cryptography
TRANSCRIPT
Cryptography
A Tutorial on CryptographyBy: Er. Chetan GoyalContact for more tutorials on other topics of ethical [email protected]@gmail.comOr visitwww.windowwares.blogspot.com
Cryptography
• This module includes
Related terms
Symmetric key cryptography
Asymmetric Key cryptography
PKI and Digital signatures
Demonstration: how SSL works..
2
More definitions
• Cryptosystem
• Encompasses all of the necessary components of encryption and decryption
» Softwares
» Protocols
» Algorithms
• Plain text – readable data
• Cipher text – encrypted data
4
Caesar Cipher
• Julius Caesar, 49 BC
– Securely communicate with friends
• Simple Substitution cipher
– Shift alphabet 3 characters.
5
Caesar Cipher Example
• Substitution
6
Plaintext: ET TU BRUTE
Shift Algorithm
3 characters
Cipher text: HW WX EUXWH
Symmetric Encryption
• Single key
– - Shared secret
• ExamplesData Encryption Standard (DES)
– - Block Cipher, 56 bit key
– - Triple DES 112 bit key
Advanced Encryption Standard (AES)
- Rijndael Algorithm• Belgian cryptographers, Joan Daemen and
Vincent Rijmen.
- 128, 192, 256 bit keys
7
Symmetric Key Encryption
• Symmetric key encryption is based on
substitution and transposition
• Each algorithm consist many substitution
and transposition “rounds”
• Symmetric key encryption is mostly used
for bulk or mass encryption.
8
Key and Algorithm Relationship
• Algorithm consist many static equations (functions) or rounds these rounds are basically mathematical formulas –substitution and transposition.
• Key will decide which function/s or block/s, their order, values should be used to encrypt or decrypt data.
9
Key Size
• Does key size really matter ?
• Why and how
• Key space – total number of bits available for key generation
• So for 64 bits we have 2 power 64.
• For 128 bits we have 2 power 128
• So the larger the key space, the more values an attacker has to bruteforce.
10
Types of Symmetric Cipher
• Block Cipher – text is divided into blocks, and each block is encrypted individually
• Eg: AES, DES, 3DES etc.
• Stream cipher – stream is used instead of blocks, synchronization of encryption and decryption ends is needed
• Eg: RC4, RC5
11
Symmetric Encryption Example
12
Dear Bob:
How about comingover to my placeat 1:30?
Love, Alice
Dear Bob:
How about comingover to my placeat 1:30?
Love, Alice
Alice Bob
decryptencrypt011100111001001110011100111001001110000111111
ciphertext
Symmetric cipher downfalls
• Key management
• Does not provide non repudiation and digital signature facilities
13
Asymmetric Key Cryptography
• Two mathematically related keys– Unable to derive one from the other
– Encrypt with one – decrypt with other
• Public Key Cryptography– One (public) key published for all to see
– Other (private) key kept secret
• Algorithms– RSA - Integer Factorization (large primes)
– Diffie-Hellman - Discrete Logarithms
– ECES - Elliptic Curve Discrete Logarithm
14
Asymmetric Encryption Example
15
Dear Carol:
I think Alice ishaving an affairwith Bob. I need to see youright always.
Love, Ted
Dear Carol:
I think Alice ishaving an affairwith Bob. I need to see youright always.
Love, Ted
Mohan Jagmohan
encrypt decrypt
Jagmohan'sPrivate KeyJagmohan's
Public Key
011100111001001110011100111001001110000111111
ciphertext
Asymmetric Advantages
• No shared secret key
• Public key is public– Can be freely distributed or published
– Key management is much easier
• Private key known ONLY to owner– Less vulnerable, easier to keep secret
• Supports Non-repudiation– Sender can not deny sending message
16
Asymmetric Disadvantage
• 1000 times slower than Symmetric encryption so can’t use for bulk encryption.
17
Non-repudiation
• Since only the sender knows their private key, only the sender could have sent the message.
• Authentication mechanism
• Basis for Digital Signature
18
Hash Function
• Hash Function are like CRC functions but are more then CRC (mathematically)
• Hash provide integrity check
• Hash functions generate finger prints for a given data, a little change to data will result completely different fingerprint. (non guessable)
• When hash function generate same fingerprint for different data, known as collision or birthday attack
• Hash functions are one way functions19
Digital Signature
• Combines one-way secure hash functions with public key cryptography– Hash function generates fixed length value
– No two documents produce the same hash value
– Secure Hash Algorithm 1 (SHA-1)
• Characteristics– Data Integrity - hash value
– Non-repudiation – encrypted with private key
– Does NOT provide confidentiality
21
Digital Signature Creation
22
Dear Mr. Ted:
We have asked theCourt to issue a restraining order against you to stayaway from Carol.
Sincerely,
Sue YewDewey, Cheatam & Howe, Law Firm
Dear Mr. Ted:
We have asked theCourt to issue a restraining order against you to stayaway from Carol.
Sincerely,
Sue YewDewey, Cheatam & Howe, Law Firm
encrypt
Sue'sPrivate Key
HashFunction
Sue
0F47CEFFAE0317DBAA567C29
HashValue
01010111100001101011011110101111010111
DigitalSignature
Digital Signature Validation
23
Dear Mr. Ted:
We have asked theCourt to issue a restraining order against you to stayaway from Carol.
Sincerely,
Sue YewDewey, Cheatam & Howe, Law Firm
01010111100001101011011110101111010111
Sue'sPublic Key
decrypt0F47CEFFAE0317DBAA567C29
0F47CEFFAE0317DBAA567C29 Signature is valid
if the two hashesmatch
Public Key Infrastructure
• Public Key Infrastructure (PKI) provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. NIST
26
Public Key Certificates
• Digital Certificates
– Binds a public key to it's owner
– Issued and digitally signed by a trusted third party
– Like an electronic photo-id
• Follows X509 V3 standard – RFC 2459
27
X509 V3 Basic Fields
• Owner's X.500 distinguished name (DN)– C=US;O=GOV;O=NIH;OU=CIT;CN=Mark Silverman
• Owner's public key
• Validity period
• Issuer's X.500 distinguished name
28
PKI Components
• Certification Authority (CA)
• Registration Authority (RA)
• Repository
• Archive
• Users
29
Certification Authority (CA)
• TRUSTED third party• Issues Certificates
– Creates and signs them– Publishes current certificates
• Issues Certificate Revocation Lists (CRLs)– List of invalid (revoked) certificates– Online Certificate Status Protocol (OCSP)
• Maintains archives of status information• May retain copy of data encryption private
key, for purposes of key recovery– government requirement
30
Registration Authority (RA)
• Verify certificate contents for CA
– Identity proofing
– RA's public key known to CA
• A CA may have multiple RAs
31
Certificate Policy (CP)
• A high level document that describes the security policy for issuing certificates and maintaining certificate status information.
• Describes operation of the CA.
• Defines user's responsibilities for requesting, using and handling certificates and keys.
32
Certification Practice Statements (CPS)
• A highly detailed document that describes how a CA implements a specific CP.
• Specifies the mechanisms and procedures that are used to achieve the security policy.
• Effectively the CA's operations manual.
33