security systems for digital data - paper

Bernhard Hofer CIST 3100 03/10/08 Presentation Assignment Page 1 of 17 University of Nebraska at Omaha Management Information Systems Spring 2008 Bernhard Hofer Individual Presentation – Security Systems for Digital Data CIST 3100 – Organizations, Applications & Technology Instructor: Victoria Badura Date: 03/10/08

Upload: bernhard-hofer

Post on 08-May-2015


DESCRIPTION

This is the paper to the presentation I held last year during my exchange semester at the University of Nebraska at Omaha.

TRANSCRIPT


Table of Contents

Introduction
A Brief history about cryptography
Terminology of cryptography
Encrypting Digital Data
  General Information
  Symmetric key system (private key)
    Block ciphers
    Stream cipher
  Asymmetric key system (public key)
    Problems with one way asymmetric encryption
    The solution
The Internet – Big Brother is watching YOU
  Requirements for secure interaction
  Useful applications
  Protect Your Password
The Future: Quantum Cryptography

Introduction

Nowadays, nobody would send important information over the Internet without securing it properly. Nobody? That is the big question of this paper. The Internet grew into the largest information network in the world nearly overnight, in the last century. A lot of people use it and don't think about the consequences of sending important and/or confidential information over the public Internet. This paper and the corresponding slides should give an insight into how data can be secured, in particular how data can be encrypted so that the Internet can be used as an information channel for important data.

This document is a combination of the slides and a more detailed description of the topics mentioned on them. All information provided in this document is related to a slide of the presentation to show the connection. Furthermore, this presentation is not aimed at IT specialists and contains no detailed information about the algorithms or background knowledge about ciphering systems. Again, the main purpose of this document is to give an overview of the breadth of the field of cryptography and of how everybody, even for private purposes, can use technology to secure data. To take a single example, the goal is to tell people how to send an encrypted email to other people. In this way, I hope I can galvanize the audience and give some basic information about the most common cipher methods used in the modern information world, the Internet.

A Brief history about cryptography

From the beginning, people have always wanted to share information privately. Ronald Rivest, the founder of RSA, describes it this way: “Encryption is the standard means of rendering a communication private” (R. Rivest, A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, Vol. 21 (2), pp. 120–126. 1978). This fact has not changed over time. One of the first documented uses of a form of cryptography was in Egypt’s Old Kingdom over 4,500 years ago. It was a very easy system, but definitely efficient. They used non-standard hieroglyphs to communicate in privacy with each other. As nearly every technological development was made by the military, this method was also used for military purposes.

The Greeks of Classical times enhanced cryptography and were the first people who used a key to encrypt and decrypt messages, a method also known as a transposition cipher (Wikipedia, http://en.wikipedia.org/wiki/Transposition_cipher, 03/10/08 9:45am). They had a wooden stick and wrapped a piece of paper around it. Then a message was written on this piece of paper and, after unwrapping it, the message was delivered to the receiver. The receiver had the same wooden stick and, by wrapping the piece of paper around his stick, could decrypt the message.

The important thing is the use of a key, which produces a message that is not readable for anybody without the key. The key in this case is the diameter of the wooden stick.

Another common technique was to replace a text letter by letter with the letter some fixed number of positions further down the alphabet. This method was called the Caesar cipher, because the emperor used it to send encrypted messages to his generals on the battlefield. For instance, given the word “hello”, Caesar replaced each letter with the one three positions further down the alphabet: “hello” becomes “khoor” (see David Kahn, The Codebreakers — The Story of Secret Writing, 1967).

After this early development, the next big steps were made during World War I and World War II. Cryptography became a hard science and a lot of new technologies were developed, for example the Enigma machine of the Germans, which was an elaborate system to encrypt and decrypt messages. But the big problem with all these developments was that if the adversary gets the wooden stick, knows the number of shifts in the alphabet or has an Enigma machine, every message can be decrypted and, of course, false messages can be encrypted to confuse the other party.

It was not until 1976, however, that in a groundbreaking paper Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography, in which two different but mathematically related keys are used: a public key and a private key. From this time on, the world of cryptography changed a lot from its beginnings and opened the door for a whole range of new technologies (Whitfield Diffie and Martin Hellman, “Multi-user cryptographic techniques", AFIPS Proceedings 45, pp. 109–112, 1976).

Terminology of cryptography

The word cryptography or cryptology is derived from the Greek κρύπτω kryptó "hidden" and the verb γράφω gráfo "to write" or λέγειν legein "to speak", which has a combined meaning of “secret writing” (Liddell and Scott's Greek-English Lexicon, Oxford University Press, 1984).

There are some other important terms provided on the slide. “Until modern times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into unintelligible gibberish (ciphertext)” (David Kahn, The Codebreakers — The Story of Secret Writing, 1967). Decryption is the reverse, moving from unintelligible ciphertext to plaintext. A cipher is a pair of algorithms that perform the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideally, known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption, without additional procedures such as authentication or integrity checks (see Wikipedia, http://en.wikipedia.org/wiki/Cryptography, 03/10/08 10:23am).

Encrypting Digital Data

General Information

Again I would like to cite Ronald Rivest, who said that “Cryptography is about communication in the presence of adversaries” (Ronald Rivest, "Cryptography", from the Handbook of Theoretical Computer Science, edited by J. van Leeuwen, Elsevier Science Publishers B.V., 1990).

Modern cryptography is split into two big families of methods for encrypting data. On the one hand there are symmetric methods. With these methods both the sender and the receiver share the same key to encrypt and decrypt a message. “This was the only kind of encryption publicly known until June 1976” (Whitfield Diffie and Martin Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp. 644–654). On the other hand there are the asymmetric methods, which use two different keys. These two keys are mathematically related to each other, but you can’t encrypt and decrypt a message with only one of them. On the following pages, these two methods are described in more detail.

Symmetric key system (private key)

As mentioned before, the sender and the receiver share the same key. The big advantage of this method is that it is very fast and doesn’t need a lot of hardware resources. On the other hand, the really big disadvantage is that if the key gets lost or falls into the wrong hands, this method is not secure any more.

There are two methods for encrypting and decrypting a message with symmetric key systems, namely block and stream ciphers.

Block ciphers

A block cipher is a symmetric key cipher which operates on fixed-length groups of bits with an unvarying transformation. When encrypting, a block cipher might take a (for instance) 128-bit block of plaintext as input and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled by a second input, the secret key. The decryption process is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key and yields the original 128-bit block of plaintext. To encrypt messages longer than the block size (128 bits in the above example), a mode of operation is used (see Wikipedia, http://en.wikipedia.org/wiki/Block_ciphers, 03/10/08 11:43am).

The most common block cipher systems are DES, AES, IDEA, Camellia and Twofish.

Stream cipher

A stream cipher is a symmetric cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (xor) operation. In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption. An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. In practice, the digits are typically single bits or bytes (see Wikipedia, http://en.wikipedia.org/wiki/Stream_cipher, 03/10/08 11:43am).

An example is the following:

Plaintext:   H e l l o
Cipher:      c i s t
Cipher text: K n e f r

The really big problem with stream ciphers is that if you have the plaintext and the ciphertext, it is very easy to find out the cipher algorithm and/or the key that is used. This problem is very relevant to the WEP encryption standard for Wireless LAN.

The most common stream cipher systems are RC4, SEAL, A5 and the Bluetooth standard E0.
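The example above works out if letters are numbered a=1 to z=26 and the repeating key "cist" is added modulo 26. The following Python sketch is an added example, not part of the original paper: it reproduces that encryption and shows the known-plaintext problem described above, where subtracting the plaintext from the ciphertext yields the keystream, which then opens a second message sent under the same key. The function names and the second message "World" are assumptions made for illustration, and the toy cipher only handles letters.

```python
import string

ALPHABET = string.ascii_lowercase  # letters are numbered a=1 ... z=26


def _num(ch):
    return ALPHABET.index(ch.lower()) + 1


def _letter(n, upper):
    ch = ALPHABET[(n - 1) % 26]
    return ch.upper() if upper else ch


def keystream(key, length):
    """Repeat the key letters until the keystream covers the message."""
    return [_num(key[i % len(key)]) for i in range(length)]


def encrypt(plaintext, key):
    ks = keystream(key, len(plaintext))
    return "".join(_letter(_num(p) + k, p.isupper())
                   for p, k in zip(plaintext, ks))


def decrypt(ciphertext, key):
    ks = keystream(key, len(ciphertext))
    return "".join(_letter(_num(c) - k, c.isupper())
                   for c, k in zip(ciphertext, ks))


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext weakness: ciphertext minus plaintext is the keystream."""
    return "".join(_letter(_num(c) - _num(p), False)
                   for p, c in zip(plaintext, ciphertext))


if __name__ == "__main__":
    first = encrypt("Hello", "cist")            # the paper's example
    second = encrypt("World", "cist")           # constructed second message, same key
    leaked = recover_keystream("Hello", first)  # needs no knowledge of the key
    print(first, leaked, decrypt(second, leaked))
```

The practical consequence is that a keystream must never be used for more than one message; WEP's short initialization vector made such repeats unavoidable on a busy network.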

Asymmetric key system (public key)

As mentioned before, the asymmetric key system was introduced by Diffie and Hellman in 1976 and opened up a completely new understanding of how to encrypt data. This system uses two different keys, which are mathematically related to each other: the so-called public key and the private key. This method is deeply based on mathematics and needs a lot more hardware resources than the symmetric key system. Because of this, asymmetric key systems are very slow in comparison to symmetric key systems.

There are two ways a message can be encrypted. On the one hand, the sender can encrypt the message with his private key and the receiver decrypts the message with the public key of the sender. On the other hand, the sender encrypts the message with the public key of the receiver and the receiver decrypts the message with his private key.

Problems with one way asymmetric encryption

Each of the two ways of encrypting data with an asymmetric system mentioned above has one big problem. Firstly, there is a confidentiality problem, because everybody with the public key of the sender can decrypt the message. The receiver knows who sent the message, because only the sender can have the private key. But for the sender it is not really secure. Secondly, there is an authentication problem, because the sender encrypts the message with the public key of the receiver and so the receiver doesn’t know exactly from whom the message is. It is guaranteed that the message can only be read by the receiver, but the problem here lies in the hands of the receiver, because no authentication of the sender is possible.

The solution

If the process is repeated twice, the disadvantage of each run is cancelled out by the other run. This means that the sender and the receiver use a double handshake process to verify their authentications and, of course, the confidentiality of their messages.

In practical use no message is encrypted by asymmetric systems, because it takes too long and the process needs too many hardware resources as well. The logical solution is that the asymmetric system is used to share a symmetric key between the sender and the receiver. If both know the key, they can communicate securely with a symmetric system. The big problem of symmetric key methods is sharing the key, and this is eliminated by using the asymmetric key system to share just the symmetric key.

A really good example of this combination of the two methods is the Secure Socket Layer (or SSL) protocol, which is used over the Internet to guarantee secure data exchange. The browser and the server, for example of an on-line banking system, exchange a symmetric key by using an asymmetric key system. This happens every day in our life in the background and works very well.
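The two runs and the key-sharing step described above, as an added Python example that is not part of the original paper: textbook RSA with toy primes stands in for the asymmetric system, and a SHA-256 keystream with an HMAC tag stands in for the symmetric system. All keys, the names Alice, Bob and Mallory, and the session key value are constructed for illustration.

```python
import hashlib
import hmac

def make_keypair(p, q, e):
    """Textbook RSA from two small primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # (public key, private key)

def apply_key(value, key):
    """The one RSA operation; which key is used decides what it provides."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value does not fit this key's modulus")
    return pow(value, exponent, modulus)

def wrap(k, sender_private, receiver_public):
    """Run 1: sender's private key (authentication).
    Run 2: receiver's public key (confidentiality)."""
    return apply_key(apply_key(k, sender_private), receiver_public)

def unwrap(blob, receiver_private, sender_public):
    return apply_key(apply_key(blob, receiver_private), sender_public)

def _keystream(k, length):
    blocks = (hashlib.sha256(f"{k}:{i}".encode()).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(k, message):
    """Symmetric phase: XOR with a keystream derived from k, plus an HMAC tag."""
    body = bytes(m ^ s for m, s in zip(message, _keystream(k, len(message))))
    return body, hmac.new(str(k).encode(), body, hashlib.sha256).digest()

def open_sealed(k, body, tag):
    expected = hmac.new(str(k).encode(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # session key mismatch: not the sender we expected
    return bytes(c ^ s for c, s in zip(body, _keystream(k, len(body))))

# Constructed toy keys; the sender moduli are smaller than the receiver's.
ALICE_PUB, ALICE_PRIV = make_keypair(61, 53, 17)      # n = 3233
BOB_PUB, BOB_PRIV = make_keypair(89, 97, 5)           # n = 8633
MALLORY_PUB, MALLORY_PRIV = make_keypair(67, 71, 13)  # n = 4757

def exchange(sender_private, message, k=1234):
    """Sender wraps session key k for Bob; Bob unwraps expecting Alice."""
    blob = wrap(k, sender_private, BOB_PUB)
    body, tag = seal(k, message)
    try:
        k_bob = unwrap(blob, BOB_PRIV, ALICE_PUB)
    except ValueError:
        return None  # value cannot have come from Alice's key
    return open_sealed(k_bob, body, tag)

if __name__ == "__main__":
    print(exchange(ALICE_PRIV, b"transfer 100 EUR"))    # Alice's message opens
    print(exchange(MALLORY_PRIV, b"transfer 100 EUR"))  # None: rejected
```

Only the short session key passes through the slow asymmetric operations; the message itself is handled by the fast symmetric step, and a sender who does not hold Alice's private key is rejected.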

The Internet – Big Brother is watching YOU

Now the only question is: why are these encryption technologies so important for everybody? The answer is very easy: because the Internet is a big public and local structure. In other words, the Internet is a non-secure and open information system for everybody: private people, the public authorities and, of course, economic players. Cryptography is the only way to achieve privacy and protection of personal data over the World Wide Web. This fact makes the whole encryption topic so important for every one of us.

Requirements for secure interaction

This slide shows the five main prerequisites that must be met for a secure interaction (Andreas Pfitzmann, “Security in IT Networks: Multilateral Security in Distributed and by Distributed Systems”, 2001).

Useful applications

This is just a short overview of technologies that enable us to communicate securely over the Internet. One of the most common applications is PGP, which was created by Phil Zimmermann in 1991. PGP stands for Pretty Good Privacy (Zimmermann, Phil, “Why I Wrote PGP”, 1991). One of the advantages of PGP is that it encrypts emails automatically and shares a key with the receiver of the message. It uses an asymmetric key system (RSA and IDEA) and is also very commonly used for digital signatures. A digital signature is nothing else than a certificate, which guarantees the receiver of a message that the message was sent by the person he expects. It is also part of an asymmetric system. The Secure Socket Layer (SSL) protocol mentioned before is one of the big applications that help us to communicate in a secure way over unsecured networks as well.

Protect Your Password

The biggest problem is not that someone hacks an encryption method; it is that people use very easy passwords, which are wide open to brute-force attacks. There is a whole range of other methods to steal passwords from people, which would go beyond the scope of this paper. Just to mention a few of them: phishing, sniffing, cross-site attacks, etc.

The Future: Quantum Cryptography

I would like to give a short overview of the upcoming technologies in this area. One of the biggest developments was the use of quantum physics to encrypt data. Basically, quantum cryptography, or quantum key distribution (QKD), uses quantum mechanics to guarantee secure communication. It enables two parties to produce a shared random bit string known only to them, which can be used as a key to encrypt and decrypt messages (H. Chau, Physical Review A 66, 60302, 2002).

The really cool thing is that if somebody interferes or tries to wiretap the encrypted message, the message itself gets destroyed or modified, so that the receiver of the message knows if somebody tried to read it.

The Austrian researcher Anton Zeilinger first implemented this technology between BA CA bank and the Vienna City-Hall over a 1,500m FDDA cable in April 2004. This experiment first showed the versatility of this technology in daily business life and was a forecast of future developments (Will Knight, “Entangled photons secure money transfer”, NewScientist, April 2004).