At the end of the period, the students should be able to:
• Give an overview of Cryptography and encryption techniques
• Explain the Cryptography Key Fundamentals and History
• Distinguish the different types of encryption modes
• The purpose of cryptography is to protect transmitted information from being read and understood by anyone except the intended recipient. In the ideal sense, unauthorized individuals can never read an enciphered message. In practice, reading an enciphered communication can be a function of time — the effort and corresponding time, which is required for an unauthorized individual to decipher an encrypted message may be so large that it can be impractical. By the time the message is decrypted, the information within the message may be of minimal value.
Definitions
• Block Cipher
– Obtained by segregating plaintext into blocks of n characters or bits and applying the identical encryption algorithm and key, K, to each block.
– A cryptographic transformation that operates on characters or bits.
• Ciphertext or Cryptogram
– An unintelligible message.
– A situation in which a plaintext message generates identical ciphertext messages using the same transformation algorithm, but with different cryptovariables or keys.
Cryptography
• Codes
– A cryptographic transformation that operates at the level of words or phrases.
• Cryptanalysis
– The act of obtaining the plaintext or key from the ciphertext that is used to obtain valuable information to pass on altered or fake messages in order to deceive the original intended recipient; breaking the ciphertext.
• Cryptographic Algorithm
– A step-by-step procedure used to encipher plaintext and decipher ciphertext.

Cryptography
• Cryptography
– The art and science of hiding the meaning of a communication from unintended recipients. The word cryptography comes from the Greek, kryptos (hidden) and graphein (to write).
• Cryptology
– Encompasses cryptography and cryptanalysis.
• Cryptosystem
– A set of transformations from a message space to a ciphertext space.
• Decipher
– To undo the encipherment process and make the message readable.
• Encipher
– To make the message unintelligible to all but the intended recipients.
• End to End Encryption
– Encrypted information that is sent from the point of origin to the final destination. In symmetric key encryption, this requires the sender and receiver to have the identical key for the session.

Cryptography
Cryptography – science of encrypting information.
– “scrambles” data so only authorized parties can “unscramble” and read data
How do we scramble data?
– Substitution (confusion)
– Transposition (diffusion)
• A strong cipher will use BOTH these methods.
(Visual on next slide)

Basic Idea
Figure 1.0: Encryption (Source: www.akadia.com)

Cryptographic Terminology
• Cryptography – a method of storing and transmitting data in a form only intended for authorized parties to read or process.
• Cryptanalysis* – science of studying, breaking, and reverse engineering algorithms and keys.

Cryptographic Terminology
• Encryption – the method of transforming data (plaintext) into an unreadable format.
• Plaintext – the format (usually readable) of data before being encrypted
• Cipher text – the “Scrambled” format of data after being encrypted

Cryptographic Terminology
• Decryption – the method of turning cipher text back into
• Encryption algorithm – a set of rules or procedures that dictates how to encrypt and decrypt data. Also called an encryption “cipher”
• Key – (crypto variable) a value used in the encryption process to encrypt and decrypt

Cryptosystem Definitions
• Key space – the range of possible values used to construct keys
  example: if a key can be 4 digits (0-9), key space = 10,000; if it can be 6 digits, key space = 1,000,000
• Key Clustering – Instance when two different keys generate the same cipher text from the same plaintext
• Work factor – estimated time and resources to break a cryptosystem

Cryptosystem Development Concepts
• Algorithms should be open to review.
• Assume the attacker knows your encryption/decryption algorithm.
• The only thing that should be secret in a cryptosystem is the “key” (Kerckhoffs's Principle)
Key Generation and Management

Key Generation and Management
• The goal of designing an encryption method is to make compromising it too expensive to be worth it.
• The amount of work to break it is called “work-factor”
• Protecting the key is important. There is no point in designing an encryption system that would take 1,000,000 years to break if you can easily just get someone's key!
• Key Protection is CRITICAL

Key Generation and Management
• The larger the key space is, the more secure a cryptosystem is. This is called “Key Complexity”
• Keys should be extremely random and use the full spectrum of the key space
– Ex. Assume your key can be 10 digits: is 0000000001 a good key?

Key Generation and Management
• Keys must be securely distributed/transported and stored/accessed.
• Key lifetime should correspond with the sensitivity of the data to be protected, and the number of times the key is used.

Key Generation and Management
• Keys should be backed up in case of emergency
• Keys should be destroyed when their lifetime is at an end.
• If a key is used often, it should be retired after a certain lifetime.
Cryptography History

Cryptography History
Romans used a shift cipher called a “CAESAR” cipher. Shift Ciphers simply shift characters in an alphabet.

ROT13 / shift cipher
Figure 2.0: ROT13 (Source: www.it.wikipedia.org)

Transposition Cipher
Jumbles up the ordering of characters in a message. The Spartans of Greece used a form of this called the “Scytale” Cipher.

Scytale
Figure 3.0: Scytale (Source: www.ecriture-art.com)

Vigenere Cipher
• Polyalphabetic Substitution Cipher
– A more advanced substitution cipher, as any letter can have multiple letters substituted for it!
• That is, an A will not always map to an N
• Harder to break!

Vigenere Cipher
Figure 4.0: Vigenere Cipher (Source: www.cryptodox.org)
Symmetric Encryption

Symmetric Encryption
• Idea: same key is used to BOTH encrypt and decrypt data!
Figure 5.0: Symmetric Encryption (Source: www.karul.org)

Symmetric Encryption
• Called Symmetric or “Private Key encryption”
• Must securely distribute keys to both parties.
– Chicken and egg situation with networks
• Anyone with the key can either encrypt or decrypt
• Very Fast to encrypt or decrypt
• Key Management is the big issue

Key Management
n: number of parties who want to securely communicate
# keys = (n*(n-1)) / 2
n = 5: (5*4)/2 = 10 keys
n = 10: (10*9)/2 = 45 keys
n = 100: (100*99)/2 = 4950 keys
n = 1000: (1000*999)/2 = 499500 keys
Encryption Modes

Encryption Modes – Block
• Take the message and break it up into fixed sized blocks, encrypt each block using the given key.

Block
Figure 6.0: ECB (Source: www.knowledgerush.com)

Block Encryption
• Problems with Block Encryption?
– If two plaintext blocks have the same contents, the resulting cipher text blocks will be identical.

Block Encryption Problems
• Often with block encryption, we include a value in addition to the key that changes for each block, so we don’t get repetitive cipher text blocks.
– CBC chaining & Initialization Vectors

Cipher Block Chaining
Figure 7.0: Cipher Block Chaining (Source: www.cryptoshop.com)

Counter Mode
• Sometimes you have to encrypt and you don’t know the previous block’s cipher text ahead of time (for example, if you encrypt in parallel).
• Then we simply use an additional component (like the IV) that is predetermined: a counter.
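The repetition problem and the two fixes described on the slides above, as an added example that is not part of the original slides. The block cipher is a toy Feistel construction assumed here as a stand-in for a real cipher; the function names and the sample key, IV, nonce and plaintext are constructed for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, blk):
    # Toy 4-round Feistel cipher (assumption: stand-in for a real block cipher
    # such as AES, used only so the modes can be compared; not for real use).
    left, right = blk[:8], blk[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Identical algorithm and key for every block: equal blocks in, equal blocks out.
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))  # mix in the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    # Keystream block i depends only on (nonce, counter i), never on earlier
    # ciphertext, so blocks can be handled in parallel. The same call decrypts.
    return b"".join(xor(b, encrypt_block(key, nonce + i.to_bytes(8, "big")))
                    for i, b in enumerate(blocks(data)))

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block.
    return len(blocks(ct)) - len(set(blocks(ct)))

# Constructed sample input: three identical 16-byte blocks (block-aligned,
# so no padding is needed here).
KEY = secrets.token_bytes(16)
IV = secrets.token_bytes(BLOCK)
NONCE = secrets.token_bytes(8)
PT = b"PAY 100 TO ALICE" * 3

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, PT)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, PT)))
    ct = ctr_crypt(KEY, NONCE, PT)
    print("CTR repeats:", repeated_blocks(ct), "round trip:", ctr_crypt(KEY, NONCE, ct) == PT)
```

Decrypting the ECB or CBC output would run the Feistel rounds in reverse order; only the encryption direction is needed to see the repeated blocks.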
• XORing is a Boolean mathematical “function” which creates an output bit based on two input bits. It outputs a 1 IF and ONLY if one bit of input is 1 and the other is a 0.

INPUT 1   INPUT 2     XOR OUTPUT
--------------------------------
   0         0     =      0
   0         1     =      1
   1         0     =      1
   1         1     =      0

The “key” is used as a key stream generator, which creates a series of bits, each of which is mathematically combined with the bit stream of plaintext to produce cipher text. This is done for small pieces of information, or information not in blocks.
• Keyboard input
• Morse code
• Any input that arrives one bit or byte at a time

Stream Encryption (one bit per step)

Plain Text Bit        Keystream Bit     Output Bit
      1         XOR         1        =      0
      0         XOR         1        =      1
      1         XOR         0        =      1
      1         XOR         1        =      0
      0         XOR         1        =      1

Cipher text = 0 1 1 0 1

Stream Cipher considerations
• Stream ciphers are hard work, better done in hardware
• “key stream generator” should not generate repeating patterns.
• “key stream generator” should not produce predictable output
• “key stream generator” should not produce a key stream related to the key
• The number of 0s and 1s in the key stream should be about equal.

Cipher Feedback Mode
• Similar to Cipher Block Chaining in block mode; however, in this case we are using a stream cipher.
• Think “Cipher Block Chaining” for stream encryption. We will use a few bits of the cipher text to “alter” the output of a key stream generator.

One Time Pad
1011 – plain text
0101 – pad
------ XOR
1110 – cipher text
• In a one time pad you use a different key/pad each time you send a message

One Time Pad
A modification of a symmetric key system.
• A “perfect cryptosystem”
• Unbreakable if implemented properly
• The key is a series of bits (0 and 1)
• The plain text is converted to bits
• The message is XORed with the pad/key to generate the cipher text (see next slide)

One Time Pad considerations
• The pad must be used only one time
• The pad must be shared by both sides.
• The pad must be as long as the message
• The pad must be securely distributed
• The pad must be made up of truly random values
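The XOR slides and the pad rules above, as an added example that is not part of the original slides: it reproduces the two bit-level examples from the slides and shows what an eavesdropper obtains when the same pad encrypts two messages. Function names and sample messages are constructed for illustration.

```python
import secrets


def xor_bits(plain_bits: str, key_bits: str) -> str:
    """XOR two equal-length bit strings, one bit at a time, as on the slides."""
    if len(plain_bits) != len(key_bits):
        raise ValueError("keystream/pad must be exactly as long as the message")
    return "".join(str(int(p) ^ int(k)) for p, k in zip(plain_bits, key_bits))


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def otp_encrypt(message: bytes) -> tuple:
    """Encrypt with a fresh random pad; returns (pad, ciphertext)."""
    pad = secrets.token_bytes(len(message))
    return pad, xor_bytes(message, pad)


def pad_reuse_leak(msg1: bytes, msg2: bytes) -> bytes:
    """Encrypt two messages with the SAME pad and XOR the two ciphertexts.

    The pad cancels out, so the result equals msg1 XOR msg2: an eavesdropper
    learns a relation between the plaintexts without ever seeing the pad.
    """
    pad = secrets.token_bytes(max(len(msg1), len(msg2)))
    c1, c2 = xor_bytes(msg1, pad), xor_bytes(msg2, pad)
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    print(xor_bits("1011", "0101"))        # one time pad slide
    print(xor_bits("10110", "11011"))      # stream encryption slides
    pad, ct = otp_encrypt(b"MEET AT NOON")  # constructed sample message
    print(xor_bytes(ct, pad))               # decryption is the same XOR
    # Constructed sample messages; zero bytes mark positions where they agree.
    print(pad_reuse_leak(b"PAY ALICE 100", b"PAY CAROL 500").hex())
```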
Symmetric Algorithms

Symmetric Algorithms – DES
Data Encryption Standard
• Developed from a NIST request for an encryption standard
• Chosen algorithm was called “Lucifer” from IBM
• Block Cipher
• Fixed sized blocks of 64 bits
• Key size 64 bits, effective size is 56 bits
• 16 rounds of substitution and transposition
• DES is no longer considered strong enough, can be broken easily with distributed computing.

Triple DES
Nothing but DES 3 times
• 3DES – EEE3
• 3DES – EDE3
• 3DES – EEE2
• 3DES – EDE2
Since it’s 3 x DES, 48 rounds of substitution and transposition.

AES
Developed as a replacement to DES
• Actual algorithm is called “Rijndael”
• Block cipher
• 128 bit blocks
• Key sizes of 128, 192, 256
• Rounds depend on key size
– 9: for 128 bit keys
– 11: for 192 bit keys
– 13: for 256 bit keys

RC5
• Block cipher
• Block size 32, 64, 128
• Key Size up to 2048 bits
• Rounds up to 255, minimum of 12 recommended

RC6
• Block cipher based on RC5, same attributes as RC5
• Developed to be an AES candidate
• Faster than RC5

RC4
• Stream cipher – what was that again?
• Was proprietary, but released on Internet in 1994. “ARC4” is the “open version of RC4”
• Key length 8 – 2048 bits
• Used in SSL and WEP communication

Blowfish
• Block cipher
• 64 bit blocks
• Keys 32 - 448 bits
• 16 rounds is the “full version”
• Free algorithm

IDEA
International Data Encryption Algorithm
• Proposed AES candidate
• Block cipher
• 64 bit blocks
• 128 bit keys
• Used in PGP

Symmetric
That’s Symmetric Encryption
For the exam
• Understand the concept (shared keys)
• Understand its strengths (fast for bulk encryption and decryption)
• Understand its weaknesses (key management, non-repudiation)
• Understand the different algorithm “properties” on the slides.

Symmetric Cons
• Keys must be shared
– This is difficult to really do. How do you get a key to someone you want to talk to?
– Requires secure mechanism to deliver keys
– Number of keys needed becomes crazy large as number of people involved increases
– Does Not provide Authenticity or Non-repudiation
Asymmetric Encryption

Asymmetric Encryption
Use 2 keys, public key to encrypt a message, private key can decrypt
Figure 8.0: Asymmetric Encryption (Source: www.infosysblogs.com)

Asymmetric Encryption
• Called Public key encryption
• Requires 2 related keys
– Public key – given to anyone
– Private key – kept secret
• Public key is used to encrypt message
• Private key is used to decrypt message
• Private key is used to sign messages
• Public key is used to validate signed messages

Asymmetric Encryption
• Key exchange is simple!
• Asymmetric Encryption is SLOW, not suitable for encrypting large amounts of data
• What is a problem with Asymmetric Encryption and key exchange? (MiM)
• Asymmetric Encryption uses “trapdoor” functions to make hard work easier. (just memorize this)
• Can be used to “digitally sign” a message (next slides)
– Provides integrity
– Provides non-repudiation
• Can anyone see a use to Asymmetric encryption already?* (very important)

Diffie-Hellman
• The original Asymmetric algorithm
• Developed to address shortfalls of key distribution in symmetric key distribution.
• Enables two people to receive a symmetric key securely without a previous relationship
• Generates session keys for secure SYMMETRIC encryption communications
• Algorithm is based on “difficulty of calculating discrete logarithms in a finite field”
• Vulnerable to “man in the middle” attacks

Asymmetric Algorithms – RSA
• Can be 100 times slower than DES
• Can be used for digital signatures, key exchanges*, and encryption
• Security based on difficulty of factoring large numbers.
• Private and Public keys are functions (results of mathematical operations) of large prime numbers.
• Was patented, has expired

Asymmetric Algorithms – DSA
• Designed for use in the Digital Signature Standard (DSS).
• Can only be used for signing.

El-Gamal
• Encryption, key exchanges or digital signatures
• Actually an extension of Diffie-Hellman
• Free
• Security based on computing discrete logarithms in a finite field?!? Yeah, I don’t even know what that means… time to go back to math class.
• Slowest of all methods we will discuss

Elliptic Curve Cryptosystem
• Used for digital signatures, encryption and key distribution.
• The fastest asymmetric algorithm that we discuss.
• Deals with discrete logarithms of elliptic curve.
• Because it’s fast and easy, used on devices with limited resources. (example: cell phones)

Asymmetric Overview
• Uses 2 keys, one for encryption, one for decryption
• This mitigates the key management, key distribution problem (kind of…)
• Can provide integrity and proof of sender (nonrepudiation)
• Is VERY slow (orders of magnitude slower)
• Often used in a hybrid system (along with private key encryption)
– Encrypt symmetric keys using asymmetric algorithms
– Actually do large scale encryption with these asymmetric keys!
Hashing
Hashing is similar to encryption… but different. Hashing is a one way operation.
1. Take input message
2. Put through hashing function
3. Retrieve fixed length value (hash digest)

Hash
Figure 9.0: Hash (Source: http://www.fileformat.info/tool/hash.htm)

Hashes
• Once hashed, no way to get back the original message.
• Hash digests are fixed length, so multiple messages theoretically could produce the same hash digest (collision)

Hashes
• Hashing can provide integrity (assuming no MiM)
• Hashes can be combined with a private key to provide protection against MiM attacks (visualization on next slide)
• The more bits in the digest, generally the more secure (less chance for collision…generally)
• One Example of a hash that you are probably familiar with is called a “CRC”

Hash algorithms – SHA
Secure Hash Algorithm
• Designed/Published by NIST and NSA
• Designed for use in the DSS
• Modeled after MD4
• SHA-1 (SHA-160) – 160 bit digest – 512 bit blocks
• SHA-256 – 256 bit digest – 512 bit blocks
• SHA-384 – 384 bit digest – 1024 bit blocks
• SHA-512 – 512 bit digest – 1024 bit blocks

MD2
• Developed by Ronald Rivest (of RC and RSA fame)
• 128 bit digest
• 128 bit blocks

MD4
• Optimized for 32 bit computers
• 128 bit digest
• Collisions can be found in under 1 minute on a PC

MD5
• Similar to MD4, but more secure
• Slower and more secure
• 128 bit digest
• 512 bit blocks
• Was part of the NTLM authentication protocol
• Collisions in 8 hours on a PC
• Moving away from, to SHA

Attacks against Hashes
• Collisions – figure out how to create a message with the same hash value (collision)
– Ex. “I’d like to buy 100 units of the widget” => A3BT
– What if I could make the message “I’d like to buy 500 units of the widget” and have the same hash value “A3BT”? I can beat the integrity constraint
• This is called a birthday attack

Hash overview
• Know what a hash is
– Concept
– Fixed length digest
– What is a hash used for
– Know what a collision is
– Know it’s susceptible to MiM
– Know what HMAC is, and what it tries to accomplish
• Understand a good hash function should not make it predictable on how to “force” a collision. Otherwise you could create a message that would generate the same hash as another (why is this bad?)

Hash Overview
• Be familiar with MDx, and SHA-x
• Understand that SHA is considered the best algorithm

HMAC
HMAC – uses a secret key in combination with a hash algorithm to verify that a hash is not tampered with. Rather than just doing the “hash algorithm” on the message, append your secret key to the message to create a new message and run the hash on the new message. The returned value is called a MAC (Message Authentication Code)

HMAC
Figure 10.0: HMAC (Source: www.networkworld.com)

HMAC
• Provide integrity and data origin authentication (how?)
• Does not provide confidentiality
• Does not provide specific person authentication (as keys are shared)
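An added example (not from the original slides) of why an unkeyed hash does not survive a MiM while a keyed MAC does, reusing the widget order from the collision slide. It uses the standard HMAC construction from Python's hmac module rather than the simplified append-then-hash description above; the key, the SHA-256 choice and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # constructed sample; real keys come from a CSPRNG
ORDER = b"I'd like to buy 100 units of the widget"


def plain_digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    # Standard HMAC (RFC 2104) as implemented by the Python standard library.
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking, through timing, how much of the tag matched.
    return hmac.compare_digest(mac(key, message), tag)


def alter_in_transit(message: bytes):
    """Model of the MiM from the slides: it changes the message and recomputes
    the unkeyed digest, which needs no secret."""
    altered = message.replace(b"100", b"500")
    return altered, plain_digest(altered)


def receiver_checks():
    """Return (plain hash accepted?, HMAC accepted?) for the altered message."""
    tag = mac(SHARED_KEY, ORDER)                    # sender's tag over the original
    altered, new_digest = alter_in_transit(ORDER)
    return (verify_digest(altered, new_digest),     # tampering goes unnoticed
            verify_mac(SHARED_KEY, altered, tag))   # tag no longer matches


if __name__ == "__main__":
    print(receiver_checks())
```

Because both sides hold the same key, a valid tag shows the message came from a key holder and was not altered, but not which key holder produced it.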
Summary
In this lesson, you have learned:
• Cryptography
• Encryption Modes
• Cipher
• Symmetric Algorithm
• Symmetric Encryption
• Asymmetric Encryption
• Attacks against Hash
• Hashing
• HMAC

Any Questions? Thank You!