Embed Size (px)
Citation preview
Module 3 – Cryptography
• Cryptography basics
• Ciphers
• Symmetric Key Algorithms
• Public Key Algorithms
• Message Digests
• Digital Signatures
• Definitions (Encryption, Decryption, Plaintext, Ciphertext)
• Symmetric Key Algorithms
• Public Key Cryptography
Cryptography Basics
Encryption DecryptionPlaintext Ciphertext
OriginalPlaintext
Encryption DecryptionPlaintext Ciphertext
OriginalPlaintext
Key
Encryption DecryptionPlaintext Ciphertext
OriginalPlaintext
EncryptionKey
DecryptionKey
Key
Types of cipher
• Stream cipher– Each bit (or byte) is encrypted or decrypted individually– Simple substitution ciphers (ROT13, XOR)
• Example - ROT13– abcdefghijklmnopqrstuvwxyz– nopqrstuvwxyzabcdefghijklm
• Block cipher– A sequence of bits (or bytes) is used at each step in the
encryption and decryption process (DES)
rot is insecureebg vf vafrpher
Symmetric Algorithms
• Substitution (ROT13, Cryptoquotes)• Transposition• XOR• One Time Pad• DES• IDEA• RC2, RC4, RC5
Not the mo
st secure
algorithm
in the wor
ld.
Nsail
otlnd
t g
sot.
terh
hcie
eut
rhw
memo
o rNot the most secure algorithm in the world.
Nsailotlndt g sot.terh hcie eut rhw memo o r
Digital Encryption Standard (DES)
• A block cipher with a 56-bit key length– Acutally a 64-bit number, but every 8th bit is ignored
• Operates on a 64-bit block of plain text at a time– 64 bits of plaintext come in --> 64 bits of ciphertext come out
• Performs 16 rounds, where in each round– the input bits are permuted– a key is applied to the resulting permutation
• The key is shifted before each round• The same algorithm and key are used for encryption
and decryption, with a different key schedule
Advanced Encryption Standard (AES)
• A block cipher with a 128-bit block size• Key lengths of 128, 192, and 256 bits supported• Operates on a 4x4 array of bytes• Each round has four steps:
– AddRoundKey (uses XOR operation with subkey)– SubBytes (Each byte is replaced based on a lookup table)– ShiftRows (bytes in each row are shifted to the left)– MixColumns (each column is multiplied by a fixed
polynomial)
Public Key Cryptography
• A public key - private key pair are used, one for encryption and the other for decryption
Public Key:n - product of two primes, p and q (p and q are secret)e - relatively prime to (p-1)(q-1)Private Key:d - e-1mod ((p-1)(q-1))Encrypting:c = me mod nDecrypting:m = cd mod n
• Let p=3, q=11• n=pq=33• e must be relatively prime to (p-1)(q-1)=20• choose e = 7, then d = 7-1 mod 20 = 3• Plaintext is 3,4,2 (m1=3, m2=4, m3=2)• c1=m1
e mod n = 37 mod 33 = 9• c2 = m2
e mod n = 47 mod 33 = 15• c3 = m3
e mod n = 27 mod 33 = 29• Ciphertext is 9,15,29• m1=c1
d mod n = 93 mod 33 = 3• m2=c2
d mod n = 153 mod 33 = 4• m3=c3
d mod n = 293 mod 33 = 2• Plaintext is 3,4,2
Message Digests
• A message digest is a one-way function which maps the information contained in a (small or large) file to a single large number, typically between 128 bits and 256 bits in length.
• A good message digest function should have the following properties:– Every bit of the output is influenced by every bit of the input– Changing a single bit in the input results in every output bit
having a 50% chance of changing– Given an input file, its corresponding digest, and the digest
function, it is computationally infeasible to produce another input file which maps to the same digest
Message
DigestAlgorithm
Hash
BlockCipher
Message Authentication
Code
MAC Message
Secret Key
Operation of a message digest function to produce a message authentication code
Message Digests (continued)
• HMAC• The Hashed Message Authentication Code uses a secret
key in combination with a message digest function to produce a secret message authentication code
• Since an attacker doesn’t know the secret, the attacker cannot produce a correct authentication code if they alter the message in an way
• SHA-1• Developed by the NSA for use with the Digital
Signature Standard
Private Key
MessageHash
Function
Digest
Encrypt
Signature
Message
Signature
Hash Function
Decrypt
Public Key
Message
ActualDigest
ExpectedDigest
If actual and expected match, the signature is verified
Originator RecipientTransmitted Message
RSA Digital Signature
Roles for Cryptography
• Authentication– Digital signatures
• Authorization– Distribution of lists of authorized users
• Confidentiality– Information is scrambled in transit or on disk
• Integrity– Digitally signed message digest codes
• Non-repudiation– Cryptographic receipts
Cryptography can’t:
• protect unencrypted documents• protect against stolen encryption keys• protect against DOS (denial of service)• protect against traffic analysis• protect against a passerby
SSL
• Resides above TCP/IP on the protocol stack• Adds numerous features to TCP, including
– Authentication to server (digital signature)– Authentication to client (digital signature)– Data confidentiality (encryption)– Data integrity (Message authentication codes)
