Cryptography (One Day Cryptography Tutorial)

1
Cryptography(One Day Cryptography Tutorial)

• By
• Dr. Mohsen M. Tantawy

2
Definitions
3
Definitions

• Plaintext easy to understand form(original
  message)
• Ciphertext difficult to understand form
• Encryption encoding (plaintext -gt ciphertext)
• Decryption decoding(ciphertext -gt plaintext)
• Cryptology study of encryption
• Cryptography use of encryption
• Cryptanalysis breaking encryption

4
Definitions
Group of individuals

• AliceShe is an end user/computer without
  malicious intentions, one of the main users of
  cryptography.
• BobHe is Alices friend and is also a main user
  of cryptography, without malicious intentions.
• CathyAnother user of cryptography she does not
  usually have a large roll nor malicious
  intentions.
• EveA malicious user that does not interfere with
  communications. She simply wants to eavesdrop on
  the conversation between two other characters,
  typically Alice and Bob, but does not actively
  try to attack the communication.
• MalloryThe malicious user. Always trying to
  thwart attempts by other characters to
  communicate securely.
• TrentHe is a trusted third party. He only
  communicates with Alice, Bob, or Cathy when they
  ask for his help. He can always be trusted to do
  what he says he will do.

5
Group of individuals

• Hacker is a general term that has historically
  been used to describe a computer programming
  expert. More recently, this term is commonly used
  in a negative way to describe an individual that
  attempts to gain unauthorized access to network
  resources with malicious intent.
• Cracker is the term that is generally regarded
  as the more accurate word that is used to
  describe an individual that attempts to gain
  unauthorized access to network resources with
  malicious intent.

6
Group of individuals

• Phreaker is an individual that manipulates the
  phone network in order to cause it to perform a
  function that is normally not allowed. A common
  goal of phreaking is breaking into the phone
  network, usually through a payphone, to make free
  long distance calls.
• Spammer is an individual that sends large
  quantities of unsolicited email messages.
  Spammers often use viruses to take control of
  home computers in order to use these computers to
  send out their bulk messages.
• Fisher uses email or other means in an attempt
  to trick others into providing sensitive
  information, such as credit card numbers or
  passwords. The Phisher will masquerade as a
  trusted party that would have a legitimate need
  for the sensitive information.

7
Group of individuals

• White hat is a term used to describe
  individuals that use their abilities to find
  vulnerabilities in systems or networks, and then
  report these vulnerabilities to the owners of the
  system so that they can be fixed.
• Black hat is another term for individuals that
  use their knowledge of computer systems to break
  into systems or networks that they are not
  authorized to use.

8
Definitions

• KeyA random piece of data used with encryption
  and decryption. Encryption and decryption
  algorithms require a key and plain text or cipher
  text to produce cipher text or plain text,
  respectively.
• Security Association A set of information that
  describes how the communicating entities will
  utilize security.

9
Modern Cryptography
10
Types of Cryptographic Systems

• Symmetric-key cryptosystems
• Asymmetric-key or Public-key cryptosystems
• Hybrid (Symmetric-key and Asymmetric-key)
  cryptosystems

11
Symmetric Encryption

• Uses conventional / secret-key / single-key
• Sender and recipient share a common key
• All classical encryption algorithms are
  private-key
• The only type prior to invention of public-key in
  1970s

12
Symmetric Cipher Model
13
Requirements

• Two requirements for secure use of symmetric
  encryption
• Strong encryption algorithm
• Secret key known only to sender / receiver
• Y EK(X)
• X DK(Y)
• Assume encryption algorithm is known
• Implies a secure channel to distribute key

14
Block ciphers and Stream ciphers

• Each secret-key cryptography algorithm or cipher
  typically works in two phases
• key set-up phase
• ciphering or encrypt and decrypt phase.
• There are two major classes of these algorithms
  block ciphers and stream ciphers.
• Block ciphers encrypt plaintext in units of
  blocks and likewise decrypt cipher text in units
  of blocks.
• Stream ciphers encrypt plaintext in one stream
  and decrypt cipher text likewise.

15
Block cipher operation
16
Stream cipher operation
17
Mode of Operation

• There are three important block cipher modes
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback Mode (CFB)

18
Electronic Codebook Book (ECB)
19
Cipher Block Chaining (CBC)
20
Cipher FeedBack (CFB)
21
Output FeedBack (OFB)
22
Symmetric-key cryptosystems

• Examples of symmetric key algorithms are as
  follows
• Data Encryption Standard (DES) (56bits)
• Triple DES (3DES) (168 bits)
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
  (128 bits)
• Rivets Cipher 4 (RC4) (variable length key)

23
DES Encryption
24
Initial Permutation IP

• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)

25
DES Round Structure

• uses two 32-bit L R halves
• as for any Feistel cipher can describe as
• Li Ri1
• Ri Li1 xor F(Ri1, Ki)
• takes 32-bit R half and 48-bit subkey and
• expands R to 48-bits using perm E
• adds to subkey
• passes through 8 S-boxes to get 32-bit result
• finally permutes this using 32-bit perm P

26
DES Round Structure
27
Substitution Boxes S

• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
• outer bits 1 6 (row bits) select one rows
• inner bits 2-5 (col bits) are substituted
• result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data key
• feature known as autokeying

28
Triple DES

• clear a replacement for DES was needed
• theoretical attacks that can break it
• demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple
  encryption with DES implementations
• Triple-DES is the chosen form

29
Triple-DES with Two-Keys

• hence must use 3 encryptions
• would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
• C EK1DK2EK1P
• if K1K2 then can work with single DES
• standardized in ANSI X9.17 ISO8732
• no current known practical attacks

30
Triple-DES with Three-Keys

• although are no practical attacks on two-key
  Triple-DES have some indications
• can use Triple-DES with Three-Keys to avoid even
  these
• C EK3DK2EK1P
• has been adopted by some Internet applications,
  eg PGP, S/MIME

31
Triple DES (3DES)

• The technique used by 3DES is known as EDE
  (Encrypt-Decrypt-Encrypt).
• The plaintext message is encrypted using the
  first 8 bytes of the 3DES.
• Then the message is decrypted using the middle 8
  bytes of the key.
• Finally, the message is encrypted using the last
  8 bytes of the key to produce an 8-byte block.

32
Triple DES (3DES)
33
AES Requirements

• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger faster than Triple-DES
• active life of 20-30 years ( archival use)
• provide full specification design details
• both C Java implementations

34
Rijndael

• data block of 4 columns of 4 bytes is state
• key is expanded to array of words
• has 9/11/13 rounds in which state undergoes
• byte substitution (1 S-box used on every byte)
• shift rows (permute bytes between groups/columns)
  
• mix columns (subs using matrix multipy of groups)
  
• add round key (XOR state with key material)
• view as alternating XOR key scramble data bytes
• initial XOR key material incomplete last round
• with fast XOR table lookup implementation

35
Rijndael
36
Byte Substitution
37
Shift Rows
38
Mix Columns
39
Add Round Key
40
AES Decryption
41
Asymmetric-key or Public Key Encryption

• Based on mathematical algorithms
• Asymmetric
• Use two separate keys
• Public Key issues
• Plain text
• Encryption algorithm
• Public and private key
• Cipher text
• Decryption algorithm

42
Public Key Encryption Encryption
43
Public Key Encryption Authentication
44
Public Key Encryption - Operation

• One key made public
• Used for encryption
• Other kept private
• Used for decryption
• Infeasible to determine decryption key given
  encryption key and algorithm
• Either key can be used for encryption, the other
  for decryption

45
Steps

• User generates pair of keys
• User places one key in public domain
• To send a message to this user, encrypt using
  public key
• User decrypts using private key

46
Digital Signature

• Sender encrypts message with their private key
• Receiver can decrypt using senders public key
• This authenticates sender, who is only person who
  has the matching key
• Does not give privacy of data
• Decrypt key is public

47
Asymmetric-key or Public-key Cryptosystems

• There are many examples of commonly used
  public-key systems including
• Diffie-Hellman
• Rivest, Shamir, Adleman (RSA)
• Digital Signature Algorithm (DSA) /
• Al Gamal
• Elliptic Curve Cryptosystem (ECC)

48
Diffie-Hellman Key Exchange

• first public-key type scheme proposed
• by Diffie Hellman in 1976 along with the
  exposition of public key concepts
• note now know that James Ellis (UK CESG)
  secretly proposed the concept in 1970
• is a practical method for public exchange of a
  secret key

49
Diffie-Hellman Key Exchange
50
RSA Algorithm

• Were using Big Integers here
• Choose large secret prime numbers p and q
• Calculate N p q
• Choose exponent e such that
• gcd(e, (p-1)(q-1)) 1
• Normally choose 3, 17 or 65537
• Public key is pair N and e
• Choose d so that
• e d 1 (mod (p-1)(q-1))
• Private key is d (for efficiency d, p, q)
• Encryption c me (mod N)
• Decryption m cd (mod N)

• Baby example
• p7, q11
• N77
• 37
• gcd (37,(7-1)(11-1)) 1
• 77, 37
• 13
• 37134811(mod 60)
• 13
• 237 mod 77 51
• 5113 mod 77 2

51
Public Key Certificate Use
52
Digital certificates
53
Digital certificates

• Digital certificates include
• A public key
• An individual or organisations details
• A digital signature from a certifying authority
  (CA)
• This states that the CA has seen proof of
  identity
• Common certifying authorities
• VeriSign, Thawte, Equifax Secure, British Telecom
• CAs are themselves certified by other CAs
• A few root CAs are usually trusted

54
Message Authentication
55
Message Authentication Code

• Generate authentication code based on shared key
  and message
• Common key shared between A and B
• If only sender and receiver know key and code
  matches
• Receiver assured message has not altered
• Receiver assured message is from alleged sender
• If message has sequence number, receiver assured
  of proper sequence

56
Hash Functions vs. MAC
57
Hash Functions
Message M

• Hash Function
• Generate a fixed length Fingerprint for an
  arbitrary length message
• No Key involved
• Must be at least One-way to be useful
• Constructions
• Iterated hash functions (MD4-family hash
  functions) MD5, SHA1,
• Hash functions based on block ciphers
  MDC(Manipulation Detection Code)

H
Message Digest D D H(M)
58
Message Authentication Codes (MACs)

• MAC
• Generate a fixed length MAC for an arbitrary
  length message
• A keyed hash function
• Message origin authentication
• Message integrity
• Entity authentication
• Transaction authentication

Shared Secret Key
MAC
MAC
SEND
MAC
59
Comparison of Hash Function MAC
Arbitrary length
Arbitrary length
message
message
Hash function
MAC function
Secret key
Hash
MAC
fixed length
fixed length

• Easy to compute
• Compression arbitrary length input to fixed
  length output
• Unkeyed function vs. Keyed function

60
Symmetric Authentication (MAC)
Bob
Alice
Message
Message
MAC
MAC
transmit
Secret key algorithm
Secret key algorithm
KAB
KAB
Shared Secret key between Alice and Bob
Shared Secret key between Alice and Bob
MAC?
no
yes
61
Digital Signature
Bob
Alice
Message
Signature
Message
Signature
transmit
Hash function
Hash function
Hash value
Hash value 1
Alices Public key
Public key algorithm
no
yes
Hash value 2
Alices Private key
Public key algorithm
62
Hashing

• A hashing algorithm refers to a mathematical
  function that takes a variable- size string as
  input and transforms (hashes) it into a
  fixed-size string, which is called the hash
  value.
• One of the most common uses of hashing in network
  security is to produce condensed representations
  of messages or fingerprints, often known as
  message digests, by applying a hashing
  algorithm to an arbitrary amount of data the
  message.
• The two most commonly used hashing algorithms are
  MD5 and SHA1 (part of the secure hash standard
  SHS).

63
Using One Way Hash
64
Secure Hash Functions

• Hash function must have following properties
• Can be applied to any size data block
• Produce fixed length output
• Easy to compute
• Not feasible to reverse
• Not feasible to find two message that give the
  same hash

65
SHA-1

• Secure Hash Algorithm 1
• Input message less than 264 bits
• Processed in 512 bit blocks
• Output 160 bit digest

66
Message Digest GenerationUsing SHA-1
67
Key Management
68
ISAKMP

• The Internet Security Association and Key
  Management Protocol (ISAKMP) is defined
  primarily as a very comprehensive framework for
  key management offering maximum flexibility
• OAKLEY is defined based on the DiffieHellman
  key-exchange algorithm.
• IKE, on the other hand, is defined primarily to
  be the key management for the IPSec Architecture
  and makes use of parts of the ISAKMP and OAKLEY
  definitions.

69
ISAKMP

• ISAKMP defines procedures and packet formats to
  establish, negotiate, modify, and delete SAs.
• ISAKMP only describes the procedures, i.e., how
  something is done.
• ISAKMP is independent of the security protocols,
  cryptographic algorithms, and key-generation and
  key-exchange techniques that are actually used.

70
ISAKMP phases

• ISAKMP offers two phases of negotiation.
• In the first phase, the two entities agree on how
  to protect further negotiation traffic between
  themselves, establishing an ISAKMP SA.
• The second phase of negotiation is used to
  establish security associations for other
  security protocols. The security associations
  established by ISAKMP during this phase can be
  used by a security protocol to protect many
  message or data exchanges.

71
ISAKMP and TCP/IP
72
OAKLEY

• The OAKLEY protocol allows two authenticated
  entities to exchange and establish secret keying
  material.
• It is designed to be a compatible component of
  ISAKMP.
• The two communicating entities negotiate methods
  for encryption, key derivation, and
  authentication.
• The basic mechanism of OAKLEY is the
  DiffieHellman key-exchange algorithm, which
  establishes a shared key without transmitting
  this key.

73
OAKLEY Key Exchange

• An OAKLEY key exchange is made up of a sequence
  of message exchanges.
• The goal of key-exchange processing is the secure
  establishment of a common keying information
  state in the two communicating entities.
• This state information consists of a key name,
  secret keying material, the identities of the two
  parties, and three algorithms for use during
  authentication
• encryption
• hashing, and
• authentication

74
IKE

• IKE is the protocol that performs mutual
  authentication and establishes SAs between two
  parties for IPSec.
• IKE uses parts of ISAKMP, OAKLEY, and SKEME to
  provide management of keys and security
  associations.

75
Key ISAKMP, OAKLEY, AND SKEME concept in IKE
76
Digital CertificatesDigital Signatures (Data
Origin Authentication, Data Integrity, and
Non-repudiation)
Digital Signature
77
Digital Signature with Hash Function
78
Pretty good privacy (PGP)

• PGP Encryption (Pretty Good Privacy) is a
  computer program that provides cryptographic
  privacy and authentication.
• Public key cryptography, also known as asymmetric
  cryptography, is a form of cryptography in which
  a user has a pair of cryptographic keys - a
  public key and a private key
• It was originally created by Philip Zimmermann in
  1991.

79
Pretty Good Privacy
PGP encryption
80
Pretty Good Privacy
PGP decryption
81
Applications of Cryptosystems

• Automatic Teller Machines
• Phone Cards
• Cellular Phone Networks
• Remote System Access
• Credit Cards
• Electronic Cash
• Medical Records