Professional Documents
Culture Documents
2. Cryptographic Techniques
Cryptography
Encryption Key, KE
Input to encryption Output from encryption
Assumed in other
Plaintext, P Encryption Ciphertext, C similar diagrams
if not shown
explicitly
Attacks Networks
Decryption Key, KD occur here.
P Encryption, E C = E(KAB, P)
Alice
P = D(KAB, C) Decryption, D C
Stream cipher
Input to a stream cipher is usually a smaller number of bits,
e.g. a byte, one by one
Cipher
P PN ... P1 (Encrypt)
Cipher ... CN
P1 ... PN C1
(Decrypt)
K
P
P= P1 P2 C= C1 C2
C1 C2 P1 P2
C0 = IV
... Ci-2 Ci-1 Ci-1 Ci
is exclusive OR Pi-1 Pi
© 2020.2 WSU Lecture No. 2-11
Network Security: Lecture 2
Public-Key Ciphertext, C =
Plaintext, P
Encryption, E E(KBob_Public, P)
Alice
Public Key,
KBob_Public
Plaintext, P = Public-Key
Ciphertext, C
D(KBob_Private, C) Decryption, D
XA is a XB is a
Two number and q accessible to A and B secret.
secret.
• and q have some mathematical properties
Choose XA < q Choose XB < q
YA
YA α XA YB α X B
Alice Bob
YB
XA XB
K AB α X BX A YB K AB α X A X B YA
K AB α X A X B mod q
Hash …
… Hash
Secure and
M may be modified reliable
here by an attacker. channel
Entity B
M Hash Function hash(M) =? hash(M)
Authentications
• (End entity) authentication
To verify the ID of a remote user or machine
• Message or data (origin) authentication.
To verify if a message does come from an authenticated origin
Message integrity is also and usually checked at the same time.
• Authentication methods include:
Address-based
password- or secret-based
• Message authentication includes the use of
MAC (Message authentication code) or keyed-hash
The result of hashing a secret key and the message together.
Digital signature
The result of encrypting a hash of the message (often referred
to as signing the message) using a private key.
Address-Based Authentication
Secret-Based Authentication
• Authentication: to show the other side that you have the
secret, by a number of secure handshake messages.
• Three-message authentication:
N is usually a nonce, Pre-arranged securely beforehand,
(NumberONCE) both sides have the same (copies of
the) shared secret, KAB
Hello
Entity A Entity B
(1) B creates a
N challenge N and sends
A a copy.
(3) B creates hash(KAB,N) from his
hash(KAB,N) copies of KAB and N, and compare it
(2) A uses the shared to the received hash from A.
secret, KAB and the
received N to create a If they are the same, that means:
keyed-hash • A has the same shared secret,
hash(KAB,N) and • the received hash(KAB,N) is not a
sends it to B. replay if N is unique w.r.t. time.
Mutual Authentication
A Hello, NA B
A hash(KAB, NA), NB B
A hash(KAB, NB) B
• Reflection attack:
• The above handshake is vulnerable to a reflection
attack.
• An attacker can successfully authenticate him/herself to
B without the shared secret, KAB.
• More details will be discussed in tutorial exercises.
Hello
Entity B
Entity A
N
(1) B creates a
challenge N and
encrypt(KA_Private, N) sends A a copy.
(2) A encrypts
the received N
with her private • (3) B uses a copy of A’s trusted public key KA_Public to decrypt
key and sends it encrypt(KA_Private, N) to recover the copy of N
to B.
• Matches the copy with the one he has.
• If they match, this proves that
• A is the owner of the trusted public key.
• the received encrypt(KA_Private, N) is not a replay if N is
unique w.r.t. time.
Entity B M
Hash Function hash(KAB, M) =? hash(KAB, M)
KAB
Modification or masquerade
attacks may occur here.
Digital Certificate …
• [Figure 4.4 Public-Key Certificate Use]
• Digital certificate is also called public-key certificate (in
the text)
• It is used to distribute an owner’s public key on the Internet
securely, i.e., integrity and origin of the key can be verified
by the user of the key.
On the Internet this is usually carried out by a Certificate Authority
(CA).
A user usually has at least a trust public key from a CA, i.e.,
KCA_Public, which usually comes with the OS of the user’s computing
device.
• The trusted public key can be used to verify the CA’s
signature in a digital certificate issued by the CA directly,
Or indirectly, using a PKI, which is outside the scope of this unit.
… Digital Certificate …
Note that a public key should only be used either for encryption or
for decrypting/verifying a digital signature.
Public key crypto algorithm, E2/D2 KCA_Public The user must have a
trusted copy of this key
to do the verifying.