Embed Size (px)
Citation preview
Cryptography
April 20, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Objectives
Describe symmetric and asymmetric cryptographic methods
Describe hashing and major hash functionsExplain public key infrastructure (PKI)
2
Cryptography?Traditionally, cryptography refers to
The practice and the study of encryptionTransforming information in order to prevent
unauthorized people to read it.
Today, cryptography goes beyond encryption/decryption to includeTechniques for making sure that encrypted
messages are not modified en routeTechniques for secure
identification/authentication of communication partners.
3
Question
2) Which of the following security issues is addressed by cryptographic systems?
a) Confidentiality; i.e. protection against eavesdroppingb) Authentication; i.e. assurance parties involved in a
communication are who they claim to bec) Message integrity; i.e. assurance that messages are not
altered en routed) Availability; i.e. making sure that communication systems
are not shut down by intruders.e) All of the above
4
Basic Terminology
Network
Plaintext“Hello”
Ciphertext “11011101”
Ciphertext “11011101”Plaintext“Hello”
DecryptionAlgorithm
Interceptor
Party A
Party B
Plaintext: original message to be sent. Could be text, audio, image, etc. Encryption/Decryption Algorithm: mathematical tool (software) used
to encrypt or decrypt Key: A string of bits used by to encrypt the plaintext or decrypt the
ciphertext Ciphertext: encrypted message. Looks like a random stream of bits
+ Decryption key
EncryptionAlgorithm
+ Encryption key
HelloHello
5
Basic Terminology (cont.) Encryption:
Converting plaintext into ciphertext using algorithms and keys The size of the ciphertext is proportional to the size of the plaintext Ciphertext is reversible to plaintext
Symmetric Key Encryption: Same key is used both for encryption and decryption Keys are usually identical or trivially identical*
Asymmetric Key Encryption: Also called Public/Private Key Encryption Two different keys are used: one for encryption, one for decryption
Party A Party B
Party AParty B
* Trivially identical means simple transformation could lead from one key to the another.
Flexcrypt: http://www.flexcrypt.com/flexcryptfree.html6
Questions3) Based on how symmetric encryption
systems work, which of the following is the worst thing to happen?
a) An attacker gets a copy of the encryption and decryption algorithms
b) An attacker gets the decryption keyc) a and b are equally damaging
4) Which of the following presents more challenge for exchanging keys between partners?a) Asymmetric encryptionb) Symmetric encryptionc) A and b are equally challenging
7
Symmetric Key Encryption methods
Two categories of methods Stream cipher: algorithm operates on individual bits (or bytes); one at a time Block cipher: operates on fixed-length groups of bits called blocks
Only a few methods are used today
Methods Year approved
Comments
Data Encryption Standard - DES 1977 1998: Electronic Frontier Foundation’s Deep Crack breaks a DES key in 56 hours
DES-Cipher Block Chaining
Triple DES – TDES or 3DES 1999
Advanced Encryption Standard – AES 2001 Most used today
Other symmetric encryption methods
IDEA (International Data Encryption Algorithm), RC5 (Rivest Cipher 5), CAST (Carlisle Adams Stafford Tavares), Blowfish
8
Data Encryption Standard (DES)
DES EncryptionProcess
64-Bit CiphertextBlock
64-Bit DES Symmetric Key(56 bits + 8 redundant bits)64-Bit Plaintext
Block
DES is a block encryption method, i.e. uses block cipher DES uses a 64 bit key; actually 56 bits + 8 bits computable
from the other 56 bits Problem: same input plaintext gives same output ciphertext
9
DES-Cipher Block Chaining
First64-Bit Plaintext Block
DES EncryptionProcess
Second64-Bit Plaintext Block
First64-Bit Ciphertext Block
InitializationVector (IV)
DES EncryptionProcess
Second64-Bit Ciphertext Block
DES Key
DES Key
DES-CBC uses ciphertext from previous block as input making decryption by attackers even harder
An 64-bit initialization vector is used for first block
10
Public Key Encryption methods Asymmetric encryption methods are used both for
Encryption in order to provide confidentialityDigital signature in order to provide partners’ authentication
Methods Year proposed
Comments
RSA by Ron Rivest, Adi Shamir, and Leonard Adleman
1977 1995: First attack in lab conditions was reported
Elliptic Curve Cryptosystem - ECC 1985 Becoming widely used
Other symmetric encryption methods:
Dieffe-Hellman, El-Gamal
11
Hashing Hashing:
Mathematical process for converting inputs into fixed-length outputs
Hash function: Algorithm that does the hashing. Uses an input + a shared secret
or password. Example: MD5, Secure Hash Algorithm.
Hash: Fixed-length output of the hashing
12
Encryption Versus HashingEncryption
Uses a key as aninput to an encryption method
Output is similar inlength to input
Reversible; ciphertextcan be decryptedback to plaintext
Use of Key
Length of Result
Reversibility
Hashing
Password is usually addedto text; the two arecombined, and thecombination is hashed
Output is of a fixedshort length, regardless of input
One-way function; hashcannot be “de-hashed” back to the original string
14
Asymmetric methods in B2B
Phase 1:Initial Negotiation
of Security Parameters
Phase 2:Mutual Authentication
Client PCServer
Phase 3:Key Exchange orKey Agreement
Three Initial “Hand-Shaking” Phases
Phase 4:Ongoing Communication with
Message-by-MessageConfidentiality, Authentication,
and Message Integrity15
Hashing for Authentication
* Challenge Handshake Authentication Protocol
CHAP* is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients
1) After the completion of the link establishment phase, the server sends a "challenge" message to the client.
2) The client responds with a value calculated using a one-way hash function, such as an MD5 or SHA (Secure Hash Algorithm).
3) The server checks the response against its own calculation of the expected hash value. If the values match, the server acknowledges the authentication; otherwise it should terminate the connection.
4) At random intervals the server sends a new challenge to the peer and repeats steps 1 through 3.
Shared secret
Digital Signature for Message-by-Message Authentication
To Create the Digital Signature:
1. Hash the plaintext to create abrief Message Digest; this is NOT the Digital Signature.
2. Sign (encrypt) the messagedigest with the sender’s privatekey to create the Digital Signature.
3. Transmit the plaintext + digitalsignature, encrypted withsymmetric key encryption.
Plaintext
MD
DS
Hash
Sign (Encrypt)with Sender’sPrivate Key
4. Encrypted withSession Key
DS Plaintext
Sender Receiver
17
Digital Signature for Message-by-Message Authentication
To Test the Digital Signature
5. Hash the received plaintextwith the same hashing algorithm
the sender used. This givesthe message digest.
6. Decrypt the digital signaturewith the sender’s public key.
This also should give themessage digest.
7. If the two match, themessage is authenticated.
MD
Received Plaintext
MD
DS
5. 6.
HashDecrypt withTrue Party’sPublic Key
7.Are they equal?
Plaintext
MD
DS
Hash
Sign (Encrypt)with Sender’sPrivate Key
18
