You are on page 1of 20

1

Principles of Cryptography
Section 8.2 Ali Erkan & John Barr Ithaca College

2

Chapter Outline
8.1: What is network security? 8.2: Principles of cyrptography 8.3: Message Integrity and End-Point Authentication 8.4: Securing e-mail 8.5: Securing TCP connections: SSL 8.6: Network layer security: IPsec and VPNs 8.7: Securing wireless LANs 8.8: Operational Security: Firewalls and Intrusion Detection Systems

3 What Is Network Security? Conventional use: Sender encrypts message. receiver decrypts message Confidentiality: A Authentication: A Message Integrity: A Access and Availability: Services must be accessible and available to users .

4 An Issue That Cuts Across The Protocol Stack Application Layer: A Transport Layer: A Network Layer: A Data-link Layer: A .

5 Who Might Alice And Bob Be? Data Control. data messages Secure sender Channel Secure receiver Data Alice Bob Trudy Web browser/server for electronic transactions On-line banking client/server Surveillance systems DNS servers Routers exchanging routing 02-068 table updates AW/Kurose and Ross Computer Networking KR 07.01 ar1 .

6 What Can Trudy Do? Just Look At That Face...01 ar1 . Data Control. data messages Secure sender Channel Secure receiver Data Alice Bob Trudy Eavesdrop: Inject: Impersonate: Hijack: Intercept messages Actively insert messages into connection Spoof source address (or any field in packet) in packet Take over ongoing connection by removing sender or receiver. inserting himself in place Overload: Prevent service from being02-068 used by others (DoS) AW/Kurose and Ross Computer Networking KR 07.

7 Notation And Variables Plaintext Encryption algorithm Ciphertext Channel Decryption algorithm Plaintext KA Alice Bob KB Key: Trudy Key m: KA : KA(m): KB : KB (KA(m)): A A A A A 02-068 AW/Kurose and Ross Computer Networking KR 07.02 ar1 .

8 Notation And Variables Plaintext Encryption algorithm Ciphertext Channel Decryption algorithm Plaintext KA Alice Bob KB Key: Trudy Key Symmetric key systems: • KA = KB . both are private Public key systems: • KA.02 ar1 .priv used to A • KA.public used to A 02-068 AW/Kurose and Ross Computer Networking KR 07.

C1 . C2 . Key Systems: The “Old” Ones Ceaser cipher. much easier to crack Polyalphabetic cipher: plaintext C1(k = 5) C2(k = 19) pattern a b c d e f g h i j k l m n o p q r s t u v w x y z f g h i j k l m n o p q r s t u v w x y z a b c d e t u v w x y z a b c d e f g h i j k l m n o p q r s C1 . it takes 26! tries to figure out mapping With statistical observations. C2 .9 Sym. C2 . it takes 26 tries to figure out mapping Monoalphabetic cipher: plaintext ciphertext a b c d e f g h i j k l m n o p q r s t u v w x y z m n b v c x z a s d f g h j k l p o i u y t r e w q With brute force. k=3: plaintext ciphertext a b c d e f g h i j k l m n o p q r s t u v w x y z d e f g h i j k l m n o p q r s t u v w x y z a b c With brute force.

there should be no correlation between the ciphertext and either the original data or key”. With a good algorithm.. . 64-bit plaintext input N IST S TATEMENT “The goal is completely scramble the data and key so that every bit of the ciphertext depends on every bit of the data and every bit of the key.. Key Systems: Data Encryption Standard DES: • US encryption standard [NIST 1993] • OK for commercial and non-classified use • 56-bit symmetric key.10 Sym.

XOR-ing with the leftmost 32 bits of the input. How does decryption work? By reversing the steps of the operation.11 Sym. 48-bit K16 L17 R17 permute 64-bit output .R1. Key Systems: Data Encryption Standard 64-bit input permute L1 R1 48-bit K1 56-bit key f(L1.R2. XOR-ing with the expanded 6-bit chunks of the 48-bit key Ki. a substitution.K2) L3 R3 What happens in f ()? The 64-bit input and the 48-bit key for the ith round are taken as input to f () that involves expansion of 4-bit input chunks into 6-bit chunks.K1) L2 R2 48-bit K2 f(L2.

Making DES more secure: • Use three keys sequentially (3-DES) on each datum Advanced Encryption Standard: • New (Nov. or 256 bit keys • Brute force decryption (try each key) taking 1 sec on DES. 192. replacing DES • Processes data in 128 bit blocks • 128. takes 149 trillion years for AES 1 “Strong cryptography makes the world a safer place” . 2001) symmetric-key NIST standard. Key Systems: Data Encryption Standard How secure is DES? • DES Challenge: 56-bit-key-encrypted phrase1 brute forcely decrypted 4 months (Google ‘des challange’) • No known “backdoor” decryption approach.12 Sym.

and sends it to Griffin • Griffin receives the box and opens it with his copy of the key • Griffin puts the money in the box and locks it with the padlock • Matt receives the box. locks its with the padlock. each keeping one of the two identical keys to open it • Matt puts the exam questions in a box. opens it with his copy of the key .13 Symmetric Key Cryptography Matt and Griffin need to exchange a number of secret messages: • Matt and Griffin buy a padlock.

14 Public Key Cryptography Matt and Griffin need to exchange a number of secret messages: • Griffin and Matt buy separate padlocks • Matt asks Griffin to send his open padlock through regular mail • Matt uses the received padlock to lock the box that will deliver the message to Griffin • Griffin receives the box and opens it with the key which only he has • Griffin asks Matt to send Matt’s open padlock through the regular mail • Griffin uses the received padlock to lock the box that will deliver the message to Matt • Matt receives the box and opens it with the key which only he has .

15 Public Key Encryption KB+ Public encryption key KB– Private decryption key Plaintext message.06 ar2 28p2 Wide x 12p10 Deep 2/c 05/15/02SC 6/04/02GM . m Ciphertext KB+ (m) Plaintext message. m Encryption algorithm Decryption algorithm m = KB– (KB+ (m)) 02-068 AW/Kurose and Ross Computer Networking KR 07.

. it should be impossible to compute KB . Why? A + − • KB (KB (m)) = m. Adelson) does exactly that. Why? A + − Given public key KB . • How is this possible? A The RSA algorithm (Rivest.16 Public Key Encryption Requirements + − Need KB and KB such that − + • KB (KB (m)) = m. Shamir.

z = (p − 1)(q − 1). Each might be 1024 bits. Choose e (e < n) that has no common factors with z . That is. e) − Private key KB is (n. d) What? . Compute d such that ed − 1 is exactly divisible by z .17 RSA Choice of Keys Choose two large prime numbers p and q . Compute n = pq . This means e and z are relatively prime. + Public key KB is (n. ed mod z = 1.

To decrypt received bit pattern c. Decryption To encrypt bit pattern m.18 RSA Encryption. compute m = cd mod n This is the remainder when cd is divided by n. somehow. compute c = me mod n This is the remainder when me is divided by n. This means that. m = (me mod n) mod n d .

Therefore. therefore e and z are relatively prime.19 RSA Example Bob chooses p = 5. Choose d so that ed − 1 is exactly divisible by z : ed − 1 = kz ed = kz + 1 kz + 1 d= e Let k = 6 6 × 24 + 1 d= = 29 5 . q = 7. n = 5 × 7 = 35 Therefore z = (5 − 1) × (7 − 1) = 24 Let e be 5.

e.20 RSA Example Transmit letter ‘l’ (i. lower case ‘L’): m = 12 me = 125 = 248832 me mod n = 125 mod 35 = 17 Receive 17: c = 17 cd = 1729 = 481968572106750915091411825223071697 cd mod n = 1729 mod 35 = 12 .