Public Key Encryption

EncryptionEncryption

IntroductionIntroduction

The incredible growth of the The incredible growth of the InternetInternet has excited businesses and has excited businesses and consumers alike with its promise of consumers alike with its promise of changing the way we live and work. changing the way we live and work. But a major concern has been just But a major concern has been just how secure the Internet is, especially how secure the Internet is, especially when you're sending sensitive when you're sending sensitive information through it. information through it.

IntroductionIntroduction

Let's face it, there's a whole lot of Let's face it, there's a whole lot of information that we don't want other information that we don't want other people to see, such as: people to see, such as: Credit-card information Credit-card information Social Security numbers Social Security numbers Private correspondence Private correspondence Personal details Personal details Sensitive company information Sensitive company information Bank-account information Bank-account information

IntroductionIntroduction

Information security is provided on computers Information security is provided on computers and over the Internet by a variety of methods. and over the Internet by a variety of methods. A simple but straightforward security method A simple but straightforward security method is to only keep sensitive information on is to only keep sensitive information on removable storageremovable storage media like media like floppy disksfloppy disks. .

But the most popular forms of security all rely But the most popular forms of security all rely on on encryptionencryption, the process of encoding , the process of encoding information in such a way that only the person information in such a way that only the person (or computer) with the (or computer) with the keykey can decode it. can decode it.

In the Key of... In the Key of...

Computer encryption is based on the Computer encryption is based on the science of science of cryptographycryptography, which has been , which has been used throughout history. used throughout history.

Before the digital age, the biggest users of Before the digital age, the biggest users of cryptography were governments, cryptography were governments, particularly for military purposes. particularly for military purposes.

The existence of coded messages has been The existence of coded messages has been verified as far back as the Roman Empire. verified as far back as the Roman Empire. But most forms of cryptography in use But most forms of cryptography in use these days rely on computers, simply these days rely on computers, simply because a human-based code is too easy because a human-based code is too easy for a computer to crack. for a computer to crack.

In the Key of... In the Key of...

Most computer encryption systems Most computer encryption systems belong in one of two categories: belong in one of two categories: Symmetric-key encryption Symmetric-key encryption Public-key encryption Public-key encryption

Symmetric KeySymmetric Key

In In symmetric-key encryptionsymmetric-key encryption, each , each computer has a secret key (code) that it can computer has a secret key (code) that it can use to encrypt a packet of information before use to encrypt a packet of information before it is sent over the network to another it is sent over the network to another computer. computer.

Symmetric-key requires that you know which Symmetric-key requires that you know which computers will be talking to each other so computers will be talking to each other so you can install the key on each one. you can install the key on each one.

Symmetric-key encryption is essentially the Symmetric-key encryption is essentially the same as a secret code that each of the two same as a secret code that each of the two computers must know in order to decode the computers must know in order to decode the information. information.

Symmetric KeySymmetric Key

The code provides the key to decoding the The code provides the key to decoding the message. Think of it like this: You create a message. Think of it like this: You create a coded message to send to a friend in which coded message to send to a friend in which each letter is substituted with the letter that each letter is substituted with the letter that is two down from it in the alphabet.is two down from it in the alphabet.

So "A" becomes "C," and "B" becomes "D". So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that You have already told a trusted friend that the code is "Shift by 2". Your friend gets the the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who message and decodes it. Anyone else who sees the message will see only nonsense. sees the message will see only nonsense.

Symmetric EncryptionSymmetric EncryptionSAME KEY USED FORBOTH ENRCYPTIONAND DECRYPTION

SENDER AND RECIPIENT MUSTBOTH KNOW THE KEYTHIS IS A WEAKNESS

SOURCE: STEIN, WEB SECURITY

Public KeyPublic Key Public-key encryptionPublic-key encryption uses a combination of a uses a combination of a

private key and a public key. private key and a public key. The private key is known only to your computer, The private key is known only to your computer,

while the public key is given by your computer to while the public key is given by your computer to any computer that wants to communicate securely any computer that wants to communicate securely with it. with it.

To decode an encrypted message, a computer must To decode an encrypted message, a computer must use the public key, provided by the originating use the public key, provided by the originating computer, and its own private key. computer, and its own private key.

A very popular public-key encryption utility is called A very popular public-key encryption utility is called Pretty Good PrivacyPretty Good Privacy (PGP), which allows you to (PGP), which allows you to encrypt almost anything. encrypt almost anything.

Public KeyPublic Key

To implement public-key encryption on a large scale, To implement public-key encryption on a large scale, such as a secure Web server might need, requires a such as a secure Web server might need, requires a different approach. This is where different approach. This is where digital certificatesdigital certificates come in. come in.

A digital certificate is basically a bit of information A digital certificate is basically a bit of information that says that the Web server is trusted by an that says that the Web server is trusted by an independent source known as a independent source known as a certificate certificate authorityauthority. .

The certificate authority acts as a middleman that The certificate authority acts as a middleman that both computers trust. It confirms that each computer both computers trust. It confirms that each computer is in fact who it says it is, and then provides the is in fact who it says it is, and then provides the public keys of each computer to the other. public keys of each computer to the other.

Public KeyPublic Key

A popular implementation of public-key A popular implementation of public-key encryption is the encryption is the Secure Sockets LayerSecure Sockets Layer (SSL). (SSL).

Originally developed by Netscape, SSL is an Originally developed by Netscape, SSL is an Internet security protocol used by Internet Internet security protocol used by Internet browsers and browsers and Web serversWeb servers to transmit to transmit sensitive information. sensitive information.

SSL recently became part of an overall SSL recently became part of an overall security protocol known as security protocol known as Transport Layer Transport Layer SecuritySecurity (TLS). (TLS).

Public-Key (Asymmetric) Public-Key (Asymmetric) EncryptionEncryption

1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE

2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION

3. SITE USES ITS PRIVATE KEY FOR DECRYPTION

4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW

SOURCE: STEIN, WEB SECURITY

Public-Key EncryptionPublic-Key Encryption Alice wants to send Bob a secure message M.Alice wants to send Bob a secure message M. Alice uses Bob’s public key to encrypt M.Alice uses Bob’s public key to encrypt M. Bob uses his private key to decrypt M.Bob uses his private key to decrypt M. Bob is the ONLY ONE who can do this,Bob is the ONLY ONE who can do this,

so M is secure.so M is secure. Problem: Anyone could have sent it. Was it Problem: Anyone could have sent it. Was it

really Alice?really Alice?

ALICE’SCLEARTEXT

ALICE’SCODEDTEXT

ALICE’SCODEDTEXT

ALICE’SCLEARTEXT

TRANSM ISSION

BOB DECRYPTS WITHHIS PRIVATE KEY

ALICE ENCRYPTS WITHBOB’S PUBLIC KEY

BOB’SPUBLIC

KEY

BOB’SPRIVATE

KEY

Hash This! Hash This!

The key in public-key encryption is based The key in public-key encryption is based on a on a hash valuehash value. This is a value that is . This is a value that is computed from a base input number using computed from a base input number using a a hashing algorithmhashing algorithm. .

Essentially, the hash value is a summary Essentially, the hash value is a summary of the original value. of the original value.

The important thing about a hash value is The important thing about a hash value is that it is nearly impossible to derive the that it is nearly impossible to derive the original input number without knowing the original input number without knowing the data used to create the hash value. data used to create the hash value.

Hash This! Hash This!

Here's a simple example: Here's a simple example:

Input number Hashing algorithm Hash value

10,667 Input # x 143 1,525,381

Hash This! Hash This!

You can see how hard it would be to You can see how hard it would be to determine that the value 1,525,381 came determine that the value 1,525,381 came from the multiplication of 10,667 and 143. from the multiplication of 10,667 and 143.

But if you knew that the multiplier was But if you knew that the multiplier was 143, then it would be very easy to 143, then it would be very easy to calculate the value 10,667. calculate the value 10,667.

Public-key encryption is actually much Public-key encryption is actually much more complex than this example, but that more complex than this example, but that is the basic idea is the basic idea

Hash This! Hash This!

Public keys generally use complex algorithms Public keys generally use complex algorithms and very large hash values for encrypting, and very large hash values for encrypting, including 40-bit or even 128-bit numbers. including 40-bit or even 128-bit numbers.

A 128-bit number has a possible 2128 or A 128-bit number has a possible 2128 or 3,402,823,669,209,384,634,633,746,074,303,402,823,669,209,384,634,633,746,074,300,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 different combinations! 0,000,000 different combinations!

This would be like trying to find one This would be like trying to find one particular grain of sand in the Sahara Desert. particular grain of sand in the Sahara Desert.

Are You Authentic? Are You Authentic?

As stated earlier, encryption is the process As stated earlier, encryption is the process of taking all of the data that one computer of taking all of the data that one computer is sending to another and encoding it into is sending to another and encoding it into a form that only the other computer will be a form that only the other computer will be able to decode. able to decode.

Another process, Another process, authenticationauthentication, is used , is used to verify that the information comes from to verify that the information comes from a trusted source. Basically, if information a trusted source. Basically, if information is "authentic," you know who created it is "authentic," you know who created it and you know that it has not been altered and you know that it has not been altered in any way since that person created it. in any way since that person created it.

Are You Authentic? Are You Authentic?

These two processes, encryption and These two processes, encryption and authentication, work hand-in-hand to authentication, work hand-in-hand to create a secure environment. create a secure environment.

There are several ways to There are several ways to authenticate a person or information authenticate a person or information on a computer: on a computer: PasswordPassword Pass cardsPass cards Digital signaturesDigital signatures

Are You Authentic? Are You Authentic?

Recently, more sophisticated forms of Recently, more sophisticated forms of authentication have begun to show up on authentication have begun to show up on home and office computer systems. Most home and office computer systems. Most of these new systems use some form of of these new systems use some form of biometricsbiometrics for authentication. for authentication.

Biometrics uses biological information to Biometrics uses biological information to verify identity. Biometric authentication verify identity. Biometric authentication methods include: methods include: Fingerprint scan Fingerprint scan Retina scan Retina scan Face scan Face scan Voice identification Voice identification

Are You Authentic? Are You Authentic?

Another secure-computing need is to ensure Another secure-computing need is to ensure that the data has not been corrupted during that the data has not been corrupted during transmission or encryption. There are a couple transmission or encryption. There are a couple of popular ways to do this: of popular ways to do this:

ChecksumChecksum - Probably one of the oldest - Probably one of the oldest methods of ensuring that data is correct, methods of ensuring that data is correct, checksums also provide a form of checksums also provide a form of authentication because an invalid checksum authentication because an invalid checksum suggests that the data has been compromised suggests that the data has been compromised in some fashion. in some fashion.

Are You Authentic? Are You Authentic?

A checksum is determined in one of two A checksum is determined in one of two ways. Let's say the checksum of a packet is ways. Let's say the checksum of a packet is 1 1 bytebyte long. A byte is made up of 8 bits, and long. A byte is made up of 8 bits, and each bit can be in one of two states, leading each bit can be in one of two states, leading to a total of 256 (28 ) possible combinations. to a total of 256 (28 ) possible combinations. Since the first combination equals zero, a Since the first combination equals zero, a byte can have a maximum value of 255. byte can have a maximum value of 255. If the sum of the other bytes in the packet is 255 If the sum of the other bytes in the packet is 255

or less, then the checksum contains that exact or less, then the checksum contains that exact value. value.

Digital AuthenticationDigital Authentication Alice wants to send Bob a message M so that Alice wants to send Bob a message M so that

Bob is sure Alice is the sender.Bob is sure Alice is the sender. Alice uses her own private key to encrypt M.Alice uses her own private key to encrypt M. Bob uses Alice’s public key to decrypt M.Bob uses Alice’s public key to decrypt M. Alice is the ONLY ONE who could have sent it.Alice is the ONLY ONE who could have sent it. Problem 1: Anyone can read it! Problem 2: Problem 1: Anyone can read it! Problem 2:

Replay attack!Replay attack!

ALICE’SCLEARTEXT

ALICE’SCODEDTEXT

ALICE’SCODEDTEXT

ALICE’SCLEARTEXT

TRANSM ISSION

BOB DECRYPTS WITHALICE’S PUBLIC KEY

ALICE ENCRYPTS WITHHER PRIVATE KEY

ALICE’SPRIVATE

KEY

ALICE’SPUBLIC

KEY

Secure Authenticated Secure Authenticated MessagesMessages

Alice must send Bob a Alice must send Bob a secretsecret & & authenticatedauthenticated message M so Bob is sure it was sent by Alice. message M so Bob is sure it was sent by Alice. Use Use bothboth encryption and signature. encryption and signature.

ALICE’SCODEDTEXT

ALICE’SCODEDTEXT

(AUTHENTICATED)

ALICE’SCLEARTEXT

BOB DECRYPTS WITHALICE’S PUBLIC KEY

ALICE ENCRYPTS WITHHER PRIVATE KEY

ALICE ENCRYPTS WITHBOB’S PUBLIC KEY

ALICE’SCODED AND

SIGNED TEXT

ALICE’SCODED AND

SIGNED TEXT

T R A NSMI

T

ALICE’SCLEAR TEXT

(DECRYPTED ANDAUTHENTICATED)

BOB DECRYPTS WITHHIS PRIVATE KEY

BOB’S PUBLIC

ALICE’S PUBLIC

BOB’S PRIVATE

ALICE’S PRIVATE

4 KEYSNEEDED: