www.novell.com

The Secrets of Keeping SecretsThe Secrets of Keeping Secrets

Gary J PorterSenior Network AnalystMindWorks, Inc. of Kentuckyporter@digitalme.com

Crypto—ASCII style

• ASCII represents 27 bits (128) which can represent all of the English alphabet plus punctuation

A = 1000001 a = 1100001

• Because ASCII uses bits to represent letters,

it’s a kind of cypher

Transposition Cipher

• One of the simplest transposition ciphers substitutes the first and second digits and the third and forth digits

• Megan ASCII— 1001101 1100101 1100111 1100001 1101110 Cypher— 0110101 0011101 0011111 0011001 0010110

• 5 ) 1 % “

Key-Based Algorithm

The security of key-based algorithms is based on

the secrecy of the algorithm, the key(s), or both

Private Key Cryptosystem(Symmetric)

Dear Cindy,

You are so

beautiful!

ANQR1DBw

4DokTETykx

LwQB/9JZe

7eCzXW

9iYVNOT

HWjioKOI

Dear Cindy,

You are so

beautiful!

ANQR1DBw

4DokTETykx

LwQB/9JZe

7eCzXW

9iYVNOT

HWjioKOI

Clear TextClear Text Clear TextClear TextCypher TextCypher Text Cypher TextCypher Text

Same Encryption KeySame Encryption Key

Modified Substitution Cipher

• Message = COOL

• In ASCII

• Key = MEGAN

• Ciphertext

1000010100111110011111001100

01101010011101001111100110010010110

1110111101001010100001010101

Key longer than message is okayKey longer than message is okay

Modified Substitution Cipher

• Can be broken with simple techniques• Not secure

SECURE

Whitfield Diffie

• Interested (obsessed!) with the key distribution problem

• Imagined two strangers meeting on the net—wondered how they would send secret messages

• Was reluctant to even talk to Diffie

• Eventually became Diffie’s crypto-partner

• Solved the key exchange problem

Martin Hellman

Cryptography: Algorithms and Keys

• A method of encryption and decryption is called a cipher

• Generally there are two related functions Encryption Decryption

• All modern algorithms use a key to control encryption and decryption

• Encryption key may be different from decryption key

From the Minds of Diffie/Hellman

• The postal problem...

Demonstration

Postman

To: Wilt Diffie

Wow! I can see inside. I think I’ll

take a look!

Got here safely.

Postman

I’ll lock it this time

Postman

Hummm!

I can’t see either—I’ll lock it too!

Postman

Postman

Postman

Postman

Postman

• Alice’s key abcdefghijklmnopqrstuvwxyz EDIRCTOYNUWAPFLMBGJZHKQXVS

• Bob’s key Abcdefghijklmnopqrstuvwxyz ZNAMSREVILYUCKOGJTBWDXQHPF

• Message lost my hotel key• Encrypted with Alice’s key ALJZ PV YLZCA WCV• Encrypted with Bob’s key UOBW CP VOWSU YSP• Decrypted with Alice’s key HLDQ IM KLQJH VJM• Decrypted with Bob’s key VUMJ IC YUJLV XLC

Why the Postal Example Won’t Work

One-Way Functions

• Diffie and Hellman were not interested in two-way functions, only solving the problem with one-way functions

• Because they could imagine the postal example, there MUST be a solution

sender receiver

Bob Alice

Enck

Types of Algorithms

Symmetric (Encryption)

M ciphertext ciphertext Mencryption decryption

Deck

kk

sender receiver

Bob Alice

One-Way Function

Demonstration

5 + 10 (mod 12) = 38 + 31 (mod 12) = 3

Diffie/Hellman Key Exchange Technique

Demonstration

2929292956565656

729 mod (98219) = 75149 756 mod (98219) = 67665

6766529 mod (98219)

40912

7514956 mod (98219)

40912

7N mod (98219)

75149

7N mod (98219)

67665

A Mathematical Genius?!

•Whitfield Diffie is best known for his 1975 discovery of the concept of Public Key Cryptography

Rivest Shamir Adleman

Types of AlgorithmsPublic Key (Asymmetric Encryption)

encryption decryption

M ciphertext ciphertext MEncpubkey Decprivkey

sender receiverprivkeyprivkeypubkeypubkey

encryption decryption

M ciphertext ciphertextEncpubkey Dec

privkeyprivkey

pubkey

pubkeypubkey

Types of AlgorithmsPublic Key (Asymmetric Encryption)

sender receiverpubkeypubkey

encryption

decryptionM ciphertext

ciphertext TRASH!TRASH!

Encpubkey

Dec

pubkeypubkey

pubkey

Types of AlgorithmsPublic Key (Asymmetric Encryption)

sender receiverpubkeypubkey privkeyprivkey

pubkeypubkey

Encryption and Decryption

The following identity must hold true

D(C) = M, where C = E(M)

M is the message, E is encryption, C is Ciphertext, D is decryption

Jna fq Jna fq

h5tunh5tun

b89d`b89d`

58jdf[58jdf[

835gj835gj

EE DDM

CCM

Secret Key Cryptography

K is the secret key shared by both the

sender (S) and receiver (R)

S R

Jna fq Jna fq

h5tunh5tun

b89d`b89d`

58jdf[58jdf[

835gj835gj

EE DDM

CCM

K K

Symmetric EncryptionSymmetric EncryptionSymmetric EncryptionSymmetric Encryption

Public Key Cryptography

KR(pub) is Receiver’s public key and KR(pri)

is Receiver’s private key

S R

Jna fq Jna fq

h5tunh5tun

b89d`b89d`

58jdf[58jdf[

835gj835gj

EE DDM

CCM

KR(pub) KR(pri)

Asymmetric EncryptionAsymmetric EncryptionAsymmetric EncryptionAsymmetric Encryption

• RSA works by using a mathematical function

that is (comparatively) easy to compute while encrypting, but very difficult to reverse without knowing the private key

• RSA works by selecting two large prime numbers

RSA Key Generation

• Pick large random primes p,q

• Let p*q = n and =(p-1)(q-1)

• Choose a random number e such that: 1<e< and gcd(e, )=1 (relative primes)

• Calculate the unique number d such that 1<d< and d*e 1 (mod ) (d is inverse of e)

• The public key is {e,n} and the private key is {d,n}

• The factors p and q may be kept private or destroyed

Pierre de Fermat

• Discovered that—if you use a prime number for the modulus, then raising a number to the power (prime-1) is always 1 m(p-1) mod p = 1 According to Fermat, this works with any prime

number p and any positive m that’s less than p, therefore 1 < m < p

• What is 710 mod 11

Leonhard Euler (pronounced “Oiler”)

• Discovered Fermat’s relationship held true when using the product of two primes as the modulus n = pq m(p-1)(q-1) mod n = 1 Works so long as p and q are relative prime to

one another

• If p = 11 and q=5, what is [m(p-1)(q-1) mod 55] ?

So...

Fermat: mFermat: m((pp-1)-1) mod mod pp = 1= 1

mm((pp-1)(-1)(qq-1)-1) mod mod nn = 1 = 1Euler:Euler:

So...

Fermat: Fermat: mm((pp-1)-1) mod mod pp = = 11

Euler: Euler: mm((pp-1)(-1)(qq-1)-1) mod mod nn = 1 = 1 mm((pp-1)-1) mod mod ppmm((pp-1)(-1)(qq-1)-1) mod mod nn

==

RSA Key Generation

• Pick large random primes p,q p = 5, q = 11

• Let p*q = n and =(p-1)(q-1) The encrypting modulus n = pq = 55

= (p-1)(q-1) = (4)(10) = 40

+ 1 = e * d (we’re looking for both e and d)

41 = e * d (but no two number multiplied together equal 41)

41 is prime but, using modular math — 41 becomes 1 mod 40

e * d = 1 mod 40

RSA Key Generation

• We’ll use 3 for e

• 3 * d = 1 mod 40 Using Extended Euclidian algorithm, d = 27

Encrypting Using RSA (Review)

• Step 1: generate two prime numbers, p and q

• Step 2: Combine the primes n=pq • Step 3: Combine the primes another way,

=(p-1)(q-1)• Step 4: Using , generate a key pair, e and d• Step 5: Using e, d, and n, encrypt and

decrypt

RSA Mechanical Overview

• Basically Alice: me mod n → c Bob: cd mod n → m

• Lets encrypt the letter “G” (for Gary) For simplicity sake, we’ll represent “g” as 7, the

7th letter of the alphabet

• So, 7public key * encrypting modulus 73 * mod 55 = 13

• To decrypt, 13private key * encrypting modulus 1327 * mod 55 = 7

Encrypting/Decrypting, Step—by—Step

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: PGP Personal Security 7.0.3

mQGiBDtsK/URBAD+OujjPRvMu22fq9T78fRA2ijOzzKH9HeXHZ81x8C3D/wJF7ea

1ToD42sk6kV6+fcI2JGV4YrApXkzu7TfmU8T5eUxPsk4YY7q4ZP7JCmTVwPWeROJ

ZH6QHjyBQUm792trCFbmuOl+t5PjY8TZwBBo4Hrm/kvgex+OfqzZEi4hlwCg/2YV

HCcvjAKa/tfDgaq9ei9NZW8D/0WiVnOqZUSqlBfG69oi0PGWtRXiJqIKsZj6Ljtw

qtxk3W5G+BqWOcI+Az3m2pGoaXzlz7z9n1iDx0ZufNzLu38/wh9FZe86817V9Y8X

jvSTf0UY/T7+BbMNF1OquUz9BaSis+a6tvsoF1Ya/657IkLhCO4CEHOc+eggFtkV

r+0eBACfHMZ4x5dxj+YtOV5eN5gxQcyjAB2NFBj+GFnBV2wezX3D6TaHpx3VwEZh

AHDeSLySoRs6bmhmd16mVdsgE/u5Em49Sc1Y59WzJGwfKAis6hHhDt4Htyhum281

impMbkEZAxIgbQplWoUivxk8LwuLjMfrfdq0+WWeLF4fJUGWBLQkR2FyeSBKIFBv

cnRlciA8cG9ydGVyQGRpZ2l0YWxtZS5jb20+iQBYBBARAgAYBQI7bCv1CAsDCQgH

AgEKAhkBBRsDAAAAAAoJENkIAq1B47uW7F8AoNfRgtp+9IYs/gpcLxT8XVlul54f

AKDH6bA2D4CR2l1sxW71RFIWEMX+CrkCDQQ7bCv1EAgA9kJXtwh/CBdyorrWqULz

Bej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHT

UPj1WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq

01uejaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O

9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcK

ctaGxAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TIL

OwACAggA7WTvMQ0WgywmeT2+ZdQTio1UvBtkLZTV5PBTWLnMXhSAL+JIY2D4xnP4

Coh+Mf2PuZ6c4IxpFVF/ywnekW2wX53qqWV0tjbTcbQ7lwkg276hQPUOfWU7UaZn

cyxFznRPc2OiO6SpzIpcVHY1nJ8uLOvhSTU67vTOonNri5zlR/ev91SPK1azTjtQ

W7jqb+v2z72Lxh/BgtDiFld8cXMmbHYdjZ9cPpW0JsKZ+tBwl2SsJXtopst4PYmw

2hoLYA0DS+Q0X8OIxROLxQXqinEaKhjP+s6XU+q9x85McR9mT8HaCdliE1W0yToL

2dLHnwEKBBDN5vLi8+SnHjTRNU/b7IkATAQYEQIADAUCO2wr9QUbDAAAAAAKCRDZ

CAKtQeO7luHBAJ45z2IW9D0g/2pZVSHFwzTsDOob3QCg+6rozdE+M57CTDNQE5Ay

uoxxTWE=

=DeGR

-----END PGP PUBLIC KEY BLOCK-----

Gary J Porter’s PGP Public Key

An eDirectory Public Key

An eDirectory Private Key

Novell International Cryptographic Infrastructure (NICI)

• NICI is a layered, hierarchical infrastructure which divides cryptographic functionality among three distinct layers

• NICI is a modular architecture that allows new cryptographic algorithms to be added without bringing the server down

• NICI modules are cryptographically signed for protection and for module authentication

• When government regulations concerning the use and exportation of cryptography change, only NICI needs to change to support the new regulations

• NICI provides an API set that offers a consistent interface for application developers to use and deploy cryptography within their applications

NICI Architecture

XIMXIM

XENGXENG

NICI—Novell International Cryptographic Infrastructure

XSUP – Cryptography Library XENG – Cryptography Manager XMGR – Cryptography Engine XLIB - Cryptography Engine Support

XIM - Cryptography Interface Manager

XSUPXSUPXMGRXMGR XLIBXLIB

CCS APICCS API