Use of Cryptography in Data Security over Computer Networks by TigerHATS

Use of Cryptography in Data Security over Computer

Networks

Presented by:

Monzur MorshedRezaur Rahman

TigerHATSwww.tigerhats.org

The International Research group dedicated to Theories, Simulation and Modeling, New Approaches, Applications, Experiences, Development, Evaluations, Education, Human, Cultural and Industrial Technology

Homepage: www.tigerhats.orgTwitter: www.twitter.com/tigerhats

TigerHATS - Information is power

Use of Cryptography in Data Security over Computer

Networks

Presented by

Monzur Morshed Rezaur Rahman (TigerHATS)

DefinitionsComputer Security: measures to protect data within acomputer and during its processing.

Network Security: measures to protect data (information)

within the network and during their transmission.

Internet Security: measures to protect data their

transmission over a collection of interconnected networks.

Vulnerability: It is a weakness that can be used to cause loss or harm to an information system. Vulnerable points of a system are used to attack the system to breach its security.

Threat: It can be seen as potential violation of security of a system. Of course violation of security will be done to cause harm or loss. Threats exist because of vulnerabilities in a system.

Preliminaries [Cont..]

• Interception

• Interruption

• Modification

• Fabrication

Types of Threats

Logical Control: It uses software and data tomonitor and control access to data (information) of asystem. As for example, password authenticationschemes, access control schemes, firewalls tonetwork, network intrusion detection systems, andencryption methods are types of logical controls.

Physical Control: It monitors and controls thesurrounding place i.e. the environment of thesystems. For example: doors and locks, cameras,barricades, fencing, security guards etc.

Preliminaries [Cont..]

• Encryption

• Authentication

• Authorization

• Auditing

Security Mechanisms

Focus of Control

Three approaches for protection against security threats

a) Protection against invalid operations

b) Protection against unauthorized invocations

c) Protection against unauthorized users

Basic Terminology of Cryptography

Plaintext: the original message or text that is used in an encryption process is called plaintext.

Cipher text: the coded message or the encrypted form of themessage that is found after encryption process has been completed.

Cipher: algorithm or process for transforming plaintext tocipher text.

Key: data (number) used in cipher known only to sender/ receiver.

Encipher (encrypt): Converting plaintext to cipher text.

Decipher (decrypt): Recovering cipher text from plaintext.

Cryptography: Study of encryption principles/methods.

Cryptanalysis (code breaking) : The study of principles/methods of deciphering cipher text without knowing key.

Cryptology : The field of both cryptography & cryptanalysis.

Terminology [Cont..]

Cryptosystem: The system that contains both encryptionand decryption processes. It includes key generation process, encryption and decryption algorithms.

Key Management: The process of generation, transmission and storage of key or keys.

Key generation process: The process or algorithm that generates the key for a cryptosystem is called key generation process. It may include one or more algorithms.

Terminology [Cont..]

Cryptography

Notation Description

KA, B Secret key shared by A and B

Public key of A

Private key of A

K A+

K A−

There two categories of cryptography or cryptosystem.One is symmetric cryptosystem and another isAsymmetric cryptosystem. Cryptography andcryptosystem are synonymous words. In future we shalluse word cryptosystem in case of cryptography.

Symmetric cryptosystem: Same key is used bothin encryption and decryption.

Asymmetric crypto system: One key is used forencryption and another separate key is used fordecryption.

Concept of Cryptography

Symmetric cryptosystem: Here only one key is used in both encryption and decryption processes.

C = EA(K, P) Where C-cipher text, EA- encryption algorithm,

K- key, P- plain text.

Basic Concepts of cryptography

Encryption Algorithm

K

PlaintextCipher text

Encryption Process

P = DA(K, C)Where DA- decryption algorithm.

In symmetric cryptosystem key must be kept secret.

Symmetric cryptosystem

Decryption Algorithm

K

Cipher textPlaintext

Decryption Process

Here two keys are used. One is for encryptionand another different one is for decryption.The key used for encryption is called publickey and published for general use. The keyused for decryption is called private or secretkey. The owner will possess this (private) keyand must be kept secret. In this system everyone who possesses public key can encrypt themessage, but only owner of the private key candecrypt the cipher text.

Asymmetric Cryptosystem

C = EA(Kpub, P)Where Kpub is the public key.

Asymmetric cryptosystem

Encryption Algorithm

Kpub

Plaintext

Cipher text

Encryption Process

P = DA(Kp, C)Where DA- decryption algorithm.

In asymmetric cryptosystem private key must be kept secret.

Asymmetric cryptosystem

Decryption Algorithm

Kp

Cipher textPlaintext

Decryption Process

Cryptography

Intruders and eavesdroppers in communication.

Define transformation as:a b c d e f g h i j k l m n o p q r s t u v w x y zD E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Mathematically give each letter a numbera b c d e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y Z13 14 15 16 17 18 19 20 21 22 23 24 25

Then have Caesar cipher as:C = E(p) = (p + k) mod (26)p = D(C) = (C – k) mod (26)

Caesar Cipher

Write message letters out diagonally over a number of rows

Then read off cipher row by row E.g.,”meet me after the party” write

message out as:m e m a t r h p r y

e t e f e t e a t

Giving ciphertextMEMATRHPRYETEFETEAT

Transposition cipher

RSA CryptosystemThis cryptosystem is invented by Rivest, Shamir and Adleman (RSA) in 1979.

It is a public key cryptosystem, which involves exponentiation modulo a number, n that is a product of two large prime numbers.

The 1024 bits key size is a typical key size for RSA cryptosystem.

1. Select at random two large prime numbers p and q. ( The primes p and q might be, say, 100 decimal digits each. )

2. Compute n by the equation n = pq.

3. Select a small odd integer e that is relatively prime to ϕ (n), where ϕ (n) = (p - 1) (q - 1).

4. Compute d as the multiplicative inverse of e, modulo ϕ (n), i.e., e*d mod ϕ (n) = 1 d = minv (e, ϕ (n))

5. Publish the pair p = (e, n) as RSA public key.

6. Keep secret the pair s = (d, n) as RSA secret key.

RSA Key Generation Process

The Data Encryption Standard (DES) was published in 1977. It is the primary standard and defines the Data Encryption Algorithm (DEA).

Original message is divided into block of 64 bits.

Each 64 bits block is encrypted using private or secret key.

Modern Symmetric Ciphers (DES)

Published in 1977, standardized in 1979. Key: Take 64 bit and drop the bits from

the positions 8, 16, 24, 32, 40, 48, 56, 64. So key= 64 – 8 = 56-bit.

64 bit input, 64 bit output.

DES (Data Encryption Standard)

DESEncryption

64 bit M 64 bit C

56 bits

DES Top View

27

Permutation

Permutation

Swap

Round 1

Round 2

Round 16

Generate keysInitial Permutation48-bit K1

48-bit K2

48-bit K16

Swap 32-bit halves

Final Permutation

64-bit Output

48-bit K164-bit Input56-bit Key

…...

Symmetric Cryptosystems: DES (2)

Details of per-round key generation in DES.

1. Each block of message will be 64 bits. Do initial permutation on 64 bits data and divide it in to two halves.

2. Left half 32 bits and Right half 32 bits.3. Expand right half up to 48 bits by expansion.4. Take 64 bits key (reduced to 56 bits by dropping bits at

positions 8, 16, 24, …, 64) and select 48 bits by permuted choice.

5. Do XOR of 48 bits right half and 48 bits key.6. Select 32 bits from step 5 by S-box substitution choice.

Steps of DES

7. Do P-box permutation (on 32-bits of step 6).8. Do XOR of 32 bits left half and 32 bits right half (from

step-7)9. Result from step 8 will be new right half.10. Old right half from step 2 will be the new left half.The above 10 steps make a cycle of DES.Step 1 to 10 is for one cycle. There will be 16 such cycles. After completion of 16 cycles, we have to do final permutation on data bits to get decrypted data.

Steps of DES [cont..]

MD5: Message Digest Version 5

input Message

Output 128 bits Digest

• Until recently the most widely used hash algorithm

Hash Functions : MD5

The structure of MD5

# Like a handwritten signature.# Cryptographic technique.# Public key cryptosystem is used in digital

signature method.# unforgivable: means only the originator

should be able to produce/ compute the signature value.

# Verifiable: means others should be able to check that the signature has come from the originator.

Digital signature

Message is encrypted using private key (Kp) of the creator or originator.

Simple digital signature

Messagem

Encryption algorithm

Digital signature

S

Kp

Signature creation process

Signature is decrypted using public key (Kpub) of the originator.

Signature verification

SignatureS

Decryption algorithm

Messagem

Kpub

Verification process

Digital signature at a glance

Encryption

Algorithm

Decryption

algorithm

m Kp, A Kpub, A

S S m

For A: For B:

Sending end: Receiving end:Signature creation Signature verification

Suppose that A sends message and B receives it.

1) A produces signature S:S = E(Kp, A, m).

2) Now A enciphers (encrypts) S using B’s public key:C = E(Kpub, B, S).

3) B receives C and deciphers it:S = D(Kp, B, C).

4) B verifies that A signed m:m = D(Kpub, A, S).

Encrypted signature

Encrypted signature at a glance

Encryption algorithm

Encryption algorithm

Decryption algorithm

Decryption algorithm

Sending endReceiving end

C

m Kp, A

S

For A:

Kpub,B

C

Kp, B

SKpub,A

For B:

m

In a secure networking system when a user on a client wants to get service from a server he or she must be authenticated.

A network with Kerberos authentication service grants access to the server if the user is authenticated by Kerberos.

That is, before getting service from a service server, the user must go through Kerberos.

39

Kerberos

It’s first report identified requirements as:• secure• reliable• transparent• Scalable

Implemented using an authentication protocol based on Needham-Schroeder

Kerberos Requirements

A basic third-party authentication scheme It has an Authentication Server (AS)

• users initially negotiate with AS to identify self • AS provides a non-corruptible authentication

credential (ticket granting ticket TGT)

It has a Ticket Granting server (TGS)• users subsequently request access to other

services from TGS on basis of users TGT

Kerberos v4 Overview

42

Kerberos

AS

TGS

KerberosAS –Authentication Server

TGS – Ticket Granting Server

43

Dialogue of Client and AS

Client (CL)

AS

Request (m1)

E-TGT

E-TGT: encrypted ticket granting ticket

44

Dialogue of Client and TGS

Client (CL)

TGS

Request (m2)

E-SGT

E-SGT: encrypted service granting ticket

m3 = idcl + SGTssSGTss = E (Kss, [adcl + idcl + TS2 + LT2])

45

Dialogue of Client and SS

Client (CL)

SS

Request (m3)

Accept or reject

Kerberos 4 Overview

Firewalls

A common implementation of a firewall.

Firewall is a program or hardware device that protects the resources of a private network from users of other networks.

Firewall blocks open ports through which an intruder can gain access to your system and the valuable data you have stored in it.

Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.

As all information passes through firewall, user can know what is happening in the network.

Firewall allows to create rules or set privileges for the type of traffic that can pass through the firewall in both directions.

Firewall blocks malicious viruses from entering your system.

What does a firewall do?

Thank you

TigerHATSwww.tigerhats.org