Cryptography (One Day Cryptography Tutorial) - PowerPoint PPT Presentation

1 / 81
About This Presentation
Title:

Cryptography (One Day Cryptography Tutorial)

Description:

(One Day Cryptography Tutorial) By Dr. Mohsen M. Tantawy Definitions Plaintext: easy to understand form (original message) Ciphertext: difficult to understand form ... – PowerPoint PPT presentation

Number of Views:637
Avg rating:3.0/5.0
Slides: 82
Provided by: ituIntIT
Category:

less

Transcript and Presenter's Notes

Title: Cryptography (One Day Cryptography Tutorial)


1
Cryptography(One Day Cryptography Tutorial)
  • By
  • Dr. Mohsen M. Tantawy

2
Definitions
3
Definitions
  • Plaintext easy to understand form(original
    message)
  • Ciphertext difficult to understand form
  • Encryption encoding (plaintext -gt ciphertext)
  • Decryption decoding(ciphertext -gt plaintext)
  • Cryptology study of encryption
  • Cryptography use of encryption
  • Cryptanalysis breaking encryption

4
Definitions
Group of individuals
  • AliceShe is an end user/computer without
    malicious intentions, one of the main users of
    cryptography.
  • BobHe is Alices friend and is also a main user
    of cryptography, without malicious intentions.
  • CathyAnother user of cryptography she does not
    usually have a large roll nor malicious
    intentions.
  • EveA malicious user that does not interfere with
    communications. She simply wants to eavesdrop on
    the conversation between two other characters,
    typically Alice and Bob, but does not actively
    try to attack the communication.
  • MalloryThe malicious user. Always trying to
    thwart attempts by other characters to
    communicate securely.
  • TrentHe is a trusted third party. He only
    communicates with Alice, Bob, or Cathy when they
    ask for his help. He can always be trusted to do
    what he says he will do.

5
Group of individuals
  • Hacker is a general term that has historically
    been used to describe a computer programming
    expert. More recently, this term is commonly used
    in a negative way to describe an individual that
    attempts to gain unauthorized access to network
    resources with malicious intent.
  • Cracker is the term that is generally regarded
    as the more accurate word that is used to
    describe an individual that attempts to gain
    unauthorized access to network resources with
    malicious intent.

6
Group of individuals
  • Phreaker is an individual that manipulates the
    phone network in order to cause it to perform a
    function that is normally not allowed. A common
    goal of phreaking is breaking into the phone
    network, usually through a payphone, to make free
    long distance calls.
  • Spammer is an individual that sends large
    quantities of unsolicited email messages.
    Spammers often use viruses to take control of
    home computers in order to use these computers to
    send out their bulk messages.
  • Fisher uses email or other means in an attempt
    to trick others into providing sensitive
    information, such as credit card numbers or
    passwords. The Phisher will masquerade as a
    trusted party that would have a legitimate need
    for the sensitive information.

7
Group of individuals
  • White hat is a term used to describe
    individuals that use their abilities to find
    vulnerabilities in systems or networks, and then
    report these vulnerabilities to the owners of the
    system so that they can be fixed.
  • Black hat is another term for individuals that
    use their knowledge of computer systems to break
    into systems or networks that they are not
    authorized to use.

8
Definitions
  • KeyA random piece of data used with encryption
    and decryption. Encryption and decryption
    algorithms require a key and plain text or cipher
    text to produce cipher text or plain text,
    respectively.
  • Security Association A set of information that
    describes how the communicating entities will
    utilize security.

9
Modern Cryptography
10
Types of Cryptographic Systems
  • Symmetric-key cryptosystems
  • Asymmetric-key or Public-key cryptosystems
  • Hybrid (Symmetric-key and Asymmetric-key)
    cryptosystems

11
Symmetric Encryption
  • Uses conventional / secret-key / single-key
  • Sender and recipient share a common key
  • All classical encryption algorithms are
    private-key
  • The only type prior to invention of public-key in
    1970s

12
Symmetric Cipher Model
13
Requirements
  • Two requirements for secure use of symmetric
    encryption
  • Strong encryption algorithm
  • Secret key known only to sender / receiver
  • Y EK(X)
  • X DK(Y)
  • Assume encryption algorithm is known
  • Implies a secure channel to distribute key

14
Block ciphers and Stream ciphers
  • Each secret-key cryptography algorithm or cipher
    typically works in two phases
  • key set-up phase
  • ciphering or encrypt and decrypt phase.
  • There are two major classes of these algorithms
    block ciphers and stream ciphers.
  • Block ciphers encrypt plaintext in units of
    blocks and likewise decrypt cipher text in units
    of blocks.
  • Stream ciphers encrypt plaintext in one stream
    and decrypt cipher text likewise.

15
Block cipher operation
16
Stream cipher operation
17
Mode of Operation
  • There are three important block cipher modes
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback Mode (CFB)

18
Electronic Codebook Book (ECB)
19
Cipher Block Chaining (CBC)
20
Cipher FeedBack (CFB)
21
Output FeedBack (OFB)
22
Symmetric-key cryptosystems
  • Examples of symmetric key algorithms are as
    follows
  • Data Encryption Standard (DES) (56bits)
  • Triple DES (3DES) (168 bits)
  • Advanced Encryption Standard (AES)
  • International Data Encryption Algorithm (IDEA)
    (128 bits)
  • Rivets Cipher 4 (RC4) (variable length key)

23
DES Encryption
24
Initial Permutation IP
  • first step of the data computation
  • IP reorders the input data bits
  • even bits to LH half, odd bits to RH half
  • quite regular in structure (easy in h/w)

25
DES Round Structure
  • uses two 32-bit L R halves
  • as for any Feistel cipher can describe as
  • Li Ri1
  • Ri Li1 xor F(Ri1, Ki)
  • takes 32-bit R half and 48-bit subkey and
  • expands R to 48-bits using perm E
  • adds to subkey
  • passes through 8 S-boxes to get 32-bit result
  • finally permutes this using 32-bit perm P

26
DES Round Structure
27
Substitution Boxes S
  • have eight S-boxes which map 6 to 4 bits
  • each S-box is actually 4 little 4 bit boxes
  • outer bits 1 6 (row bits) select one rows
  • inner bits 2-5 (col bits) are substituted
  • result is 8 lots of 4 bits, or 32 bits
  • row selection depends on both data key
  • feature known as autokeying

28
Triple DES
  • clear a replacement for DES was needed
  • theoretical attacks that can break it
  • demonstrated exhaustive key search attacks
  • AES is a new cipher alternative
  • prior to this alternative was to use multiple
    encryption with DES implementations
  • Triple-DES is the chosen form

29
Triple-DES with Two-Keys
  • hence must use 3 encryptions
  • would seem to need 3 distinct keys
  • but can use 2 keys with E-D-E sequence
  • C EK1DK2EK1P
  • if K1K2 then can work with single DES
  • standardized in ANSI X9.17 ISO8732
  • no current known practical attacks

30
Triple-DES with Three-Keys
  • although are no practical attacks on two-key
    Triple-DES have some indications
  • can use Triple-DES with Three-Keys to avoid even
    these
  • C EK3DK2EK1P
  • has been adopted by some Internet applications,
    eg PGP, S/MIME

31
Triple DES (3DES)
  • The technique used by 3DES is known as EDE
    (Encrypt-Decrypt-Encrypt).
  • The plaintext message is encrypted using the
    first 8 bytes of the 3DES.
  • Then the message is decrypted using the middle 8
    bytes of the key.
  • Finally, the message is encrypted using the last
    8 bytes of the key to produce an 8-byte block.

32
Triple DES (3DES)
33
AES Requirements
  • private key symmetric block cipher
  • 128-bit data, 128/192/256-bit keys
  • stronger faster than Triple-DES
  • active life of 20-30 years ( archival use)
  • provide full specification design details
  • both C Java implementations

34
Rijndael
  • data block of 4 columns of 4 bytes is state
  • key is expanded to array of words
  • has 9/11/13 rounds in which state undergoes
  • byte substitution (1 S-box used on every byte)
  • shift rows (permute bytes between groups/columns)
  • mix columns (subs using matrix multipy of groups)
  • add round key (XOR state with key material)
  • view as alternating XOR key scramble data bytes
  • initial XOR key material incomplete last round
  • with fast XOR table lookup implementation

35
Rijndael
36
Byte Substitution
37
Shift Rows
38
Mix Columns
39
Add Round Key
40
AES Decryption
41
Asymmetric-key or Public Key Encryption
  • Based on mathematical algorithms
  • Asymmetric
  • Use two separate keys
  • Public Key issues
  • Plain text
  • Encryption algorithm
  • Public and private key
  • Cipher text
  • Decryption algorithm

42
Public Key Encryption Encryption
43
Public Key Encryption Authentication
44
Public Key Encryption - Operation
  • One key made public
  • Used for encryption
  • Other kept private
  • Used for decryption
  • Infeasible to determine decryption key given
    encryption key and algorithm
  • Either key can be used for encryption, the other
    for decryption

45
Steps
  • User generates pair of keys
  • User places one key in public domain
  • To send a message to this user, encrypt using
    public key
  • User decrypts using private key

46
Digital Signature
  • Sender encrypts message with their private key
  • Receiver can decrypt using senders public key
  • This authenticates sender, who is only person who
    has the matching key
  • Does not give privacy of data
  • Decrypt key is public

47
Asymmetric-key or Public-key Cryptosystems
  • There are many examples of commonly used
    public-key systems including
  • Diffie-Hellman
  • Rivest, Shamir, Adleman (RSA)
  • Digital Signature Algorithm (DSA) /
  • Al Gamal
  • Elliptic Curve Cryptosystem (ECC)

48
Diffie-Hellman Key Exchange
  • first public-key type scheme proposed
  • by Diffie Hellman in 1976 along with the
    exposition of public key concepts
  • note now know that James Ellis (UK CESG)
    secretly proposed the concept in 1970
  • is a practical method for public exchange of a
    secret key

49
Diffie-Hellman Key Exchange
50
RSA Algorithm
  • Were using Big Integers here
  • Choose large secret prime numbers p and q
  • Calculate N p q
  • Choose exponent e such that
  • gcd(e, (p-1)(q-1)) 1
  • Normally choose 3, 17 or 65537
  • Public key is pair N and e
  • Choose d so that
  • e d 1 (mod (p-1)(q-1))
  • Private key is d (for efficiency d, p, q)
  • Encryption c me (mod N)
  • Decryption m cd (mod N)
  • Baby example
  • p7, q11
  • N77
  • 37
  • gcd (37,(7-1)(11-1)) 1
  • 77, 37
  • 13
  • 37134811(mod 60)
  • 13
  • 237 mod 77 51
  • 5113 mod 77 2

51
Public Key Certificate Use
52
Digital certificates
53
Digital certificates
  • Digital certificates include
  • A public key
  • An individual or organisations details
  • A digital signature from a certifying authority
    (CA)
  • This states that the CA has seen proof of
    identity
  • Common certifying authorities
  • VeriSign, Thawte, Equifax Secure, British Telecom
  • CAs are themselves certified by other CAs
  • A few root CAs are usually trusted

54
Message Authentication
55
Message Authentication Code
  • Generate authentication code based on shared key
    and message
  • Common key shared between A and B
  • If only sender and receiver know key and code
    matches
  • Receiver assured message has not altered
  • Receiver assured message is from alleged sender
  • If message has sequence number, receiver assured
    of proper sequence

56
Hash Functions vs. MAC
57
Hash Functions
Message M
  • Hash Function
  • Generate a fixed length Fingerprint for an
    arbitrary length message
  • No Key involved
  • Must be at least One-way to be useful
  • Constructions
  • Iterated hash functions (MD4-family hash
    functions) MD5, SHA1,
  • Hash functions based on block ciphers
    MDC(Manipulation Detection Code)

H
Message Digest D D H(M)
58
Message Authentication Codes (MACs)
  • MAC
  • Generate a fixed length MAC for an arbitrary
    length message
  • A keyed hash function
  • Message origin authentication
  • Message integrity
  • Entity authentication
  • Transaction authentication

Shared Secret Key
MAC
MAC
SEND
MAC
59
Comparison of Hash Function MAC
Arbitrary length
Arbitrary length
message
message
Hash function
MAC function
Secret key
Hash
MAC
fixed length
fixed length
  • Easy to compute
  • Compression arbitrary length input to fixed
    length output
  • Unkeyed function vs. Keyed function

60
Symmetric Authentication (MAC)
Bob
Alice
Message
Message
MAC
MAC
transmit
Secret key algorithm
Secret key algorithm
KAB
KAB
Shared Secret key between Alice and Bob
Shared Secret key between Alice and Bob
MAC?
no
yes
61
Digital Signature
Bob
Alice
Message
Signature
Message
Signature
transmit
Hash function
Hash function
Hash value
Hash value 1
Alices Public key
Public key algorithm
no
yes
Hash value 2
Alices Private key
Public key algorithm
62
Hashing
  • A hashing algorithm refers to a mathematical
    function that takes a variable- size string as
    input and transforms (hashes) it into a
    fixed-size string, which is called the hash
    value.
  • One of the most common uses of hashing in network
    security is to produce condensed representations
    of messages or fingerprints, often known as
    message digests, by applying a hashing
    algorithm to an arbitrary amount of data the
    message.
  • The two most commonly used hashing algorithms are
    MD5 and SHA1 (part of the secure hash standard
    SHS).

63
Using One Way Hash
64
Secure Hash Functions
  • Hash function must have following properties
  • Can be applied to any size data block
  • Produce fixed length output
  • Easy to compute
  • Not feasible to reverse
  • Not feasible to find two message that give the
    same hash

65
SHA-1
  • Secure Hash Algorithm 1
  • Input message less than 264 bits
  • Processed in 512 bit blocks
  • Output 160 bit digest

66
Message Digest GenerationUsing SHA-1
67
Key Management
68
ISAKMP
  • The Internet Security Association and Key
    Management Protocol (ISAKMP) is defined
    primarily as a very comprehensive framework for
    key management offering maximum flexibility
  • OAKLEY is defined based on the DiffieHellman
    key-exchange algorithm.
  • IKE, on the other hand, is defined primarily to
    be the key management for the IPSec Architecture
    and makes use of parts of the ISAKMP and OAKLEY
    definitions.

69
ISAKMP
  • ISAKMP defines procedures and packet formats to
    establish, negotiate, modify, and delete SAs.
  • ISAKMP only describes the procedures, i.e., how
    something is done.
  • ISAKMP is independent of the security protocols,
    cryptographic algorithms, and key-generation and
    key-exchange techniques that are actually used.

70
ISAKMP phases
  • ISAKMP offers two phases of negotiation.
  • In the first phase, the two entities agree on how
    to protect further negotiation traffic between
    themselves, establishing an ISAKMP SA.
  • The second phase of negotiation is used to
    establish security associations for other
    security protocols. The security associations
    established by ISAKMP during this phase can be
    used by a security protocol to protect many
    message or data exchanges.

71
ISAKMP and TCP/IP
72
OAKLEY
  • The OAKLEY protocol allows two authenticated
    entities to exchange and establish secret keying
    material.
  • It is designed to be a compatible component of
    ISAKMP.
  • The two communicating entities negotiate methods
    for encryption, key derivation, and
    authentication.
  • The basic mechanism of OAKLEY is the
    DiffieHellman key-exchange algorithm, which
    establishes a shared key without transmitting
    this key.

73
OAKLEY Key Exchange
  • An OAKLEY key exchange is made up of a sequence
    of message exchanges.
  • The goal of key-exchange processing is the secure
    establishment of a common keying information
    state in the two communicating entities.
  • This state information consists of a key name,
    secret keying material, the identities of the two
    parties, and three algorithms for use during
    authentication
  • encryption
  • hashing, and
  • authentication

74
IKE
  • IKE is the protocol that performs mutual
    authentication and establishes SAs between two
    parties for IPSec.
  • IKE uses parts of ISAKMP, OAKLEY, and SKEME to
    provide management of keys and security
    associations.

75
Key ISAKMP, OAKLEY, AND SKEME concept in IKE
76
Digital CertificatesDigital Signatures (Data
Origin Authentication, Data Integrity, and
Non-repudiation)
Digital Signature
77
Digital Signature with Hash Function
78
Pretty good privacy (PGP)
  • PGP Encryption (Pretty Good Privacy) is a
    computer program that provides cryptographic
    privacy and authentication.
  • Public key cryptography, also known as asymmetric
    cryptography, is a form of cryptography in which
    a user has a pair of cryptographic keys - a
    public key and a private key
  • It was originally created by Philip Zimmermann in
    1991.

79
Pretty Good Privacy
PGP encryption
80
Pretty Good Privacy
PGP decryption
81
Applications of Cryptosystems
  • Automatic Teller Machines
  • Phone Cards
  • Cellular Phone Networks
  • Remote System Access
  • Credit Cards
  • Electronic Cash
  • Medical Records
Write a Comment
User Comments (0)
About PowerShow.com