+

Basic Cryptography and Public Key Infrastructure

SIOCO.TUAZON

Learning Objectives
 

Use cryptographic terminologies Define the different types of cryptographic attacks Differentiate between types of cipher Discriminate between symmetric and asymmetric encryption Explain why hashing is used Describe the use of cryptographic standards and protocols Describe how cryptographic techniques are applied and integrated Discuss Public Key Infrastructure

 

 

Overview
 Cryptology

of codes and secret messages  Writing and deciphering

 Study  Cryptography

Science of writing secret codes  Hide messages  Achieve security goals and avoid serious IT security risks


Foundations of Cryptography


Cryptanalysis deciphering messages or codes

o o o o

Simple message / plaintext Secret key Algorithm Cipher text

Cryptosystems combination of algorithm, keys, cryptographic standards and protocols, and agreed technical methods

Strong cryptosystems, algorithms, and keys

 

Caesar cipher uses a simple algorithm Strong systems nowadays use algorithms consisting of a series of formulae Key space range of numbers from which the algorithm can choose the key Risks to avoid
 

Key clustering Using long keys

Cryptographic Attacks


Deliberate attempt is made to break cryptography Uses technology, guessing, frequency charts, frequency analysis, clues to context Can be carried out by:
 

Cipher text-only attack Plaintext attack

 

Known plaintext Chosen plaintext

Brute force attack

Types of Cipher
1.
o o o

Substitution ciphers
A character is replaced with another in a logical manner Caesar cipher Polyalphabetic ciphers extensions which use two or more simple alphabetical substitutions

Types of Cipher
2. Transposition ciphers
o o o

Accomplished in three steps Plaintext is written across in a predetermined number of columns Text is transposed by writing the vertical columns horizontally, and reconstructed Not as simple as substitution ciphers Needs special techniques for decryption

o o

Types of Cipher
3.
o o o o

Product ciphers
Formed by combining two other kinds of cipher Stronger form of cipher Words lengths are not the same as the original plaintext Characters have switched places

Types of Cipher
4.
o o

One-time pad
Consists of a stream of bits The value of the first bit of the plaintext is added to the value of the first bit of the plaintext message and then recorded Lengths of the one-time pad and the message are the same Strength = never used again No algorithm, no key = no brute force attack

o o o

Types of Cipher
5.
o o o

Running key ciphers

Also non-mathematical in nature Based on books or texts in a prearranged fashion Ex. using an ad to communicate the message

Types of Cipher
6.
o o o

Steganography
Another method of hiding data Does not depend on algorithms and keys Hides information in a container file and using least significant bits (LSB) to transport data Hidden in .mp3, .gif, or .jpeg files Very secure but complex method

o o

+
7.

Types of Cipher
Block and stream ciphers
Block ciphers compared to stream ciphers o stronger but slower o Errors may be propagated easily which damage the whole message

Symmetric Cryptography

Also known as Secret Key System assumes that key management is not a problem assumes that both parties developed secure techniques for sharing keys over long distances assumes the size of firm is small and does not wish to expand to develop a network with the other party

Symmetric Cryptography
  

Major advantage: Speed used to ensure authentication reduce risks of sharing secret data with a non-trusted party

Common Symmetric Algorithms

  

Data Encryption Standard (DES) Triple DES Advance Encryption Standard (AES)

Data Encryption Standard

Standard to which all block ciphers are compared replaced with Advance Encryption Standard sender and receiver must know the secret key used for a single-user encryption Works by iterating 16 cycles of transposition and substitution downfall was caused by increased computing power

Triple DES
 

there are three modes each modes provides a 112-bit effective key length with 48 rounds of substitution iterated within the algorithm proved to be a very strong algorithm

Advance Encryption Standard



Security goal: the best attack against it should be key exhaustion built on the Rijndael Algorithm Based on substitution and row transposition predicted to have a long life reduces the risk for costly implementations

   

Asymmetric Cryptography
  

Also known as Public Key Systems based on the use of two different keys mathematics is complex and processing time is slower than symmetric improved key management processes better scalability

 

Asymmetric Cryptography


use this form to provide authentication and non-repudiation as well as confidentiality Sender and receiver control a public key and a private key major benefit: security and convenience is provided

 

Common Asymmetric Algorithms

 -

Conditions: Generation of key pair must be easy encryption and decryption have to be straightforward operations the public key should be hard to compute from the corresponding secret key

Rivest-Shamir-Adleman (RSA) encryption



based mathematically on the fact that it is hard to determine the factors of prime nos. related to the assumption that factoring is difficult

Rivest-Shamir-Adleman (RSA) encryption

Steps:
-

Find the modulus Choose a number, e, less than n and relatively prime to (p1)(q-1) find another number, d, such that (ed-1) is divisible by (p1)(q-1) public key is pair (n,e) and private key is (n,d)

Elliptical Curve Cryptography

 

Based on elliptical curve theory Used to create faster, smaller and more efficient cryptographic keys Generates keys through the properties of elliptic curve equation Widely used for mobile applications Proposed in 1985 by neal koblitz and Victor Miller

 

Elliptical Curve Cryptography

 

elliptical curve- looping line intersecting two axes Based on properties of a particular type of equation created from the mathematical groups

Hashing
 

Hash: chop and mix Hashing is used, with or without cryptography:  to supply assurance that a message has not been altered or modified in transmission, and  to determine for us whether the number of bits of text received are the same in length and nature of those transmitted.

Hashing is important to ensure that risk to message integrity is reduced. NOTE WELL that hashing is not encryption in itself. It is just a means to guarantee the authenticity of the message

Hash Algorithms


A hash algorithm is a mathematical expression containing one or more hash functions. A hash function is a mathematical function that is easy to calculate but difficult to reverse engineer so as to get the inverse. A hash value is the result of applying hash function

Message Authentication Code or Digest



When combined with cryptography, hashing can be a powerful guarantee of message integrity. A cryptographic algorithm can be applied to a documents hash value. This is a message digest A message digest has to be cryptographically deciphered by the receiver and then put through the same function used by the sender and compare the two values
 

If they are the same, the message has not been modified. It is not necessary, in all circumstances to divulge the contents of a document to prove its integrity.

Digital Signature
 

Combine hash functions with PK cryptography to verify identity The purpose of a digital signature is to provide authentication so that the sender of the message can be sure that it has been sent to the correct person. Example: Message Digest + Digital Signature


  

Generate a message digest by using a hash function on message  Acts as a guarantee of message authenticity  If any part of the message were changed, so would the hash value Encrypt message digest with private encryption key (this serves as the digital signature) The receiver can only open the message if he/she has the senders public encryption key. Compare the hash values of the message digest sent and the that generated by the receiver using the decrpyted message digest.

Key Exchange Protocols



It is important to establish protocols by which cryptographic keys can be exchanged. We need to have a pre-established method for exchanging cryptographic keys so we can decipher each others email messages Popular protocols
  

Privacy Enhanced Mail Message Security Protocol Pretty Good Privacy

Key Exchange Protocols

Privacy Enhanced Mail Allows secure email over the internet and within large enterprises Based on both DES and RSA algorithms Its architecture resembles PKI and is a hierarchical trust model clustered around a central authority. Message Security Protocol Resembles Privacy Enhanced Mail. Used in secret and defence applications (not disclosed by US National Security Agency). Pretty Good Privacy Implemented within freeware. Allows users to develop key rings. Each user develops trust with others and collect their public keys. The structure resembles a web. You trust me and I trust you, then you will trust my friends, and I yours Can establish degree of trust with different groups of users

Cryptographic authentication techniques



Two common approaches are:

 

Challenge and response protocols Digital signatures

Identification is the process whereby a user asserts their identity. Authentication is when a user proves their identity to the system.
  

ID (identification) then password (authentication) Use of magnetic cards Recall of shared secret and PIN number

A cryptographic form of authentication can be used in a challenge response mechanism

Cryptographic Applications and a Public Key Infrastructure



Components that are assembled to produce a complete cryptographic framework to protect an enterprises data and electronic transactions
    

Software Hardware Algorithms Standards Protocols

This complete framework is called a Public Key Infrastructure

Certificates
 

The major item required by an individual is a certificate. It contains the public key linked to the personal ID of the certificate holder, and it could include other details, such as a validity period. Must by endorsed by the certification authority with a digital signature. Signed combination of personal data and public key becomes the certificate Exists to link a discrete public key and a specific identity.

Certificate authorities
 

Trusted third party who issues, manages and controls certificates An organization has the choice of implementing a complete PI internally or using the services of an external provider. Certificates do not have to be kept secure or confidential since the CA is a trusted third party and can be proved genuine and reliable via its own private key Can only guarantee confidential transaction of the link between the ID of the certificate holder and the ID of the public key holder. Does not guarantee the users professionalism, financial security, integrity or identity/authorization No guarantee that parties will commit in transactions

Registration authorities
 

A subsection of certification authorities Purpose: to check the ID of a certificate holder and manage the data in his part of the transaction. Provides secure communications between: individual, itself, and the CA Cannot issue certificate Might e an integral part of the same organization as the CA or can be totally separate

 

The PKI Process: certification

Obtain a private and public key pair Generate pair then give pub key to CA Ask CA to generate then get private key Apply to RA for certificate Prove identity via public documents RA verifies then send a request for a certificate from a CA Certificate is issued and bound to users public key and ID Version Serial number (unique) Signature and algorithm ID Name of C Validity period Username Public key CAs ID Users ID

The PKI Process: communication

User requests receivers certificate public key

From a trusted public certificate directory User uses the CAs public key to decipher the message digest of the certificate

He can then create a temporary session key

And encrypt it with the receivers public key And send it with his own public key and certificate

Receiver can use software to check

whether it trusts the CA Whether the senders certificate is still current Whether he has done suspicious transactions Whether it might be revoked

If the CA is trusted
The pair can trust each other within this business interaction PKI does not carry any kind of attached moral or ethical judgment