and authentication

Page 15: Introduction to Cryptography

MAC

(M,h(M,K)) (M’,h(M,K)’)

Bank checks that h(M’,K)=h(M,K)’

Hacker cannot change message because the MAC won’t verify!

BANK
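
The hash-only check and the MAC check from the two slides above, together with the replay case from the earlier threat slides, as an added Python example (not part of the original slides). HMAC-SHA-256 stands in for the slides' Hash(M,Key) and for SHA-1/MD5, for which practical collisions are known; the key value and the sequence-number field `seq` are assumptions made for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-key-shared-by-bob-and-bank"  # constructed sample key
MSG = b"Transfer $500 from Bob's account 1234 to Alice's account 5678"
FORGED = b"Transfer $50000 from Bob's account 1234 to Hal's account 5666"

def digest(msg: bytes) -> bytes:
    """Unkeyed h(M): anyone on the wire can recompute it."""
    return hashlib.sha256(msg).digest()

def tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """Keyed h(M, K) as HMAC-SHA-256 over a sequence number plus the message."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()

def hash_only_accepts(msg: bytes, received_digest: bytes) -> bool:
    """Bank-side check for the (M, h(M)) scheme."""
    return hmac.compare_digest(digest(msg), received_digest)

class Bank:
    """Bank-side check for the MAC scheme; seq (hypothetical field) detects replays."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def accept(self, seq: int, msg: bytes, received_tag: bytes) -> str:
        if not hmac.compare_digest(tag(self.key, seq, msg), received_tag):
            return "rejected: MAC does not verify"
        if seq <= self.last_seq:
            return "rejected: replayed sequence number"
        self.last_seq = seq
        return "accepted"

def demo() -> list:
    bank = Bank(KEY)
    genuine = tag(KEY, 1, MSG)
    return [
        hash_only_accepts(FORGED, digest(FORGED)),         # altered M, recomputed h(M)
        bank.accept(1, FORGED, genuine),                   # altered M, Bob's old tag
        bank.accept(1, FORGED, tag(b"guess", 1, FORGED)),  # tag made under a wrong key
        bank.accept(1, MSG, genuine),                      # Bob's real request
        bank.accept(1, MSG, genuine),                      # the same bytes sent again
    ]

if __name__ == "__main__":
    print(demo())
```

The MAC by itself would accept the resent message, because the tag is still valid; it is the sequence check that rejects it.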

Page 16: Introduction to Cryptography

Encryption/Decryption

• An encryption algorithm takes plaintext and transforms it into ciphertext.
• The corresponding decryption algorithm transforms the ciphertext back into the original plaintext.
• Cryptographic keys are used in both transformations:
  E(key1,plaintext)=ciphertext
  D(key2,ciphertext)=plaintext
• There are two types of encryption/decryption algorithms – symmetric (key1=key2) and asymmetric (key1≠key2)

Page 17: Introduction to Cryptography

Encryption (symmetric)

[Diagram labels: Plaintext, Encryption/Decryption Algorithm, Ciphertext, Private Key Shared With Trusted Channel]

Page 18: Introduction to Cryptography

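Example of Symmetric Key Cipher

Key = Key1=Key2 = random string of zeros and ones
Plaintext = 110010101000110101
Key = 111000111000111000

Encryption: $CT = E(\mathrm{Key}, PT) = \mathrm{Key} \oplus PT$

$$\begin{array}{rl} & 000011010010100100 \\ \oplus & 001110001110001110 \\ \hline & 001101011100101010 \end{array}$$

Decryption: $PT = D(\mathrm{Key}, CT) = \mathrm{Key} \oplus CT$

$$\begin{array}{rl} & 001101011100101010 \\ \oplus & 001110001110001110 \\ \hline & 000011010010100100 \end{array}$$

If key is as long as PT (& only used once): “one time pad”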

Page 19: Introduction to Cryptography

Keys are the Key

• Cryptography moves the information to be protected from the message to be sent into the key for the cryptosystem
• The key must be protected!!!
• How easy is it for a cryptanalyst to break the cipher - i.e., find the key?

Page 20: Introduction to Cryptography

What size key is secure enough?

Number | How long would it take to count to this number from 0 - one count per second?
1 = $10^{0}$ = $2^{0}$ | 1 second
1,000 = $10^{3}$ ~ $2^{10}$ | 17 minutes
1,000,000 = $10^{6}$ ~ $2^{20}$ | 12 days
1,000,000,000 = $10^{9}$ ~ $2^{30}$ | 32 years
1,000,000,000,000 = $10^{12}$ ~ $2^{40}$ | 32,000 years*
1,000,000,000,000,000 = $10^{15}$ ~ $2^{50}$ | 32 million years**
1,000,000,000,000,000,000 = $10^{18}$ ~ $2^{60}$ | 32 billion years***

* Longer than there has been civilization on earth
** Longer than there have been humans on earth
*** More than the age of the Universe

Mass of earth: ~$6 \cdot 10^{27}$ ~ $6 \cdot 2^{90}$ grams

Nevertheless, your symmetric key size should be at least 80 bits!! ($2^{80}$)

Page 21: Introduction to Cryptography

BOB BANK

E(Key,Message)=101011101011000101

110111101011110011

D(Key,110111101011110011) = kdsaojriewj????

Encryption can give integrity, confidentiality, and authentication. May need to be combined with a keyed MAC.

Page 22: Introduction to Cryptography

BOB BANK

E(Message)=CT=101011101011000101

D(CT)=TransferMoney.

Non-repudiation?

BOB

I did not send that message!!!

Prove he did!

Page 23: Introduction to Cryptography

New Directions

In 1976, Diffie and Hellman came out with a groundbreaking paper called:

“New Directions in Cryptography”

Introduced the idea of asymmetric cryptography based on hard mathematical problems

Page 24: Introduction to Cryptography

Public Key Exchange

MessageA

MessageB

???????

The key must be K!!!

Page 25: Introduction to Cryptography

Public Key (Asymmetric) Cryptography

Asymmetric algorithms are based on key pairs, a public key and a private key.

The keys are mathematically related such that one key performs an operation on data that only the other key can undo.

Knowledge of the public key reveals nothing about the private key

Page 26: Introduction to Cryptography

Public Key Cryptography

Public Key: Anyone can use the public key to send a secret to the owner.

Private key: Only the private key can unlock the secret. The private key cannot be deduced from the public key.

Page 27: Introduction to Cryptography

Public Key Cryptography for Encryption

[Diagram labels: Plaintext, Encryption/Decryption Algorithm, Ciphertext, Public Key of Receiver, Private Key of Receiver]

Page 28: Introduction to Cryptography

Public Key Cryptography - Digital Signatures

• Besides being used for encryption and key exchange, public key systems can be used to provide “digital signatures”
• The decryption algorithm is used to provide a signature (only the owner of the private key can decrypt or “sign”)
• The encryption algorithm is used to “verify” the signature (since this key can be public anyone can verify)

Page 29: Introduction to Cryptography

Digital Signatures

Digital Signatures can be used in a way similar to usual signatures.

• Only the person with the private key can produce the signature.

[Diagram labels: Message, Private key, Signature algorithm, Message + SigM,k]

Page 30: Introduction to Cryptography

Verifying Digital Signatures

• Anyone can verify that the signature is valid.

[Diagram labels: Message + SigM,k, Public key, Verification algorithm, Message Validity]

Page 31: Introduction to Cryptography

Digital Signatures

Benefits:
– Data authentication: The signature is unique not only to the person who owns the key, but also to the message associated to it.
– Non-repudiation: The signer cannot deny signing the message.

BOB
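
The sign-with-private-key, verify-with-public-key flow from the digital signature slides, as an added Python example (not part of the original slides). It uses unpadded textbook RSA with a toy-sized key built from two Mersenne primes so that it runs on the standard library alone; the key, the exponent choice and the helper names are assumptions for illustration, and real systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

# Toy key, constructed for this example: far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent: anyone may know (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only Bob knows D

MSG = b"Transfer $500 from Bob's account 1234 to Alice's account 5678"
FORGED = b"Transfer $50000 from Bob's account 1234 to Hal's account 5666"

def h(msg: bytes) -> int:
    """Hash the message to an integer below N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes, d: int) -> int:
    """Apply the private ('decryption') operation to h(M)."""
    return pow(h(msg), d, N)

def verify(msg: bytes, sig: int) -> bool:
    """Apply the public ('encryption') operation and compare with h(M)."""
    return pow(sig, E, N) == h(msg)

def demo() -> dict:
    sig = sign(MSG, D)
    return {
        "genuine message verifies": verify(MSG, sig),
        "altered message verifies": verify(FORGED, sig),
        "altered signature verifies": verify(MSG, sig ^ 1),
        "signature made with a guessed key verifies": verify(MSG, sign(MSG, 12345)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Verification needs only (N, E), so the bank can check Bob's signature without being able to produce it; with a MAC the bank holds the same key K as Bob, which is why a MAC cannot settle the repudiation dispute.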

Page 32: Introduction to Cryptography

Are we done? No.

Obviously we are not done. We still have a lot of work to do:
– Proving systems/components are secure
– Developing specialized solutions
– Integrating crypto into the real world
– Etc., etc. etc…

Page 33: Introduction to Cryptography

A partial solution: PKI

As a means of addressing these problems, the general idea of a Public Key Infrastructure was born.

PKI is essentially a way to “publish” public key values in a way that is almost (but not really) analogous to a telephone book.

Page 34: Introduction to Cryptography

How Does PKI Work?

PKI helps us by providing two things:
– Certification: The binding of a public key to something (person, place or thing…)
– Validation: The ability to check if such a binding is a valid one.

Page 35: Introduction to Cryptography

On-Line Validation

We could just ask the issuing CA if the certificate we are looking at is still good. This is a lot like credit card approval.

PRO:
– Immediate notification of certificate revocation.

CON:
– Do we really want to ask about every certificate?
– Can the CA handle the onslaught of queries?

Page 36: Introduction to Cryptography

How Much Protection Do We Really Get?

• What is stopping amazon.com from getting a certificate and spoofing the amazon.com web site?
• If they have a valid certificate, we might never notice.

Page 37: Introduction to Cryptography

What about the little guy?

PKI isn’t really set up to support individuals well.
– Less stringent identity verification means less trust in the certificate.
– There are 11 Gilbert Bacas in Albuquerque alone.
– How well can you protect your personal key?

Page 38: Introduction to Cryptography

Public Key Cryptography for Encryption

[Diagram labels: Plaintext, Encryption/Decryption Algorithm, Ciphertext, Public Key of Receiver, Private Key of Receiver, Certification Authority or Trusted Channel]

Page 39: Introduction to Cryptography

Example

SSL/TLS

Page 40: Introduction to Cryptography

SSL/TLS

BOB

The Bank

Page 41: Introduction to Cryptography

SSL (Simplified)

Hi, I’m the Bank

Prove it.

Here’s my certificate.

Verify Cert.

O.K., here’s a symmetric key encrypted with your public key

Encrypted Session

The Bank

Page 42: Introduction to Cryptography

The Bank

Page 44: Introduction to Cryptography

Tools/summary

Columns: Integrity | Authentication | Confidentiality | Non-Repudiation

Rows: Hash | MAC | Symmetric Encryption | Public key Encryption
