Cryptography

By Amit Kumar Bhardwaj

Agenda
• Pros and cons of data encryption
• Single key encryption
• Two-key encryption
• Combining single and two-key encryption
• Message integrity
• Digital certificates
• PKI

Encryption is a method of changing a message so that its content isn’t intelligible to a casual viewer. Using something that only the sender and receiver know, the message is turned from readable to nonsense before it is sent and restored to readable form when it is received. Encryption is the primary technique for protecting the content of a data communications message while it is traveling outside the local network on which it originated. Encryption can also be used to protect data stored on a hard disk.

Pros and cons of data encryption
• Encrypting and decrypting messages consumes a lot of computing power, slowing down data communications.
• Negotiating the type of encryption to be used during a communications session lengthens the time needed to set up the session.
• Using encryption and digital certificates for authentication requires the development and maintenance of a PKI, which can be costly for a small organization.

• You can’t process data in encrypted form; it must be decrypted. If you use encryption to protect data stored on your servers, for example, it must be decrypted every time a user needs to search for or display data. This can significantly increase processing time.
• The secret keys for many well-known encryption algorithms can be cracked by today’s high-end computers. Therefore, no encryption method should be considered totally uncrackable, especially when the problem is distributed among Internet users whose computers run a brute force attack during idle periods.

Single Key Encryption Schemes
• The algorithmically simplest type of encryption uses a single shared key to encrypt and decrypt a message. Because there is only one key, it must be known to both the sender and receiver. The result is encryption that is conceptually simple, but possibly difficult to manage.
• Because the key used by both sender and receiver is the same, single key encryption keys are also commonly known as symmetric keys.

Substitution Cyphers
• Single key encryption methods are essentially substitution cyphers, where one character is substituted for another based on a transformation that process is used to decrypt the message.
• When one character is substituted for another, we call it a stream cypher; when a longer key is applied to a group of characters, we call it a block cypher. Most of the substitution cyphers in use today are block cyphers because they are more secure than stream cyphers.

Data Encryption Standard (DES)
• The Data Encryption Standard (DES) was the U.S. government’s first successful attempt at standardizing the encryption used to communicate with government agencies. It was formally adopted as a Federal Information Processing Standard (FIPS) in 1976.
• However, its short key length has made it relatively easy to crack with today’s computing power (less than 24 hours), and although you may find it still in use commercially, it has been replaced for government use by AES.
• DES works much like the second version of the sample substitution cypher

• The DES key is 64 bits in length, although only 56 bits actually are used in the encryption; the remainder are parity bits used for error checking.
• The plaintext is modified in 64-bit chunks. Each time a key is used, it is exclusive-ORed (XORed) with the plaintext. Encrypting a single 64-bit block of plaintext with DES is not as simple as our example, however. It involves 16 rounds of plaintext transformations, including breaking the plaintext into two 32-bit chunks that are swapped repeatedly during the rounds. Each round also expands the 32-bit block to 48 bits, which are then XORed with a 48-bit subkey. The subkey has been generated by a “key schedule,” an algorithm that creates the 48-bit subkeys based on the original 56-bit key. After XORing with the subkey, the 48-bit block is divided into 6-bit chunks, each of which passes through an S-box that outputs a 4-bit block, reducing the overall block back to its original 32 bits. (The security of DES rests with the transformation that occurs in the S-boxes.) Decryption is similar to encryption with the exception that the key transformations must be generated and applied in the reverse order.
• Because of its computational complexity, DES was often implemented in hardware.

Triple DES
The vulnerabilities in DES became very well known. Therefore, cryptographers developed an interim version, for use until another encryption method was adopted, called Triple DES. Triple DES uses a 192-bit key, three times the length of the 64-bit DES key. The algorithm repeats the DES encryption process three times, each time using a different 64 bits of the 192-bit key. Because Triple DES is essentially DES performed three times, it is more than three times harder to crack. It is also three times slower to implement and therefore was never considered as a permanent encryption standard.

Advanced Encryption Standard
• The Advanced Encryption Standard (AES) was developed in 1998 by Vincent Rijmen and Joan Daemen from their proprietary encryption scheme named Rijndael. (AES uses the same algorithms as Rijndael, but requires fixed key and plaintext block sizes; Rijndael can handle keys and block sizes in varying multiples of 32 bits between 128 and 256 bits.)
• AES is similar to DES in that it uses key transformations for security. However, its keys are longer (128, 192, or 256 bits) and it works on 128-bit blocks of plaintext. It also uses S-boxes to output chunks of cyphertext through 10, 12, or 14 rounds of key transformations. (The number of rounds corresponds to the length of the key.)

Two-Key Encryption Schemes
• The serious key management issues surrounding symmetric key encryption methods prompted the development of an encryption method that didn’t require the presharing of a secret key. Three researchers (Ronald L. Rivest, Adi Shamir, and Leonard Adleman) proposed public key encryption (PKE) in 1977.
• The developers of public key encryption are the source of the acronym RSA, the name of their company that currently acts as one of the major issuers of digital certificates.
• PKE is sometimes also called asymmetric key encryption to differentiate it from symmetric key encryption.
• The basic idea behind PKE is that you have different encryption and decryption keys. You publish the encryption key freely so that anyone can encrypt messages to send to you. However, your secret decryption key is the only key that can decrypt the message.

Combining Single- and Two-Key Encryption
• Most encrypted transmissions today use a combination of single- and two-key encryption. The process works as follows:
1. The sender and receiver negotiate encryption methods.
2. Each generates a private symmetric encryption key (a session key). This key will be used to encrypt and decrypt messages for the current communications session only.
3. The sender and receiver encrypt the session key using PKE and send the session keys to each other.
4. The remainder of messages in the session are encrypted using the symmetric key.
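
Steps 2 to 4 in one direction (sender to receiver), as an added example that is not part of the original slides. It uses only the Python standard library, so textbook RSA over two fixed Mersenne primes and a SHA-256 counter keystream stand in for a real public key scheme and for a block cypher such as AES; every name and value is constructed for illustration, and the stand-ins are not secure.

```python
import hashlib
import secrets

# Constructed demo key pair for the receiver (assumption, NOT secure):
# textbook RSA over two well-known Mersenne primes, no padding.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                               # public modulus, published with E
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, never leaves the receiver

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cypher: XOR data with SHA-256(key || nonce || counter).
    Applying it twice with the same key and nonce restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def sender_encrypt(message: bytes, public_key=(N, E)):
    n, e = public_key
    session_key = secrets.token_bytes(16)        # step 2: fresh key for this session only
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)   # step 3: PKE on the key
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(session_key, nonce, message)       # step 4: bulk data
    return wrapped_key, nonce, ciphertext

def receiver_decrypt(wrapped_key: int, nonce: bytes, ciphertext: bytes,
                     private_key=(N, D)) -> bytes:
    n, d = private_key
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")      # unwrap with private key
    return keystream_xor(session_key, nonce, ciphertext)

if __name__ == "__main__":
    wrapped, nonce, ct = sender_encrypt(b"constructed sample message")
    print(receiver_decrypt(wrapped, nonce, ct))
```

Only the 16-byte session key goes through the slow public key operation; the message itself is handled by the symmetric step. Nothing here detects a modified ciphertext, which is the integrity problem the next section covers.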

Ensuring Message Integrity
• Encryption ensures message privacy, preventing unauthorized people from viewing the content of a message. It does not, however, ensure message integrity, preventing someone from changing the message while it is in transit.
• One widely used solution is to create a message digest, or digital signature, a compressed transformation of the message that has the property that a small change in the input (the message) produces a large change in the output (the message digest). The message digest is computed as the message is assembled for transmission and attached to the message itself. The recipient then recomputes the message digest and compares it to what was received. If the two digests don’t match, then the message was altered during transmission.
• Most message digests are created using a process called hashing, which takes an input string and puts it through a predefined transformation. The output is a shorter string of some fixed length. In the case of message digests, the output of the most widely used algorithms is between 128 and 160 bits.

• Good hashing algorithms are one-way, in the sense that you can’t reconstruct the message from the hashed output. Having the message digest doesn’t allow a system cracker to determine the message in a packet. The most common way to use message digests in a cracking attempt is a brute force attack that runs millions of potential messages through the algorithm to find matching digests. When the digests match, then the system cracker has determined the message.

Message Digest Algorithms
• MD5: MD5 was developed in 1991 by Ronald Rivest as a successor to MD4 and MD2. It produces a 128-bit output string that is generally considered quite secure. Research by RSA indicates that it would take a computer designed specifically to crack MD5 24 days to generate a collision.
• SHA-1: SHA-1 is an alternative to MD5 that was developed by NIST. It produces a 160-bit output string. Because it has a longer output string, it is considered more resilient to brute-force cracking attempts than MD5.
• HMAC: HMAC is an extension to both MD5 and SHA-1 that adds a password, further increasing the security of both algorithms.
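
The difference between an attached digest and an HMAC, as an added example that is not part of the original slides. It uses SHA-1 from Python's `hashlib` because the slides name it; the shared secret and both sample messages are constructed. A digest that travels with the message is accepted whenever message and digest are replaced together, while the HMAC check fails without the shared secret.

```python
import hashlib
import hmac

def digest_tag(message: bytes) -> bytes:
    """Unkeyed SHA-1 message digest (160 bits), attached to the message."""
    return hashlib.sha1(message).digest()

def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-1: the digest also depends on a secret both ends share."""
    return hmac.new(key, message, hashlib.sha1).digest()

def verify_digest(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(digest_tag(message), tag)

def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest compares in constant time, so timing reveals nothing
    return hmac.compare_digest(hmac_tag(key, message), tag)

def bits_changed(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def run_cases() -> dict:
    key = b"constructed-shared-secret"       # constructed sample secret
    sent = b"PAY 100 TO ALICE"               # constructed sample message
    altered = b"PAY 900 TO ALICE"            # one character changed
    return {
        "digest_bits": len(digest_tag(sent)) * 8,
        "bits_flipped_by_one_char": bits_changed(digest_tag(sent), digest_tag(altered)),
        # Altered body with the original digest: caught by both schemes.
        "digest_rejects_old_tag": not verify_digest(altered, digest_tag(sent)),
        "hmac_rejects_old_tag": not verify_hmac(key, altered, hmac_tag(key, sent)),
        # Body and tag replaced together: the unkeyed digest still verifies.
        "digest_accepts_recomputed_tag": verify_digest(altered, digest_tag(altered)),
        # Without the shared secret a matching HMAC cannot be produced.
        "hmac_rejects_tag_from_wrong_key": not verify_hmac(
            key, altered, hmac_tag(b"not-the-secret", altered)),
        "hmac_accepts_genuine": verify_hmac(key, sent, hmac_tag(key, sent)),
    }

if __name__ == "__main__":
    for name, value in run_cases().items():
        print(f"{name}: {value}")
```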

Checksums
Another way to ensure message integrity is to use a checksum, a simpler form of a message digest. Because they are not as secure as message digests, checksums are most commonly used to indicate accidental modifications to data during transmission, rather than malicious modifications.

CRC Checksums