Upcoming SlideShare
×

# Introduction to Cryptography

979 views

Published on

1 Like
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total views
979
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
38
0
Likes
1
Embeds 0
No embeds

No notes for slide

### Introduction to Cryptography

1. 1. SECURITY CRYPTOGRAPHYPrepared by Katur Bharat Kumar 1
2. 2. PART - 1Topics discussed in this section:Basic ConceptsEncryption TechniqueDecryption TechniqueIntroduction to CryptosystemsSymmetric CryptosystemsAsymmetric CryptosystemsSymmetric vs. Asymmetric 2
3. 3. BAISC CONCEPTSCryptography – hidden writingEncryption – encode or encipherDecryption – decode or decipherCryptosystem – a system for encryption and decryptionCryptographer – anyone who invents encryption algorithmsCryptanalyst – anyone who attempts to break encryptionalgorithmsCryptology – research of encryption and decryption, includingboth cryptography and cryptanalysis 3
4. 4. ENCRYPTION TECHNIQUE• Encryption Plaintext – Input: plaintext and key – Output: cipher text Encryption Function Cipher text 4
5. 5. DECRYPTION TECHNIQUE Cipher text• Decryption – Input: cipher text and a key – Output: original plaintext Decryption Function Plaintext 5
6. 6. CRYPTOSYSTEMSPlaintext Encryption Ciphertext Decryption Plaintext P Algorithm E C Algorithm D P• Algorithms with a parameter – key K 6
7. 7. SYMMETRIC CRYTOSYSTEMPlaintext Encryption Ciphertext Decryption Plaintext P Algorithm E C Algorithm D P Secret channel K K• C=E(P,K)• P=D(C,K) 7
8. 8. ASYMMETRIC CRYPTOSYSTEMAsymmetric key cryptography uses two separate keys: oneprivate and one public. Locking and unlocking in asymmetric-key cryptosystem 8
9. 9. ASYMMETRIC CRYPTOSYSTEM (Contd.)General idea of asymmetric-key cryptosystemGeneral formulae of asymmetric-key cryptosystem C = f (Kpublic , P) P = g(Kprivate , C) 9
10. 10. SYMMETRIC vs ASYMMETRIC Symmetric algorithm 100 to 1000 times faster than asymmetric one. Symmetric key 10 times shorter than asymmetric key. In Asymmetric algorithm Public Key must be authenticated by CA. Asymmetric Key Generator robustness. Asymmetric algorithm is mainly used for exchange and storage of the secret (symmetric) keys. 10
11. 11. END OF PART - 1 11
12. 12. PART - 2Topics discussed in this section:Certificates and X.509 structureGenerating Self-Signed CertificateCertificate ComponentsWhy Certificates needs to be signed by CARSA CryptosystemOperation Modes for Symmetric CryptosystemsAES CryptosystemHybrid CryptosystemOpenSSL X509 FunctionsOpenSSL EVP FunctionsOpenSSL RSA Functions 12
13. 13. CERTIFICATES and X.509 STRUCTUREWhat is Certificate? A digitally signed statement from the issuer saying that thepublic key of the subject has some specific values.Basic ConceptsSigned Statement :- The certificate must be signed by the issuerwith a digital signature.Issuer :- The person or organization who is issuing this certificate.Public key :- The public key of a key pair selected by the subject.Subject :- The person or organization who owns the public key. 13
14. 14. CERTIFICATES and X.509 – Contd.What is X.509 Certificate? Certificate written in X.509 standard format is called as X.509Certificate and X.509 standard was introduction in 1988. Itrequires a certificate to have the following information:Version :- X.509 standard version number.Serial Number :- A sequence number given to each certificate.Signature Algorithm Identifier :- Name of the algorithm used tosign this certificate by the issuer 14
15. 15. CERTIFICATES and X.509 – Contd.Issuer Name :- Name of the issuer.Validity Period :- Period during which this certificate is valid.Subject Name :- Name of the owner of the public key.Subject Public Key Information :- The public key and its relatedinformation. 15
16. 16. GENERATING SELF-SIGNED CERTIFICATESIntroduction A self-signed certificate is a certificate that the "issuer" is the "subject" himself. In other word, a seft-signed certificate is a certificate where the "issuer" signs his own public key with his private key.ProcedureStep-1 :- Enter your own name as the "subject".Step-2 :- Provide your public key.Step-3 :- Sign it with your private key.Step-4 :- Put everything in the X.509 format. 16
17. 17. CERTIFICATES COMPONENTSopenssl x509 –in MCC.crt -noout -textCertificate:Data:Version: 3 (0x2)Serial Number: 0 (0x0)Signature Algorithm: md5WithRSAEncryptionIssuer: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCCValidity Not Before: Aug 15 02:19:47 2011 GMTNot After : Sep 14 02:19:47 2011 GMTSubject: C=USA,CN=---,OU=MCCSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public Key: (512 bit) Modulus (512 bit):00:a9:e6:19:c6:ee:88:01:86:d9:72:9e:93:92:db:57:01:7b:02:84:fc:1e:e3:57:5e:2a:7b:2b:25:9e:bd:ba:c5:95:2c:49:59:28:df:a6:67:86:26:8e:ff:36:cc:3a:84:5c:28:af:6f:11:c8:0c:b5:c2:c5:b9: 04:d6:0e:5d:d1Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Subject Key Identifier:55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04 X509v3 AuthorityKey Identifier:keyid:55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04DirName:/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=MCCserial:00 X509v3 Basic Constraints: CA:TRUESignature Algorithm: md5WithRSAEncryption3f:ba:0c:c1:ae:38:ca:f6:37:16:9c:35:5f:18:79:64:de:27:0d:46:ad:28:57:b4:62:df:6c:ff:f8:74:17:eb:b6:91:7e:06:6e:ec:a5:9d:23:e2:6e:5a:6e:c3:09:fa:cf:34:65:70:15:65:10:3a:6b:0f:b9:ef:6b:64:18:0e 17
18. 18. VIEWING COMPONENTS OF CERTIFICATES (Contd) This certificate tells us that: The subject is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC" The subjects public key is included in it. The issuer is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC". The issuer is identical to the subject, because this is a self-signed certificate. The certificate is valid for one month. The certificate is signed by the issuer with the signature at the end. 18
19. 19. WHY CERTIFICATES NEED TO BE SIGNED BY CA? Definition of the Certificate Authority (CA) A Certificate Authority (CA) issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CAs obligation in such schemes is to verify an applicants credentials, so that users and relying parties can trust the information in the CAs certificates. CAs use a variety of standards and tests to do so. In essence, the Certificate Authority is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that". If the user trusts the CA and can verify the CAs signature, then he can also verify that a certain public key does indeed belong to whoever is identified in the certificate. 19
20. 20. WHY CERTIFICATES NEED TO BE SIGNED BY CA? (Contd). Certificate Authority (CA) comes into picture when your communication partner does not trust digital signature generated in your certificate. For Certificates to be signed by CA following is the Procedure Step - 1 :- Owner puts its public key into a certificate signing request (CSR) and mails it to the Certificate Authority (CA). Step - 2 :- The Certificate Authority (CA) will verify the request and put owner’s public key in a certificate and sign it with CAs private key. Step - 3 :- Certificate Authority (CA) will share the certificate been signed by the CA back to the owner. When your communication partner receives your public key signed by a CA, communication partner can validate the signature with the Certificate Authority CAs public key. If the validation is ok, communication partner can then trust sender public key. 20
21. 21. RSA CRYPTOSYSTEMThe most common public-key algorithm is the RSA cryptosystem,named for its inventors (Rivest, Shamir, and Adleman). 21
22. 22. RSA CRYPTOSYSTEM – KEY GENERATION ALGORITHM 22
23. 23. RSA CRYPTOSYSTEM - EXAMPLEBob chooses 7 and 11 as p and q and calculates n = 77. The value off(n) = (7 − 1)(11 − 1) or 60. Now he chooses two exponents, e and d,from Z60∗. If he chooses e to be 13, then d is 37. Note that e × d mod60 = 1 (they are inverses of each Now imagine that Alice wants tosend the plaintext 5 to Bob. She uses the public exponent 13 toencrypt 5.Bob receives the ciphertext 26 and uses the private key 37 todecipher the ciphertext: 23
24. 24. OPERTION MODES FOR SYMMETRIC CRYPTOSYSTEM ECB Mode CBC ModeOther Modes are OFB, CFB, CTR Modes 24
25. 25. ECB: Electronic Codebook Encryption Using ECB Mode Decryption Using ECB Mode 25
26. 26. CBC: Cipher Block Chaining Encryption Using CBC Mode Decryption Using CBC Mode 26
27. 27. AES CRYPTOSYSTEMAES stands for Advanced Encryption Standard performs encryption anddecryption based on the Block Cipher technique. Block Ciphers could beCBC, EBC etc.Encryption of the Plan Text Decryption of the Plan Text 27
28. 28. AES CRYPTOSYSTEM Need for a more efficient and secured algorithm AES is Rindjael (Rijmen & Daemen) with 128-bit data block only Key Size: 128, 192, and 256 bits. Approved as a Federal Standard (FIPS 197). Five Standard Modes of Operation specified in the NIST Special Publication 800-38A. 28
29. 29. AES CRYPTOSYSTEM - FEATURES Need for a more efficient and secured algorithm AES is Rindjael (Rijmen & Daemen) with 128-bit data block only. Key Size: 128, 192, and 256 bits. Approved as a Federal Standard (FIPS 197). Five Standard Modes of Operation specified in the NIST Special Publication 800-38A. 29
30. 30. HYBRID CRYPTOSYSTEM User User A Symmetric Encrypted Symmetric B Encryption Message Decryption Message Asymmetric Signed Asymmetric Encryption Encrypted Key Decryption KsecretKsecret + Signature Ksecret + Signature KpubB KprivA KpubA KprivB 30
31. 31. OPENSSL X509 FUNCTIONSX509_set_serialNumber :- Set Serial Number for the X.509 Certificate.X509_get_serialNumber :- Get Serial Number from the given X.509 Certificate.X509_cmp_current_time :- Validates the certificate expiry time.X509_set_pubkey :- Appends the certificate with public key.X509_get_pubkey :- Extracts the public key from the given public certificate.X509_to_X509_REQ :- Converts the given public certificate from X509 format toCertificate Request (PKCS10 ).X509_REQ_sign :- Sign the given Certificate Request (PKCS10 ).PEM_write_X509_REQ :- Write the given Certificate Request (PKCS10 ) to the PEM file.PEM_read_X509:- Reads the given Certificate Request (PKCS10 ) from the PEM file. 31
32. 32. OPENSSL EVP FUNCTIONSEVP_CIPHER_CTX_init :- initializes cipher context.EVP_EncryptInit_ex :- sets up cipher context for encryption with cipher type from ENGINE.EVP_EncryptUpdate :- encrypts the given data and store it in the out variable .This function could be called multiple times to encrypt the successive blocks of data.EVP_EncryptFinal :- This function is called only when padding is set. The main purposeof this function is encrypts the "final" data, that is any data that remains in a partial block.It uses standard block padding|/NOTES (aka PKCS padding).EVP_MD_CTX_init :- initializes signing context.EVP_SignInit_ex :- sets up signing context with digest type from ENGINE.EVP_SignUpdate :- hashes the given data into the signature context. This function can becalled several times on the same context to include additional data .EVP_SignFinal :- signs the data available in the context using the Private/ Shared secret key. 32
33. 33. OPENSSL EVP FUNCTIONS (Contd.)EVP_MD_CTX_init :- initializes verify context.EVP_VerifyInit_ex :- sets up verification context with digest type from ENGINE.EVP_VerifyUpdate :- hashes the given data into the verification context. This function can becalled several times on the same context to include additional data .EVP_VerifyFinal :- verify the data available in the context using Public / Share Secret keyagainst the given signature.EVP_CIPHER_CTX_init :- initializes cipher context.EVP_DecryptInit_ex :- sets up cipher context for decryption with cipher type from ENGINE.EVP_DecryptUpdate :- decrypts the given data and store it in the out variable .This function could be called multiple times to decrypt the successive blocks of data.EVP_DecryptFinal :- The main purpose of this function is decrypt the "final" data,that is any data that remains in a partial block. 33
34. 34. OPENSSL RSA FUNCTIONSRSA_generate_key_ex :- This function is used to generate RSA key pair. Key size could be512, 1024, 2048, 4096.RSA_public_encrypt :- This function is used to encrypt a given data, RSA encrypts the givendata using Public key.RSA_sign :- This function is used to encrypt a given data using message digest algorithmand generates the signature on the encrypted data (generated by the message digestalgorithm).RSA_verify :- This function is used to encrypt a given data using message digest algorithm,generates the signature on the encrypted data (generated by the message digestalgorithm) and compares the generated signature with the given signature.RSA_private_decrypt :- This function is used to decrypt a given encrypted data, RSAdecrypts the given encrypted data using Private key.PEM_read_RSAPrivateKey :- This function is used to read the Private key from the PEM file.PEM_write_RSAPrivateKey :- This function is used to write the Private key to the PEM file.PEM_read_RSAPublicKey :- This function is used to read the Public key from the PEM file.PEM_write_RSAPublicKey :- This function is used to write the Public key to the PEM file. 34
35. 35. END OF PART - 2 35