
Network Management and

Security

Chapter 3

Understanding Defenses, Cryptography and Public Key


Infrastructure (PKI)

Gebeyehu B. (Dr. of Eng.), Asst. Professor

Ge.be09@yahoo.com

Network management and security Chapter 3


Chapter contents
Basic concepts
Defense Systems
Digital IDs, Intrusion Detection Systems and PC Card System Solutions
Encrypted Login, Reusable Passwords and Antivirus Software
Encrypted Files and Biometrics
Physical Security
Cryptography
Cryptography and Cryptanalysis
Symmetric and Asymmetric Key Algorithms
Hashing Algorithms and Key Management
Public Key Infrastructure
Public Key Distribution
Trusted Third Party
PKI Topology
Enrollment and Revocation Procedures
Basic concepts
Problem
Computer networks are typically a shared resource used by many
applications representing different interests.
The Internet is particularly widely shared, being used by
competing businesses, mutually antagonistic governments, and
opportunistic criminals.
Unless security measures are taken, a network conversation or a
distributed application may be compromised by an adversary.
Consider some threats to secure use of, for example, the World
Wide Web.
Suppose you are a customer using a credit card to order an item from a
website.
Knowing and understanding the security techniques and network tools is vitally essential to securing what would otherwise be insecure.

Basic concepts
Understanding defenses, cryptography and Public Key Infrastructure (PKI)
are pertinent for all aspects of network design and operation, such as:
Component design
Protocol design
Provisioning
Management
Modeling and simulation
It is necessary to manage these aspects for services, networks and network
elements. If these areas are not understood, commercial offering of network
services is very difficult.
Therefore, it requires:
Ability to scale NMSs for a large number of devices
Support for new technologies, equipment and services
Promote flexibility and system integration based on modularity and interoperability
Defining a common information model (i.e., an agent MIB)

Basic concepts
Understanding Defenses, Cryptography and Public Key Infrastructure (PKI)
It is the process of securing the network infrastructure to maximize network service, efficiency and productivity.
The overall goal of understanding security and its components is to ensure that data can cross the network with maximum efficiency and transparency to the users, free from any fear or threat.
However, what a threat is, as the subject matter of a defense system, is a good question.

Basic concepts
Understanding Defenses....
Threat is:
An expression of an intention to inflict pain, injury, evil, or punishment.
An indication of impending danger or harm.
One that is regarded as a possible danger; a menace.
It is any network-based attempt to compromise information, system, or
network resources
They can originate from anywhere, any time
They take advantage of operating system, application, protocol, and
psychological vulnerabilities
They leverage all methods of entry to a system
They can steal information, destroy data, deny access to servers, and shut down
embedded devices
They do not want to be found

Basic concepts
Understanding Defenses....
The evolution of security threats has become more challenging (figure: "Rapidly Escalating Threat to Businesses", plotting target and scope of damage against time):
First Gen (1980s): boot viruses; target: individual computer; time to impact: weeks
Second Gen (1990s): macro viruses, denial of service; target: individual networks; time to impact: days
Third Gen (today): distributed denial of service (DDoS), blended threats; target: multiple networks; time to impact: minutes
Next Gen (future): flash threats, massive "bot"-driven DDoS, damaging payload worms; target: regional networks and global infrastructure; time to impact: seconds
Defense system
Objectives
Measurement based classification of fundamental attack patterns
Timely Identification of emerging threats
Active components: state of the art
Honeynets and Honeyfarms (iSink, Honeyd, VMware, Potemkin)
NIDS signature generation (Nemean, Autograph, Polygraph etc.)
Challenges: Accuracy, Scalability and Vulnerability

Research Thrusts
How do we integrate active components into real-time network defenses?
How do we build scalable detection systems?
How do we develop situational awareness to enhance alert accuracy?
How do we build resilient honeynet deployments?
Active mapping techniques, Data pollution attempts

Defense system
Architectural components
Observe: Internet Sink (iSink) observes unused address space
Analyze: NetSA analyzes data collected by Internet Sinks
Protect: Nemean provides signatures to protect live networks
Kaleidoscope: secures honeynet deployments

Defense system
Nemean components and architecture
Automated semantics-aware NIDS signature generation
Original implementation was offline, user-level
Tested on HTTP and NetBIOS
Low false alarms, high detection rate
Current focus: scalable, real-time Nemean instance
Online implementation of an IPS
Integration with live Active-Sink
Figure (Nemean data flow): Active-Sink packet traces → Data Collector → Flow Aggregator → Service Normalizer (protocol semantics) → Connection Clustering and Session Clustering (driven by tuning parameters) → Signature Generalizer → IDS/IPS signatures

Defense system
Nemean components: Functional diagram
Figure: The Active Sink Responder (kernel) receives dark IP traffic and issues the honeynet response. Aggregated, reassembled and annotated connection records pass through the Shared Memory Module to the Star Clustering and PFSA Generalization module (user-level), which returns generalized automatons to shared memory. The Inspector (kernel) checks production traffic against the automatons: a match is forwarded to the ALERT database; no match is forwarded on to the network.

Defense system
Nemean components
Active Sink responder
Receives packets destined to dark IP
Responds to packets
Enhancements
Support for tracking connection state
TCP and app-level reassembly
Periodic transfer of reassembled connections to shared memory
Expires connection state using timers
Shared memory driver
Handles flow of data between user level clustering module and the kernel modules
Fixed size memory allocation for data structures
Star clustering
Incremental clustering algorithm
Clusters related connections
PFSA generalizer
Sk-strings + domain specific enhancements
Suffix abstraction (repetition), subsequence creation (wildcards)
Pushes generalized automatons to shared memory
Defense system
Nemean components
Traffic inspector
Pulls new automatons from shared memory
Monitors production (live) network
Reassembles connections
Compares FSAs with connection records
Forwards matching connections to Alert DB

Minimal UI
Apache web server with PHP/HTML front end
Displays currently active automatons
Displays matched connection count summaries
Displays cluster information along with the generalized PFSA

Defense system
Therefore, a true layered protection defense system is paramount.
In order to minimize an organization’s risk, it is IMPERATIVE that security be pervasive throughout every layer of the network and integrated into both technology and business processes.
Security has historically been difficult to calculate; many good ROI models have been published to help minimize overall risk (both operational and financial) as well as provide guidance on the appropriate level of protection.
Figure (layers, outermost first): Public Internet → Internet Gateway → DMZ → DMZ Gateway → Secure DMZ → S-DMZ Gateway → Internal Network (Internal Servers, Internal Clients)

Defense system
Implementation concept of defense system as the security domains
Literal Layer | Domain Affiliation | Domain Definitions
Public Internet, Internet Gateway | Wholly Untrusted | No operational access or control over devices in this environment
DMZ, DMZ Gateway, Secure DMZ, S-DMZ Gateway | Partial Trust | Operationally controlled by organization; accessed by systems not controlled by organization
Internal Network, Internal Servers, Internal Clients | Internal Trust | Operationally controlled by organization; NOT accessed by hosts not managed by organization; individuals using these systems or devices have undergone administrative review

Defense system
Therefore, an advanced defense system needs to be designed, developed and
deployed in a broad and complete sense, using the techniques of the
security domains:
Clearly and completely define technical and administrative controls for
communications from a higher trust-level domain to a lower trust-level domain
Example: Connections from an internal laptop to a DMZ system must be permitted
only on FTP or SFTP
Define technical and administrative controls for communications from a lower
trust-level domain to a higher trust-level domain
Example: Information that is needed for a web-facing application cannot be fetched
directly from an internal database. Instead a secure-DMZ database may receive
replicated data from the internal source, and the web application may access the
secondary database using strong authentication, and secure communications.
Will require a lot of thought and planning, but will result in a very strong
security infrastructure and reduced overall costs!
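The two direction rules above, as an added example that is not from the lecture: a small checker that encodes the slide's three domains and evaluates proposed connections between layers. The layer names, the protocol labels ("db_replication" for the replication path of the second example), the rule that the secure DMZ demands strong authentication and encryption, and the sample flows are assumptions for illustration.

```python
"""Trust-domain flow checker: an added example, not from the lecture slides.

Encodes the three security domains (wholly untrusted, partial trust,
internal trust) and the two direction rules: higher->lower trust only on
explicitly permitted protocols, lower->higher trust never directly. Layer
names, protocol labels and sample flows are constructed for illustration.
"""
from dataclasses import dataclass

# Higher number = higher trust.
TRUST_RANK = {"untrusted": 0, "partial": 1, "internal": 2}

# Literal layers from the slide's table mapped to their domain affiliation.
LAYER_DOMAIN = {
    "public_internet": "untrusted", "internet_gateway": "untrusted",
    "dmz": "partial", "dmz_gateway": "partial",
    "secure_dmz": "partial", "sdmz_gateway": "partial",
    "internal_network": "internal", "internal_servers": "internal",
    "internal_clients": "internal",
}

# Higher->lower traffic: the slide permits FTP or SFTP from internal laptops to
# the DMZ; "db_replication" (internal source -> secure-DMZ replica) is an
# assumed label for the replication path in the slide's second example.
PERMITTED_DOWNWARD = {"ftp", "sftp", "db_replication"}

# Destinations that may be reached only with strong authentication and secure
# communications (assumption drawn from the slide's secure-DMZ example).
HARDENED_LAYERS = {"secure_dmz"}


@dataclass(frozen=True)
class Flow:
    src_layer: str
    dst_layer: str
    protocol: str
    strong_auth: bool = False
    encrypted: bool = False


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one proposed connection."""
    src = LAYER_DOMAIN[flow.src_layer]
    dst = LAYER_DOMAIN[flow.dst_layer]
    s_rank, d_rank = TRUST_RANK[src], TRUST_RANK[dst]

    if s_rank < d_rank:
        # Lower -> higher trust: no direct access; data must be replicated
        # outward instead (the slide's web-application / database example).
        return False, f"{src} may not reach {dst} directly; replicate data outward"

    if s_rank > d_rank and flow.protocol not in PERMITTED_DOWNWARD:
        return False, (f"{src}->{dst} permitted only on "
                       f"{sorted(PERMITTED_DOWNWARD)}, got {flow.protocol}")

    if flow.dst_layer in HARDENED_LAYERS and not (flow.strong_auth and flow.encrypted):
        return False, f"{flow.dst_layer} requires strong authentication and encryption"

    return True, f"{src}->{dst} via {flow.protocol} permitted"


def audit(flows):
    """Evaluate many flows; return a list of (flow, allowed, reason)."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows, one per rule.
SAMPLE_FLOWS = [
    Flow("internal_clients", "dmz", "sftp"),                      # allowed
    Flow("internal_clients", "dmz", "http"),                      # denied: protocol
    Flow("dmz", "internal_servers", "sql"),                       # denied: lower->higher
    Flow("internal_servers", "secure_dmz", "db_replication",
         strong_auth=True, encrypted=True),                       # allowed
    Flow("dmz", "secure_dmz", "sql"),                             # denied: no auth/crypto
    Flow("dmz", "secure_dmz", "sql", strong_auth=True, encrypted=True),  # allowed
    Flow("public_internet", "internal_servers", "ssh"),           # denied
]

if __name__ == "__main__":
    for flow, ok, why in audit(SAMPLE_FLOWS):
        print("ALLOW" if ok else "DENY ", flow.src_layer, "->",
              flow.dst_layer, flow.protocol, "|", why)
```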

Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
Intrusion detection system is:
Emerging new technology
Very interesting

Being informed is the best weapon in the security analyst’s arsenal
It also helps keep vendors honest!

The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
With high accuracy
Promptly (in under a minute)
With complete diagnosis of the attack
With recommendations on how to block it

Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
Intrusion detection
Used to monitor for “suspicious activity” on a network
Can protect against known software exploits, like buffer overflows
Uses “intrusion signatures”
Well known patterns of behavior
Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.
Example
IRIX vulnerability in webdist.cgi
Can make a rule to drop packets containing the line

However, IDS is only useful if contingency plans are in place to curb attacks as
they are occurring
A reasonably effective IDS can identify
Internal hacking
External hacking attempts
Allows the system administrator to quantify the level of attack the site is under
May act as a backstop if a firewall or other security measures fail
Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
Paradigm for intrusion detection: Attack Detection
Figure: Internet → Router w/some screening → IDS → Firewall → DMZ Network (WWW Server) and Internal Network (Desktop). The IDS detects (and counts) attacks against the Web Server and firewall.
Placing an IDS outside of the security perimeter records the attack level
Presumably, if the perimeter is well designed, the attacks should not affect it!
Prediction: attack detection (AD) will generate a lot of noise and be ignored quickly

Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
Paradigm for intrusion detection: Intrusion Detection
Figure: Internet → Router w/some screening → Firewall → DMZ Network (WWW Server) and Internal Network (Desktop), with the IDS inside the firewall. The IDS detects hacking activity WITHIN the protected network, incoming or outgoing.
Placing an IDS within the perimeter will detect instances of clearly improper behavior:
Hacks via backdoors
Hacks from staff against other sites
Hacks that got through the firewall
When the IDS alarm goes off, it’s a red alert
Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
PC card system solutions: recording what to throw away
Things that you know aren’t interesting
Consider keeping counts of the number of times uninteresting events occur
Event frequency of uninteresting events may be interesting!
Build a stop list and forward all remaining output to a human intelligence

Building IDS
Things you need:
Sources of data
Network listeners
Host software (syslog, C2, application data)
Data analysis routines
Artificial ignorance
Counting/thresholding software
Long-term storage

Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
PC card system solutions: recording what to throw away
Building hacker logic
To build misuse detection systems you need a large database of misuse
information
Vendors are now producing the same and recognizing it as valuable
intellectual property
Some public information is available

Building statistics
Excel is your friend

Building log watchers
Logcheck: monitors syslog files and applies search lists of violations to look for as
well as strings to ignore; includes a pretty good set of log filters as a baseline
And others
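The "recording what to throw away" idea and the Logcheck approach, as an added example that is not from the lecture: a small log watcher with an ignore list (artificial ignorance), counts of ignored events with a frequency alert, a violation list, and a residue forwarded to a human. The patterns, threshold and syslog lines are constructed.

```python
"""Log watcher in the Logcheck style: an added example, not from the lecture.

Applies an ignore list (things known to be uninteresting), counts how often
each ignored pattern fires (the event frequency may itself be interesting),
matches the remainder against a violation list, and forwards anything still
unexplained to a human. Patterns, threshold and log lines are constructed.
"""
import re
from collections import Counter

# Lines known to be uninteresting: counted, then dropped.
IGNORE = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD"),
    re.compile(r"sshd\[\d+\]: Connection closed by"),
]

# Known-bad activity, labelled for the report.
VIOLATIONS = [
    ("failed-login", re.compile(r"sshd\[\d+\]: Failed password for")),
    ("su-attempt", re.compile(r"su\[\d+\]: FAILED su for root")),
]

# An ignored pattern firing more often than this per batch is reported anyway.
IGNORE_RATE_ALERT = 3


def watch(lines, ignore_rate_alert=IGNORE_RATE_ALERT):
    """Classify log lines; return a report dict."""
    ignored = Counter()
    violations = []
    unexplained = []
    for line in lines:
        pat = next((p for p in IGNORE if p.search(line)), None)
        if pat is not None:
            ignored[pat.pattern] += 1
            continue
        label = next((lbl for lbl, p in VIOLATIONS if p.search(line)), None)
        if label is not None:
            violations.append((label, line))
        else:
            unexplained.append(line)   # forward to a human
    noisy = {p: n for p, n in ignored.items() if n > ignore_rate_alert}
    return {"violations": violations, "unexplained": unexplained,
            "ignored_counts": dict(ignored), "ignore_rate_alerts": noisy}


# Constructed syslog excerpt (198.51.100.0/24 is a documentation range).
SAMPLE_LOG = """\
Mar  3 10:00:01 host CRON[4101]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:05 host sshd[4110]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:00:06 host sshd[4110]: Connection closed by 198.51.100.7 port 51022
Mar  3 10:00:09 host sshd[4112]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:00:10 host sshd[4112]: Connection closed by 198.51.100.7 port 51030
Mar  3 10:00:12 host sshd[4115]: Connection closed by 198.51.100.7 port 51041
Mar  3 10:00:13 host sshd[4118]: Connection closed by 198.51.100.7 port 51044
Mar  3 10:00:20 host su[4120]: FAILED su for root by www-data
Mar  3 10:00:31 host kernel: [12345.678] usb 1-1: new high-speed USB device
""".splitlines()

if __name__ == "__main__":
    report = watch(SAMPLE_LOG)
    for label, line in report["violations"]:
        print("VIOLATION", label, "|", line)
    for line in report["unexplained"]:
        print("REVIEW   ", line)
    for pattern, count in report["ignore_rate_alerts"].items():
        print("NOISY    ", pattern, "fired", count, "times")
```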
Encrypted Login, Reusable Passwords and Antivirus
Software
Encrypted login
Makes communication unreadable to unauthorized viewers.
Uses an electronic private and public key set.
Authorized viewers are provided with the encryption key, with the ability to encrypt and decrypt messages.
Medical office encrypts data using its private key.
Patient decrypts data using the medical office’s public key.
Encryption keeps data confidential.
Entities never share their private key.

Encrypted Login, Reusable Passwords and Antivirus
Software
Password: encrypted/decrypted and reusable
The most commonly used way of authentication
But it also has vulnerabilities:
Stealing passwords
Poorly chosen passwords that are easy to guess
Attacks that search through password directories
If you were to guess passwords, how would you go about doing that?
Example: words from the dictionary, names of people/streets …

Encrypted Login, Reusable Passwords and Antivirus
Software
Anti-virus software
Software that blocks unauthorized communications on a computer.
Windows OS all provide Windows Firewall.
Routers provide basic firewall protection.
Most ISP routers act as firewalls.
Inspects each piece of communication.
Permits or denies traffic based on rules.
For example, you will not be able to connect to someone else’s PC to copy shared photos unless his firewall is configured to allow the communication.

Encrypted files and biometrics
Encrypted files
Electronic records:
Very easy to make copies
Very fast distribution
Easy archiving and retrieval
Copies are as good as the original
Easily modifiable
Environmentally friendly

To provide Authenticity, Integrity and Non-repudiation to electronic documents
To use the Internet as a safe and secure medium for e-Commerce and e-Governance

Encrypted files and biometrics
Encrypted files: Encryption and decryption
Tableau: the symbol set is a b c … z 0 1 … 9 . (dot) and space (38 symbols). The Char row lists the symbols in order, and columns 1 to 9 show each symbol shifted 1 to 9 positions later, wrapping cyclically (… x y z 0 1 2 … 9 . space a b …).
Caesar Cipher: 3 changes; the shift is linear and equidistributed.
  I agree → lcdjuhh   (i+3=l, space=c [+3])
Key Cipher: the shift is linear (cyclic) with key 269, applied one digit per symbol and repeated.
  k.n.gupta 62 → mewam3rzjba   (k+2=m, (dot)=e [+6], n=w [+9])
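The tableau above, as an added example that is not from the lecture: a shift cipher over the slide's 38-symbol alphabet (a-z, 0-9, dot, space) with a numeric key applied cyclically, so key "3" reproduces the Caesar row and key "269" the second worked example. Function names are my own; the alphabet order and both worked examples are taken from the slide.

```python
"""Shift cipher over the slide's 38-symbol alphabet: an added example, not
from the lecture slides.

The alphabet is a-z, 0-9, dot and space, so shifts wrap from "9" through "."
and space back to "a". A one-digit key gives the slide's Caesar example
("I agree" -> "lcdjuhh"); a multi-digit key such as "269" is applied
cyclically, one digit per symbol, giving the slide's second example
("k.n.gupta 62" -> "mewam3rzjba" followed by a space).
"""

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789. "
MOD = len(ALPHABET)          # 38 symbols
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def shift_symbol(ch: str, k: int) -> str:
    """Move one symbol k positions along the alphabet, wrapping cyclically."""
    if ch not in INDEX:
        raise ValueError(f"symbol {ch!r} is not in the 38-symbol alphabet")
    return ALPHABET[(INDEX[ch] + k) % MOD]


def encrypt(plaintext: str, key: str) -> str:
    """Cyclic shift cipher: symbol i is shifted by key digit i mod len(key)."""
    shifts = [int(d) for d in key]
    return "".join(shift_symbol(ch, shifts[i % len(shifts)])
                   for i, ch in enumerate(plaintext.lower()))


def decrypt(ciphertext: str, key: str) -> str:
    """Undo encrypt(): shift each symbol back by the same key digit."""
    shifts = [int(d) for d in key]
    return "".join(shift_symbol(ch, -shifts[i % len(shifts)])
                   for i, ch in enumerate(ciphertext))


def tableau(max_shift: int = 9) -> list[str]:
    """Rows of the slide's table: the alphabet shifted by 0..max_shift."""
    return ["".join(shift_symbol(ch, k) for ch in ALPHABET)
            for k in range(max_shift + 1)]


if __name__ == "__main__":
    print(encrypt("I agree", "3"))                 # lcdjuhh
    print(repr(encrypt("k.n.gupta 62", "269")))    # 'mewam3rzjba '
    for row in tableau(3):
        print(row)
```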
Encrypted files and biometrics
Encrypted files: Encryption and decryption
Figure: ENCRYPTION and DECRYPTION
SYMMETRIC (same key): Message 1, “Central to the growth of e-commerce and e-governance is the issue of trust in electronic environment.”, is encrypted into a block of unreadable ciphertext (Encrypted Message 1) and decrypted back to Message 1 with the same key.
ASYMMETRIC (different keys: the Public and Private keys of a pair) [PKI]: Message 2, “The Internet knows no geographical boundaries. It has redefined time and space. Advances in computer and telecommunication technologies have led to the explosive growth of the Internet. This in turn is affecting the methods of communication, work, study, education, interaction, leisure, health, governance, trade and commerce.”, is encrypted with one key of the pair into Encrypted Message 2 and decrypted back to Message 2 with the other key.
Encrypted files and biometrics
Encrypted files: Encryption and decryption
General concepts
• A 1024-bit number is a very big number, much bigger than the total number of electrons in the whole world.
• Trillions of trillions of pairs of numbers exist in this range, with each pair having the following property:
  – A message encrypted with one element of the pair can be decrypted ONLY by the other element of the same pair
• The two numbers of a pair are called keys, the Public Key and the Private Key. The user himself generates his own key pair on his computer.
• Any message, irrespective of its length, can be compressed or abridged uniquely into a smaller-length message called the Digest or the Hash.
• The smallest change in the message will change the Hash value

Encrypted files and biometrics
Encrypted files: Encryption and decryption
Therefore, the digital signature:
The hash value of a message, when encrypted with the private key of a person, is his digital signature on that e-Document.
The digital signature of a person therefore varies from document to document, thus ensuring the authenticity of each word of that document.
As the public key of the signer is known, anybody can verify the message and the digital signature.
Each individual generates his own key pair [Public key known to everyone & Private key only to the owner]
Private Key – used for making the digital signature
Public Key – used to verify the digital signature

Encrypted files and biometrics
Biometrics
Something that you are
Establishes a FRAMEWORK consisting of components: Data Capture, Signal Processing, Matching, Storage, etc.
Defines REQUIREMENTS for operating a biometric authentication system in a financial services environment: Enrollment, Verification, Identification and Storage
Provides TECHNIQUES satisfying the privacy, integrity and authenticity requirements for biometric data; harmonized with NISTIR 6529 CBEFF and BioAPI Specification 1.0
Offers a comprehensive set of CONTROL OBJECTIVES against which a professional auditor can validate a biometric authentication system

Encrypted files and biometrics
Biometrics
Biometric systems are one solution to the increasing demand for strong authentication of actions in a global environment.
Biometrics tightly binds an event to an individual.
It is used for:
Simple verification and identification: who is who?
Advanced: detecting multiple identities and patrolling public spaces

Biometrics for the Internet is:
Convenient
Passwords are not user-friendly
Perceived as more secure
May actually be more secure
May be useful as a deterrent
Passive identification

Biometrics today:
Fingerprints
Retina Prints
Face Prints
DNA Identification
Voice Prints
Palm Prints
Handwriting Analysis
Etc…
Encrypted files and biometrics
Biometrics system architecture
Architecture dependent on application:
Identification: Who are you?
One to Many (millions) match (1:Many)
One to “few” (less than 500) (1:Few)
Cooperative and non-cooperative subjects
Authentication: Are you who you say you are?
One to One match (1:1)
Typically assumes a cooperative subject
Enrollment and Verification stages are common to both.

Encrypted files and biometrics
Biometrics system architecture
Enrollment: Capture and processing of user biometric data for use by the system in subsequent authentication operations.
Figure (enrollment): Acquire and digitize high-quality biometric data → Extract biometric features/representation → Formulate biometric template → Template repository (database)
Authentication/Verification: Capture and processing of user biometric data in order to render an authentication decision based on the outcome of a matching process of the stored to current template.
Figure (verification): Acquire and digitize high-quality biometric data → Extract biometric features/representation → Formulate template → Biometric matcher (against the stored template) → Decision output

Encrypted files and biometrics
Biometrics system architecture
Authentication Application: Enrollment Mode/Stage Architecture
Figure: Biometric data collection → Transmission → Signal processing, feature extraction, representation → Quality sufficient? No: additional image preprocessing, adaptive extraction or representation, or require new acquisition of the biometric. Yes: Generate template → Database.

Encrypted files and biometrics
Biometrics system architecture
Authentication Application: Verification/Authentication Mode/Stage Architecture
Figure: Biometric data collection → Transmission → Signal processing, feature extraction, representation → Quality sufficient? No: additional image preprocessing, adaptive extraction/representation, or require new acquisition of the biometric. Yes: Generate template → Template match against the database → Confidence? Yes: Decision. No: return to an earlier stage.

Encrypted files and biometrics
Biometrics subsystem architecture
Data Collection
Transmission
Signal Processing/Pattern Matching
Database/Storage
Decision

What comprises these subsystems and how do they interact with other elements (what are their interface and performance specifications)?

Encrypted files and biometrics
Biometrics subsystem architecture
Data Collection Module: Biometric choice, presentation of biometric, biometric data collection by sensor and its digitization.
Figure: Biometric presentation → Sensor (Biometric Data Collection) → Transmission → Signal Processing, Feature Extraction, Representation; with a Recollect path back to data collection.

Encrypted files and biometrics
Biometrics subsystem architecture
Transmission Module: Compress and encrypt sensor digital data; the reverse process on the receiving side.
Figure: Biometric presentation → Sensor (Biometric Data Collection) → Transmission: Compression, Encryption → Decryption, Decompress → Signal Processing, Feature Extraction, Representation; with a Recollect path back to data collection.

Encrypted files and biometrics
Biometrics subsystem architecture
Signal Processing/Matching Module: Be aware of potential transmission prior to match.
Figure: Transmission (Compression, Encryption → Decryption, Decompress) → Signal Processing, Feature Extraction, Representation → Quality Control: No → Recollect or Reprocess; Yes → Generate Template → Template Match against the Database → Confidence? Yes → Decision; No → return to an earlier stage.

Encrypted files and biometrics
Biometrics system architecture
Database module: In what form is the biometric stored? Template or raw data?
Figure: the same pipeline as above (Transmission → Signal Processing/Feature Extraction → Quality Control → Generate Template → Template Match → Confidence? → Decision), with the Database holding Templates and/or Images.
Biometric Template: A file holding a mathematical representation of the identifying features extracted from the raw biometric data.

Encrypted files and biometrics
Biometrics system architecture
Decision module: Is there enough similarity to the stored information to declare a match with a certain confidence?
Figure: the same pipeline as above; the Decision module takes the Template Match result from the Database (Templates, Images) and outputs a decision when the confidence is sufficient.

Encrypted files and biometrics
Biometrics
However, biometric encryption has big problems:
Biometrics are noisy
Need for “error correction”

Potential problems:
Encryption with a 10-bit key?
Are some “corrected” values more likely than others?
What happens when the person changes --- you still need a back door.
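The decision module's question (enough similarity to declare a match with a certain confidence) together with the noise problem above, as an added example that is not from the lecture: templates are modelled as bit strings, a live sample is a noisy re-acquisition, and the match decision is a Hamming-distance threshold whose sweep exposes the false-accept / false-reject trade-off. Template length, noise rate, sample counts and thresholds are constructed.

```python
"""Threshold matcher for noisy biometric templates: an added example, not
from the lecture.

Templates are fixed-length bit strings; a live sample never equals the
enrolled template exactly (the slide's "biometrics are noisy"), so the
decision module declares a match when the Hamming distance is below a
threshold. Sweeping the threshold shows the false-accept / false-reject
trade-off. Template length, noise rate and sample counts are constructed.
"""
import random

TEMPLATE_BITS = 256


def random_template(rng: random.Random) -> int:
    """A fresh enrolled template (each bit independent and uniform)."""
    return rng.getrandbits(TEMPLATE_BITS)


def noisy_sample(template: int, flip_rate: float, rng: random.Random) -> int:
    """Re-acquire the same person's biometric: each bit flips with flip_rate."""
    noise = 0
    for bit in range(TEMPLATE_BITS):
        if rng.random() < flip_rate:
            noise |= 1 << bit
    return template ^ noise


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def decide(stored: int, live: int, threshold: int) -> bool:
    """Decision module: match if the templates differ in fewer than `threshold` bits."""
    return hamming(stored, live) < threshold


def error_rates(threshold: int, trials: int = 200, flip_rate: float = 0.10,
                seed: int = 1) -> tuple[float, float]:
    """Return (false_accept_rate, false_reject_rate) at `threshold`.

    Genuine attempts: noisy re-acquisitions of the enrolled template.
    Impostor attempts: templates of unrelated people (independent bits).
    """
    rng = random.Random(seed)
    enrolled = random_template(rng)
    false_rejects = sum(
        not decide(enrolled, noisy_sample(enrolled, flip_rate, rng), threshold)
        for _ in range(trials))
    false_accepts = sum(
        decide(enrolled, random_template(rng), threshold)
        for _ in range(trials))
    return false_accepts / trials, false_rejects / trials


def sweep(thresholds=(16, 32, 64, 96, 128)):
    """FAR/FRR at several thresholds, to pick an operating point."""
    return {t: error_rates(t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:3d}: FAR={far:.3f} FRR={frr:.3f}")
```

With 10% bit noise, genuine distances cluster near 26 of 256 bits and impostor distances near 128, so a threshold around 64 separates them; tightening it toward 16 rejects the legitimate user most of the time.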

Physical security
Why physical security
Not all threats are “cyber threats”
One commodity that can be stolen without being “taken”
Physically barring access is the first line of defense
Forces those concerned to prioritize!
Physical Security can be a deterrent
Security reviews force insights into the value of what is being protected
Therefore, the physical security domain provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including all of the information system resources.

Cryptography
Cryptography: process of making and using codes to secure
transmission of information
Cryptology: science of encryption; combines cryptography and
cryptanalysis
Encryption: converting original message into a form unreadable by
unauthorized individuals
Cryptanalysis: process of obtaining original message from encrypted
message without knowing algorithms
Cipher method
Plaintext can be encrypted through bit stream or block cipher method
Bit stream: each plaintext bit transformed into cipher bit one bit at a time
Block cipher: message divided into blocks (e.g., sets of 8- or 16-bit blocks) and
each is transformed into encrypted block of cipher bits using algorithm and key

Cryptography
Hash functions
Mathematical algorithms that generate message summary/digest to confirm
message identity and confirm no content has changed
Hash algorithms: publicly known functions that create hash
value
Use of keys not required; message authentication code (MAC), however, may
be attached to a message
Used in password verification systems to confirm identity of user
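The distinction drawn above between a keyless hash and a message authentication code, as an added example that is not from the lecture: an unkeyed digest detects accidental change but can be recomputed by whoever alters the message, whereas an HMAC tag cannot be regenerated without the shared key. The key, messages and the modelled alteration are constructed.

```python
"""Unkeyed hash versus message authentication code: an added example, not
from the lecture slides.

A hash detects accidental change, but anyone who alters the message can
recompute a matching hash, so a hash alone proves nothing about who produced
it. A MAC (here HMAC-SHA256) folds a shared secret key into the digest, so
only a key holder can produce a tag that verifies. Key and messages are
constructed for illustration.
"""
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Unkeyed message digest (the slide's message summary)."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Keyed message authentication code sent alongside the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(mac(key, message), tag)


def altered_in_transit(message: bytes, tag: str, keyed: bool) -> tuple[bytes, str]:
    """Model a message changed on the way and its accompanying check value.

    Without a key (keyed=False) the changer can attach a fresh, matching hash.
    With a MAC (keyed=True) no key is available, so the old tag is all there is.
    """
    altered = message.replace(b"100", b"900")
    return altered, (tag if keyed else digest(altered))


def demonstrate(key: bytes = b"shared-secret-example") -> dict:
    """Compare what each check value catches for one constructed message."""
    original = b"transfer 100 to account 42"
    # Integrity by hash only: the altered copy carries a digest that still checks.
    h = digest(original)
    changed, changed_h = altered_in_transit(original, h, keyed=False)
    hash_check_passes = digest(changed) == changed_h
    # Integrity by MAC: the altered copy cannot be retagged without the key.
    t = mac(key, original)
    changed2, changed_t = altered_in_transit(original, t, keyed=True)
    mac_check_passes = verify_mac(key, changed2, changed_t)
    return {"hash_check_passes_on_altered": hash_check_passes,
            "mac_check_passes_on_altered": mac_check_passes,
            "mac_check_passes_on_genuine": verify_mac(key, original, t)}


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```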

Cryptography algorithms
Often grouped into two broad categories, symmetric and asymmetric; today’s
popular cryptosystems use hybrid combination of symmetric and asymmetric
algorithms

Symmetric and asymmetric algorithms distinguished by types of


keys used for encryption and decryption operations

Cryptography
Cryptography algorithms …
Symmetric encryption: uses same “secret key” to encipher and
decipher message
Encryption methods can be extremely efficient, requiring minimal
processing
Both sender and receiver must possess encryption key
If either copy of key is compromised, an intermediate can decrypt and read
messages
Data Encryption Standard (DES): one of most popular symmetric
encryption cryptosystems
64-bit block size; 56-bit key

Triple DES (3DES): created to provide security far beyond DES

Cryptography
Cryptography algorithms …
Advanced Encryption Standard (AES): developed to replace both DES
and 3DES
Asymmetric Encryption (public key encryption)
Uses two different but related keys; either key can encrypt or decrypt message
If Key A encrypts message, only Key B can decrypt
Highest value when one key serves as private key and the other serves as public
key

Encryption key size
When using ciphers, size of cryptovariable or key very important
Strength of many encryption applications and cryptosystems measured by key size
For cryptosystems, security of encrypted data is not dependent on keeping
encrypting algorithm secret
Cryptosystem security depends on keeping some or all of elements of
cryptovariable(s) or key(s) secret

Cryptography
Encryption key power

Cryptography
Cryptography tools
Public Key Infrastructure (PKI): integrated system of software, encryption
methodologies, protocols, legal agreements, and third-party services enabling
users to communicate securely
PKI systems based on public key cryptosystems; include digital certificates and
certificate authorities (CAs)

PKI protects information assets in several ways:
Authentication
Integrity
Privacy
Authorization
Nonrepudiation

Cryptography
Protocol for secure communications
Secure Socket Layer (SSL) protocol: uses public key encryption to secure channel over public Internet
Secure Hypertext Transfer Protocol (S-HTTP): extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet
S-HTTP is the application of SSL over HTTP; allows encryption of information passing between computers through protected and secure virtual connection

Cryptography and cryptanalysis

The basic terminology
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key
cryptology - the field of both cryptography and cryptanalysis

Cryptography and c
ryptanalysis

The language of cryptography
Figure: plaintext → encryption algorithm (Alice’s encryption key K_A) → ciphertext → decryption algorithm (Bob’s decryption key K_B) → plaintext
symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret (private)

Cryptography and cryptanalysis

Symmetric encryption
or conventional / secret-key / single-key
sender and recipient share a common key
all classical encryption algorithms are private-key

Cryptography and cryptanalysis

Symmetric key cryptography
Figure: plaintext message m → encryption algorithm with K_A-B → ciphertext K_A-B(m) → decryption algorithm with K_A-B → plaintext m = K_A-B(K_A-B(m))
symmetric key crypto: Bob and Alice share (know) the same symmetric key K_A-B
e.g., key is knowing the substitution pattern in a monoalphabetic substitution cipher

Network management and security Chapter 3


Cryptography and cryptanalysis

Symmetric cipher model


Cryptography and cryptanalysis

Basic requirements between the source and the destination of the text

two requirements for secure use of symmetric encryption:
a strong encryption algorithm
a secret key known only to sender / receiver
Y = E_K(X)
X = D_K(Y)
assume the encryption algorithm is known
implies a secure channel to distribute the key

Cryptographic systems can be characterized by:
type of encryption operations used: substitution / transposition / product
number of keys used: single-key or private / two-key or public
way in which plaintext is processed: block / stream

Cryptography and cryptanalysis

Classical substitutions
where letters of plaintext are replaced by other letters or by numbers or
symbols
or if plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with ciphertext bit patterns

Caesar cipher
earliest known substitution cipher
by Julius Caesar
first attested use in military affairs
replaces each letter with the letter 3 places later in the alphabet
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB


Cryptography and cryptanalysis

Caesar cipher
can define the transformation as:
abcdefghijklmnopqrstuvwxyz
DEFGHIJKLMNOPQRSTUVWXYZABC

mathematically, give each letter a number

a  b  c  d  e  f  g  h  i  j  k  l  m
0  1  2  3  4  5  6  7  8  9  10 11 12
n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25

then the Caesar cipher (with shift k, here k = 3) is:

C = E(p) = (p + k) mod 26
p = D(C) = (C - k) mod 26


Cryptography and cryptanalysis

Cryptanalysis of the Caesar cipher

only 26 possible ciphers
A maps to A, B, ..., Z

could simply try each in turn

a brute force search
given the ciphertext, just try all shifts of the letters
do need to recognize when you have the plaintext
e.g. break the ciphertext "ERE L ORYH BRX DOLFH"
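The Caesar cipher and its brute-force cryptanalysis from the two slides above, as an added example that is not part of the original lecture; the word list used to recognise the plaintext is a constructed stand-in for "recognising English".

```python
# Added example (not from the slides): the Caesar cipher as defined by the
# slides' formulas C = (p + k) mod 26 and p = (C - k) mod 26, plus the
# brute-force search over all 26 shifts that recognises the English plaintext.
from string import ascii_lowercase as ALPHABET

# Constructed mini word list used to recognise a readable candidate.
COMMON_WORDS = {"the", "and", "you", "i", "a", "is", "to", "of", "in",
                "it", "me", "we", "love"}

def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = E(p) = (p + k) mod 26; non-letters (spaces) pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = D(C) = (C - k) mod 26, i.e. encrypt with the inverse shift."""
    return caesar_encrypt(ciphertext, -k).lower()

def looks_like_english(text: str) -> int:
    """Count words found in the word list: the 'recognise plaintext' step."""
    return sum(1 for w in text.split() if w in COMMON_WORDS)

def brute_force(ciphertext: str) -> list:
    """Try every shift (only 26 possible ciphers) and rank the candidates."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return sorted(candidates, key=lambda kc: looks_like_english(kc[1]),
                  reverse=True)

if __name__ == "__main__":
    print(caesar_encrypt("meet me after the toga party", 3))
    k, plaintext = brute_force("ERE L ORYH BRX DOLFH")[0]
    print(k, plaintext)  # 3 bob i love you alice
```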


Cryptography and cryptanalysis

Symmetric encryption example

Substitution

[Figure: plaintext message m -> encryption algorithm (key K_A-B) -> ciphertext K_A-B(m) -> decryption algorithm (key K_A-B) -> plaintext; labels: Plaintext, K_A-B, Ciphertext, Encryption algorithm, Decryption algorithm]


Cryptography and cryptanalysis

Monoalphabetic ciphers
The "cipher" line can be any permutation of the 26 alphabetic characters
Statistical analysis
The letters "e" and "t" are the most frequently occurring letters

Two- and three-letter combinations of letters appear quite often
together, like "the", "in"

Guess the words from their appearance


Cryptography and cryptanalysis

Types of cryptanalytic attack

ciphertext only
only the algorithm and ciphertext are known; statistical analysis can identify the plaintext

known plaintext
known/suspected plaintext and ciphertext pairs are used to attack the cipher

chosen plaintext
select plaintext and obtain its ciphertext to attack the cipher

chosen ciphertext
select ciphertext and obtain its plaintext to attack the cipher

chosen text
select either plaintext or ciphertext to encrypt/decrypt to attack the cipher


Cryptography and cryptanalysis

Brute force search

always possible to simply try every key
the most basic attack; effort is proportional to the key size
assumes the plaintext is either known or recognisable


Cryptography and cryptanalysis

Chosen plaintext attack

[Figure: the PIN is encrypted and transmitted to the bank as cipher(key, PIN). Crook #1 changes his PIN to a number of his choice; Crook #2 eavesdrops on the wire and learns the ciphertext corresponding to the chosen plaintext PIN]


Cryptography and cryptanalysis

Polyalphabetic ciphers
another approach to improving security is to use multiple cipher
alphabets
called polyalphabetic substitution ciphers
makes cryptanalysis harder, with more alphabets to guess and a flatter
frequency distribution
use a key to select which alphabet is used for each letter of the message
use each alphabet in turn
repeat from the start after the end of the key is reached

Polyalphabetic encryption
monoalphabetic ciphers + Caesar cipher.
Two Caesar ciphers (k=5, k=19)
Repeating pattern c1, c2, c2, c1, c2


Cryptography and cryptanalysis

Vigenère Cipher
the simplest polyalphabetic substitution cipher is the Vigenère Cipher

effectively multiple Caesar ciphers

key is multiple letters long: K = k1 k2 ... kd

the i-th letter specifies the i-th alphabet to use

use each alphabet in turn

repeat from the start after d letters in the message

decryption simply works in reverse


Cryptography and cryptanalysis

Example
write the plaintext out

write the keyword repeated above it

use each key letter as a Caesar cipher key

encrypt the corresponding plaintext letter

e.g. using keyword deceptive

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
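The Vigenère procedure above (repeat the keyword, use each key letter as a Caesar shift, reverse the shift to decrypt), as an added example that is not from the lecture; it reproduces the deceptive / wearediscoveredsaveyourself slide example.

```python
# Added example (not from the slides): Vigenère encryption and decryption,
# i.e. multiple Caesar ciphers where the i-th key letter selects the i-th
# alphabet, repeating the key after d letters.
from string import ascii_lowercase as ALPHABET

def key_stream(key: str, length: int) -> str:
    """The keyword repeated above the plaintext, as written on the slide."""
    return (key * (length // len(key) + 1))[:length]

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift letter i by key[i mod d]; decryption subtracts instead of adds."""
    letters = [c for c in text.lower() if c in ALPHABET]
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(letters):
        shift = sign * shifts[i % len(shifts)]      # i-th alphabet in turn
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)

def vigenere_encrypt(plaintext: str, key: str) -> str:
    return vigenere(plaintext, key).upper()

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return vigenere(ciphertext, key, decrypt=True)

if __name__ == "__main__":
    pt, key = "wearediscoveredsaveyourself", "deceptive"
    print("key:       ", key_stream(key, len(pt)))
    print("plaintext: ", pt)
    print("ciphertext:", vigenere_encrypt(pt, key))  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
```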


Cryptography and cryptanalysis

One-time pad
if a truly random key as long as the message is used, the cipher will be secure

called a One-Time Pad

is unbreakable, since the ciphertext bears no statistical relationship to the plaintext

since for any plaintext and any ciphertext there exists a key mapping one to the
other

can only use the key once, though

have the problem of safe distribution of the key


Cryptography and cryptanalysis

The advantages of the one-time pad

Easy to compute
Encryption and decryption are the same operation
Bitwise XOR is very cheap to compute

As secure as possible
Given a ciphertext, all plaintexts are equally likely, regardless of the attacker's
computational resources
...as long as the key sequence is truly random
True randomness is expensive to obtain in large quantities
...as long as each key is the same length as the plaintext
But how does the sender communicate the key to the receiver?
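The XOR one-time pad described on the two slides above, as an added example not from the lecture: the same operation encrypts and decrypts, the key must match the message length, and `key_for` shows why any plaintext of the right length is consistent with a given ciphertext (the sample messages are constructed).

```python
# Added example (not from the slides): a one-time pad over bytes. Encryption
# and decryption are the same XOR, the key must be truly random and exactly
# as long as the message, and every ciphertext is consistent with every
# plaintext of that length, which is why the pad must never be reused.
import secrets

def otp(data: bytes, key: bytes) -> bytes:
    """XOR data with key; works in both directions. Rejects a wrong-length key."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))

def new_pad(length: int) -> bytes:
    """Fresh key from the OS CSPRNG (secrets), one pad per message."""
    return secrets.token_bytes(length)

def key_for(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Perfect secrecy: for any plaintext of the right length there is a key
    that maps it to this ciphertext, so the ciphertext alone reveals nothing."""
    return otp(ciphertext, claimed_plaintext)

if __name__ == "__main__":
    msg = b"meet me at noon"                 # constructed sample message
    pad = new_pad(len(msg))
    ct = otp(msg, pad)
    assert otp(ct, pad) == msg               # same operation decrypts
    other = key_for(ct, b"meet me at nine")  # same length, different plaintext
    assert otp(ct, other) == b"meet me at nine"
    print(ct.hex())
```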


Cryptography and cryptanalysis

Transposition ciphers
now consider classical transposition or permutation ciphers

these hide the message by rearranging the letter order

without altering the actual letters used

can recognise these since they have the same frequency distribution as
the original text


Cryptography and cryptanalysis

Rail Fence Cipher

write the message letters out diagonally over a number of rows

then read off the cipher row by row

e.g. write the message out as:

m e m a t r h t g p r y
 e t e f e t e o a a t

giving the ciphertext
MEMATRHTGPRYETEFETEOAAT


Cryptography and cryptanalysis

Row transposition ciphers

a more complex scheme
write the letters of the message out in rows over a specified number of
columns
then reorder the columns according to some key before reading
off the rows
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
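Both transposition ciphers from the preceding slides (rail fence and row transposition, with their slide examples) as an added example that is not from the lecture, including a check that the letter frequencies survive the transposition; the general n-rail zigzag goes beyond the two-row slide example.

```python
# Added example (not from the slides): the two transposition ciphers above.
# rail_fence writes letters zigzag over n rails and reads row by row;
# row_transposition fills rows of len(key) columns and reads the columns in
# the order the key gives. Both keep the letter frequencies of the plaintext.
from collections import Counter

def rail_fence(text: str, rails: int = 2) -> str:
    rows = [[] for _ in range(rails)]
    r, step = 0, 1
    for ch in text.replace(" ", "").lower():
        rows[r].append(ch)
        if rails > 1:                      # bounce between top and bottom rail
            step = 1 if r == 0 else (-1 if r == rails - 1 else step)
            r += step
    return "".join("".join(row) for row in rows).upper()

def row_transposition(text: str, key: list) -> str:
    """key[col] is the position (1-based) in which column col is read out."""
    n = len(key)
    letters = text.replace(" ", "").lower()
    if len(letters) % n:
        raise ValueError("pad the plaintext to a multiple of the key length")
    rows = [letters[i:i + n] for i in range(0, len(letters), n)]
    order = sorted(range(n), key=lambda col: key[col])   # column read order
    return "".join(row[col] for col in order for row in rows).upper()

def row_transposition_decrypt(ciphertext: str, key: list) -> str:
    """Refill the columns in key order, then read the grid row by row."""
    n = len(key)
    nrows = len(ciphertext) // n
    order = sorted(range(n), key=lambda col: key[col])
    grid = [[""] * n for _ in range(nrows)]
    for j, col in enumerate(order):
        for i in range(nrows):
            grid[i][col] = ciphertext[j * nrows + i]
    return "".join("".join(row) for row in grid).lower()

def same_frequencies(plaintext: str, ciphertext: str) -> bool:
    """Transposition only reorders letters, so the distributions match."""
    return Counter(plaintext.replace(" ", "").lower()) == Counter(ciphertext.lower())

if __name__ == "__main__":
    print(rail_fence("meet me after the toga party"))          # MEMATRHTGPRYETEFETEOAAT
    key = [4, 3, 1, 2, 5, 6, 7]
    ct = row_transposition("attackpostponeduntiltwoamxyz", key)
    print(ct, same_frequencies("attackpostponeduntiltwoamxyz", ct))
```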


Cryptography and cryptanalysis

Product Ciphers
ciphers using only substitutions or only transpositions are not secure
because of language characteristics

hence consider using several ciphers in succession to make cryptanalysis
harder, but:
two substitutions make a more complex substitution
two transpositions make a more complex transposition
but a substitution followed by a transposition makes a new, much harder
cipher

this is the bridge from classical to modern ciphers


Public key infrastructure

Secret key cryptography works, but key management is a
nightmare
Public key cryptography uses two keys
one that is secret to the "owner"
one that is widely available

And all our problems were solved... but whose key is this anyway?
A PKI is a secure, reliable, and scalable method for distributing public
keys for secrecy, correctness, and sender verification
"Binds" the owner to the public key using a digital certificate
Maintains and distributes status information for the life of that
binding
Public key infrastructure

Public-key cryptography refers to a cryptographic system requiring
two separate keys, one of which is secret and one of which is public.

One key locks or encrypts the plaintext, and the other unlocks or decrypts
the ciphertext. Neither key can perform both functions by itself.
The public key may be published without compromising security, while
the private key must not be revealed to anyone not authorized to read the
messages.
Public-key cryptography uses asymmetric key algorithms, and can also
be referred to as asymmetric key cryptography.
Public key infrastructure
Public-key cryptographic algorithms have three primary uses:
encryption, key distribution and digital signatures.

Encryption: This is a technique to encrypt a message with a recipient's public key
that cannot be decrypted by anyone except a possessor of the matching private key
of the recipient.

Digital signatures: This is a technique for signing a message using a sender's
private key that can be verified by anyone who has access to the sender's public
key, thereby proving that the sender had access to the private key and, therefore, is
likely to be the person associated with the public key used.

Key distribution: This is a technique for the distribution of the public key and the
private keys among the users.


Public key infrastructure
Examples of well-regarded asymmetric key techniques:
DSS (Digital Signature Standard), which incorporates the Digital Signature
Algorithm

Various elliptic curve techniques

Various password-authenticated key agreement techniques


Public key infrastructure

Digital signature
A Digital Signature is the result of encrypting the Hash of the data
to be exchanged.
A Hash (or Message Digest) is the process of mathematically
reducing a data stream down to a fixed length field.
The Hash uniquely represents the original data.
The probability of producing the same Hash with two sets of
different data is <.001%.
The Signature Process is the opposite of the Encryption Process:
the Private Key is used to Sign (encrypt) Data
the Public Key is used to Verify (decrypt) the Signature


Public key infrastructure

Digital signature process

Step 1. Hash (digest) the data using one of the supported
hashing algorithms, e.g., MD2, MD5, or SHA-1.
Step 2. Encrypt the hashed data using the sender's private
key.
Step 3. Append the signature (and a copy of the sender's
public key) to the end of the data that was signed.

[Figure: Data -> (Step 1) Hash -> (Step 2) Encrypt with the Private key -> Digital Signature; (Step 3) the Digital Signature and Public key are appended to the Data]


Public key infrastructure

Digital signature verification process

Step 1. Hash the original data using the same hashing algorithm.
Step 2. Decrypt the digital signature using the sender's public key. All
digital signatures contain a copy of the signer's public key.
Step 3. Compare the results of the hashing and the decryption. If the
values match then the signature is verified. If the values do not match,
then the data or signature was probably modified in transit.

[Figure: Data -> (Step 1) Hash -> Hash; Digital Signature -> (Step 2) Decrypt with the Public Key -> Hash; (Step 3) compare the two hash values]
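The signing steps 1-2 and verification steps 1-3 from the two slides above, as an added example that is not from the lecture: textbook RSA ("encrypt the digest with the private key, decrypt it with the public key") over a SHA-256 digest. The key generation, the unpadded RSA and the 512-bit demo key size are illustration-only assumptions, not a production signature scheme; step 3 (appending the signature and public key to the data) is left to the caller.

```python
# Added example (not from the slides): signing and verification with textbook
# RSA (no padding) over a SHA-256 digest; the 512-bit demo key is far too small
# for real use and a real scheme would use a padded signature standard.
import hashlib
import random
from math import gcd

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test (n >= 4), enough for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=512, e=65537):
    """Return (public, private) = ((e, n), (d, n)); n must exceed the digest."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(data, private):
    """Step 1: hash the data; step 2: 'encrypt' the digest with the private key."""
    d, n = private
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)

def verify(data, signature, public):
    """Step 1: re-hash; step 2: 'decrypt' with the public key; step 3: compare."""
    e, n = public
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == digest
```

A signature over modified data fails step 3 because the recomputed hash no longer matches the decrypted one.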


Public key infrastructure

PKI layers
Registration Authority (RA) to identity-proof users

Certification Authorities (CA) to issue certificates and CRLs

Repositories (publicly available databases) to hold certificates
and CRLs


Public key infrastructure

Certificate authority

Certification Authority
Trusted (Third) Party
Enrolls and Validates Subscribers
Issues and Manages Certificates
Manages Revocation and Renewal of Certificates
Establishes Policies & Procedures

What's Important
Operational Experience
High Assurance Security Architecture
Scalability
Flexibility
Interoperability
Trustworthiness


Public key infrastructure

Registration authority
Enrolling, de-enrolling, and approving or rejecting requested
changes to the certificate attributes of subscribers.
Validating certificate applications.
Authorizing requests for key-pair or certificate generation and
requests for the recovery of backed-up keys.
Accepting and authorizing requests for certificate revocation or
suspension.
Physically distributing personal tokens to and recovering obsolete
tokens from people authorized to hold and use them.



Public key infrastructure

Certificate policy is …
the basis for trust between unrelated entities
not a formal “contract” (but implied)
a framework that both informs and constrains a PKI
implementation
a statement of what a certificate means
a set of rules for certificate holders
a way of giving advice to Relying Parties


