Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org INTRODUCTON TO CRYPTOGRAPHY Compiled by A.K.Asokan : : email:email@example.comPlease read the paragraph below once and then continue…Sheela used the public key of Tom and encrypted a message and sent it to Tom. Tomhas decrypted the message with his private key and he understood that sheela wantedto make sure his identity and asked him to send his digital signature. Tom then send aquick reply to sheela telling that the next day he will send the digital signature and heencrypted the message with sheelas public key. Sheela received the same and read itafter decrypting it with her private key. The next day Tom has sent her anothermessage. This message has a message digest with it as he used hash encryption tocreate the digest. Tom has encrypted the digest with his private key and he encryptedthe original message with sheelas public key. On receiving the message, sheeladecrypted the digest using Toms public key and she then decrypted the originalmessage with her own private key, since it has been encrypted with her public key byTom. In order to verify the digital signature, sheela did a hashing on the original plaintext message sent by Tom and compared the resulted message digest with themessage digest which Tom has sent to her which she decripted using the public key ofTom. There was no difference in the message digests and she confirmed the integrity ofthe data and also verified the digital signature. She also cross checked the digitalsignature and public key of Tom in the Directories provided by the CA.Thoroughly confused?…. You are in the right track.. read on…..ForewardThis note has been compiled by me especially for the CISA aspirants to get a basic ideaabout Computer security concepts like Cryptography, Crypto systems, Public keyinfrastructure (PKI), Symmetric key or private key and assymmetric key or public key,message digest, encryption, decryption, digital signature, hashing algorithm, CertificateAuthority etc., and the overall working of the ‘system’. This note is not a technical writingon the subject and it is intented to circulate among the CISA group members ONLY.Utmost care is taken to explain the concepts in the right perspective. Unlike my previousnotes, this note will be a bit hard to understand because we deal with ‘security’ andnone of the concepts are light weight. Have a nice time and good luck to all those whoare going to take the forthcoming CISA exam. – A.K.Asokan.Network SecurityEversince we explored new possibilities in communication over a networkedenvironment, the threats, and security issues are also associated somehow. In order toovercome such threats and vulnerabilities, we have been struggling hard to find out newways and methods. Cryptography is a method by which communication can be sent in asecured manner.
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 2What is cryptographyCryptography has a history dates back thousand years. It refers to "the art of writing insecret characters". The main purpose of cryptography is to enable securecommunications between the two parties, the sender and the receiver. If someoneintercepted the message while in transit, he will not be able to read or understand theoriginal message because the data in between the sender and the receiver will be a‘scrambled message’. The scrambled message is otherwise known as ‘encryptedmessage’ and it is achieved with a computer program and a key. Only the receiver whohas the key to ‘unscramble’ or “decrypt it, can read and understand the message. If thatis so, how do we ensure the following?How do we ensure the confidentiality of the data received?How do we ensure that no one has altered the data while it was transmitting from thesender to the receiver?How do we ensure that the message is originated only from the person who claims whohe is?What is the guarantee that at a later date, the sender will not deny that he has not sentsuch a message at all? How do we prove it that only he sent the message?How to identify that the message we received is definetely altered in transit and it is notthe message which was originally sent?All these can be very well answered with the help of cryptographic systems. In thecryptographic systems, the following two systems are important. 1. Secret key or Private key otherwise known as Symmetric key cryptography 2. Public Key CryptographySymmetric Key or Private key otherwise Secret Key CryptographyLet us understand what is a key, at the outset.Just read the following message and imagine that you are a Bank Manager and youreceived this message from one of your clients.“Order two tons of black metal from Asokan and transfer ten lakh dollars to his account”.This is the message you received from one of your clients.
Cryptography – A compilation by A.K.Asokan : : email:email@example.com 3Now, if you did according to the instruction, what happen if your client later denied thathe has not instructed so and he is going to sue you? What is your proof that he only hassent you the message? So some mechanism should be there to solve this problem.Before answering all such questions, let us understand what is meant by ‘scrambling” or“encrypting”. We achieve this by creating an algorithmic pattern or rules to convertmessages to an unreadable form called “scrambled message” or “encrypted message”.For this let us create a key (a rule) now on our own. Let us assume that, when theabove plain text message is encrypted, there is an equivalent letter in the encryptedmessage also which is forward shift all letters by 1 position in the alphabet. That is ‘a’becomes b, ‘b’ becomes c, ‘c’ becomes d and ‘d’ becomes e etc … Lets now encryptthe message.The Key: Forward shift all letters by 1 position in the alphabet that is a becomes b, bbecomes c, c becomes d and d becomes e etc (So we created an angorithmic partternon our own now)Original message : “Order two tons of black metal from Asokan and transfer ten lakhdollars to his account”.Now if we apply our ‘key’ to the original message, then we get an “encrypted message”as below.Encrypted message according to our above key : psefs uxp upot pg cmbdl nfubm gspnbtplbo boe usbotgfs ufo mbli epmmbst up ijt bddpvou. (This encrypted message isknown as cipher text (after encryption of the plain text).To decipher or unscramble or decrypt the above encrypted text, what key we have touse? Very simple! It is the opposite of the key we used to encrypt. That is backwardshift all letters by 1 position in the alphabet that is d becomes c, c become b, b becomea and so on. Now if you apply the backward shift all letters by 1 key to the aboveencrypted message, we get the original plain text message:“Order two tons of black metal from Asokan and transfer ten lakh dollars to his account”.For instance, you as bank manager keeps the key to decrypt it, and your client has thekey to ‘encrypt” it, then, no one can read and understand the message in transit.(Remember the ‘key’ what we discuss is only for example purpose. In reality, thealgorithmic pattern will be much more complex that no one can unscramble it, if themessage captured in transit)Therefore, “encryption” is the process of translating a normal message called plain textto a message written with secret characters known as cypher text. “Decryption” is theprocess of translating a message written with secret characters (the cypher text) into areadable, normal message called plain text. For both the operations, we need a KEY.
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 4Think of this key as your main door key. Let us say it is the ‘secret’ key or “private” keyfor you. You use the key to lock the door and you use the same key to unlock it. If youhave another duplicate key, you can give it to your wife and she can use the same keyto lock and unlock the door. If you think the same in encryption and decryption, you usethe same ‘secret’ key to ‘encrypt’ the message and the same key is used to ‘decrypt’ themessage.If you lock the door, your wife can open the door provided both of you must have thesame key. If you distributed the secret keys to 20 of your family members and youlocked the door with your secret key, then any of the 20 members can open the door!.Like that if you ‘encrypt’ a message with your secret key and distribute your ‘key’ toanother 20 people, all of them will be able to ‘decrypt’ the message.What happens if a culprit like me got the key somehow from any one of you? I can alsoopen your door or I can also ‘decrypt’ your message and read the contents? So what weunderstand here is, the distribution of the secret key or ‘symmetric key’ is a problem.Symmetric means similar or equal. Since we use the ‘same’ key to encrypt and decrypt,the name ‘Symmetric’. You have to somehow trust a communication channel for the keydistribution.More over, if someone compromised the key which is used to ‘encrypt’ a message, it isvery very easy to generate the other key to ‘decrypt’ the message from that key itself.The is the major disadvantage of ‘secret’ key otherwise known as ‘symmetric key’.Refer table 1 below for an example.
Cryptography – A compilation by A.K.Asokan : : email:email@example.com 5Table 1. Secret key or Private key otherwise known as Symmetric keycryptosystem. Plain text message. “Send tenStep 1 thousand dollars to Asokan”Step 2 Encrpt it with the secret keyStep 3 (Encrypted message or Both these keys are one @## $#$# $%& *(* $%$ and the same in cipher text.) @#@# $%^ *(*)(&$ Symmetric cryptography as your main door key which you use for both locking and unlocking.Step 4 send it to the receiverStep 5 Receiver Decrypts it with secret key Derived the plain textStep 6 message “Send ten thousand dollars to Asokan”
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 6Public Key InfrastructurePublic key infrastructure is a broad concept where there are lot of components in that.PKI is “The framework and service that provides for the generation, production,distribution, control and accounting of public key certificates and provides the criticallyneeded support to application and providing confidentiality and authentication ofnetwork transactions as well as data integrity and non-repudiation”It is basically “Asymmetric’ means there will be TWO keys for the communicationprocess i.e. the Public key and the Private key. These keys are mathematically related.“Asymmetric” can be thought of ‘not similar’. Please do not be in a hurry to think thatone is for encryption and another is for decryption. It should not be understood(misunderstood) in that way. Understanding how the ‘key pair works’ is a lovely conceptyou might ever enjoyed in Network security. Let us see what are the components ofPKI.The Public Key Infrastructure or popularly known as PKI has the following components. • Root Certification Authority (Root CA) • Certification Authority (CA) • Registration Authority (RA) • Local Registration Authority (LRA) • Directories and • UsersLet us first understand about the ‘key pairs’, The “Public key” and the “Private key”. (Theprivate key should not be confused with the key utilized in private key cryptography orsecret key cryptography explained above. The perspective meaning of the word ‘private’here in Asymmetric or public key cryptography is that it is just private as we used to say“it is my private afffair don’t poke your nose into that”. It means not to discolse or sharethe key with another person, that’s all.) For anyone who has the apprehension “howthese keys will look like” do not visualise these as physical keys. All are driven bysoftware programmes. At the end of the day you click once for “encryption” and youclick once for “decryption” that is what happens.So we have two keys in front of us. One is the “Public key” and the other is the “Privatekey”. Imagine what happens if you display your phone number in your website.Everyone in the world can see that and note it down. Like that the public key is the keywhich has to be distributed publically for anyone who can copy it into their own machine.Why they are copying the public key into their machine? Because they want to send youmessages in an ‘encrypted form” otherwise to communicate with you securely. Fine. In that case, can I copy any public key and use the same for ‘encrypting messages” forcommunicating to all my friends? The answer is NO. It is not possible because the keysare ‘pairs’. The idea is that if you encrypt a message with a public key, only thecorresponding private key can decrypt it. Not any other private key. The ‘private key’ is
Cryptography – A compilation by A.K.Asokan : : email:email@example.com 7to be kept confidentially with the owner. It is private or personal to him. It is hisresponsibility to keep it confidentially. Not to be shared with anyone as you keep yourpassword.A very important concept here to understand is that both the keys can be used toencrypt a message and both the keys can be used to decrypt a message. But in whatcontext, which key is the crux of the matter. That is the fact which make the ‘security’.Now let us look at the following example carefully and understand where and when wehave to use and what keys!I want to send a ‘secure’ message to my friend Mr.Mukesh Pandya. To do this, first ofall I must have his public key to encrypt the message. Yes. His public key. I will encryptmy message with Mr.Mukesh’s public key. Once I encrypted the message, it becomesin a ‘scrambled’ format known as cipher text. I, then send it to him and he will ‘decrypt’ itwith his private key and read the message.Now (please read carefully) he wants to reply me for my message. What he has to dois, he has to encrypt the message with MY PUBLIC KEY and send it to me. Only then, Iwill be able to decrypt it and read the reply message. Suppose he has encrypted thereply message with his private key, instead of my public key, what is the implication?The message can be decrypted with his public key only. Fine. Who has his public key?The entire world has! That means anyone who has his public key can read themessage! Is there any security? Instead of that, if he correctly encrypted the messagewith my public key, and inadvertantly if the message has gone to any other person, noone will be able to ‘decrypt’ it except me because the ONLY person who has thecorresponding private key to decrypt the message is ME. Here the communication issecured.If someone is intercepted the message in between he will not be able to read themessage and it is highly difficult to generate the opposite key from one key in PKI. Butthen what is the use of ‘encrypting a message” with Private key? There is definetely acontext in which you ‘must’ use the private key for encryption which we will discuss in aminute.Another example, Mr.Tom wants to write to sheela, Tom uses the public key of sheelaand encrypt his message with sheela’s public key and send it to her. Sheela decryptTom’s message with her private key and read the message. When she replies to Tom,she uses Tom’s public key to encrypt her message and send it to Tom. Tom, onreceiving the message, uses his private key to decrypt it and read sheelas reply. Refertable 2. below for an example.
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 8Table 2. Public Key Infrastructure - Asymmetric cryptosystem Plain text message. “Send tenStep 1 thousand dollars to Asokan”Step 2 Encrpt it with the public key of the receiverStep 3 (Encrypted message or Both these keys are @## $#$# $%& *(* $%$ different in Asymmetric cipher text.) @#@# $%^ *(*)(&$ cryptography.Step 4 send it to the receiverStep 5 Receiver Decrypts it with his private key Derived the plain textStep 6 message “Send ten thousand dollars to Asokan”
Cryptography – A compilation by A.K.Asokan : : email:email@example.com 9From the above examples, it must be understood that any two parties can communicatesecurely provided both the parties (sender as well as receiver) must own their own keypairs. If you want to send secure messages to ten of your friends, you must have thepublic keys of all the ten friends in your computer. If all the ten friends have to reply youin a secured way, then they all must have your public key to encrypt the messages.Remember our previous message received by the Bank Manager? I shall write downthe same for you below.“Order two tons of black metal from Asokan and transfer ten lakh dollars to his account”.Upon receiving the messages from the client, the bank manager, who wanted to dothings at a fast pace, ordered two tons of black metal from Asokan and he transferred10 lakh dollars to Asokan’s account. Subsequently he got a telegram from the clientstating that they have not given any instruction to the manager to debit their accountand the action of the manager having debited 10 lakh dollars is wrong and he is gong tosue the bank.What to do in this situation. Both of them went to the court. In the court, the bankmanager when asked to show the proof of having received the above message from theclient, he brought his computer and the message and proved that the message hasbeen really sent by the client only!. The client could not deny any more and he heardthe music after that. Let us now discuss how the bank manager proved this.When the sender of a message cannot deny having sent the message is known as“nonrepudiation”. This is accomplished when the sender ‘signs’ a message with his‘private key’. This is called digital signature. When a message comes to you which isdigitally signed, we can make sure that it is coming from the same person who claimswho he is. It is possible because only he has the private key. Since only the public keycan decrypt the private key, the message must have come from the sender. Non-repudiation protects against the sender saying “I didn’t send the message”. In the aboveexample also, the bank manager showed the digital signature to the judge and hisverdict was “Yes. You only has sent the message because you signed it with your privtekey”.A digital signature is used to verify the integrity of the message and encryption is usedto protect the contents. (Both these concepts are hard to understand and only when youunderstand the subtle interlinking of these two together, you understand the concept ofencryption with digital certificate well. Some new related concepts also will beintroduced in between and hence readers are requested to read carefully and if need beplease repeat the same so that you get the concept in the right perspective).So far we have understood what is encryption. Recall that I sent an encrypted messageto Mr.Mukesh Pandya sometime before? The message was encrypted with his publickey and it become a scrambled message and he unscrambled or decrypted it using his
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 10private key. All that is fine. Here we protected the contents. But can you tell me for surethat what Mr.Mukesh received is the message sent by me? And it is not tampered intransit? I mean whether he can be sure of the integrity of the message? And later if Isay that I have not sent that message to him; what happens? How he will prove that Ionly sent the same? Here is where we learn the concept of digital signature. If I wouldhave digitally signed the message, then Mr.Mukesh could have make sure and provedthat it is from me only and it is not tampered in transit. Let us understand how it works.Before we proceed further, I would like to introduce another concept called ‘hashencryption”. There are many types of encryptions. What we discussed so far issymmetric key or secret key encryption, and public key encryption. We will discuss onemore encryption method called “hash encryption”.Hash encryption is a special type of encryption that it is a “one way encryption”. Oneway means, once you encrypted a message, that message become scrambledmessage and it cannot be unscrambled or decrypted. Obviously what happens if weuse hash encryption on the contents of our messages? The message will never be ableto decrypt by anyone and hence hash encryption cannot be used for “protecting” thecontents of the message. Then what is the use of hash encryption? The use of the hashencryption is for the purpose of digital signature.In order to understand the digital signature, I am going to send the same message toMr.Mukesh once again, but this time with my digital signature. Fine. What should I dofirst. I create the message. It is a plain text message now. I apply hash encryption onthe message. When I apply hash algorithm on my plain text message, a ‘messagedigest’ is generated. What is a message digest? It is a ‘scrambled copy’ of my originalmessage. A fingerprint of the original message. Nothing happens to my originalmessage but a message digest is generated. The message digest is comparatively verysmall when you compare with the original message and it is compressed down to asmall size. It is an ‘encrypted summary’ of the original message. Once it is generated,there is no way to reverse the process. It cannot be converted back into plain text, fromthe hash.So I hashed my plain text message and generated a ‘message digest’. Now I have theoriginal message with me as well as the message digest also with me. I should nowsend it to Mr.Mukesh. How this will ensure the data integrity? It is very interesting. Thefollowing steps are to be done. 1) I encrypt the hashed message digest with my ‘private key’ once again. This encrypted message digest is known as “Digital signature” 2) I encrypt my original message with the ‘public key’ of Mukesh. 3) I send both, the encrypted message and the digital signature to Mr.Mukesh 4) Mukesh receives the same. 5) He detach the digital signature and decrypt it using my public key. 6) He decrypt the original message with his private key. 7) He sees my plain text message and the hashed message digest.
Cryptography – A compilation by A.K.Asokan : : email:email@example.com 11 8) He separately ‘re-hash’ my original plain text message once and the hash function generates a message digest. 9) He then compares both the message digests (one which I sent and the other one which he himself generated using hash function on my plain text message). 10) Here he takes a decision of integrity. If the message is not tampered in transit, then both the message digests will be equal. If both the message digests are not matched, then it is sure that the message is tampered in transit.Table 3. Digital Signature Plain text messageStep 1 run a hash algorithm.Step 2Step 3 !@#$(You get the digest and you also have Plain Text %^&*your plain text message with you) Encrypt the Encrypt the plain text message digest message with with sender’s own This encryptedStep 4 version of message receiver’s private key so digest is called public key so that the receiver ’digital signature’ that he can can identify the decrypt it with sender his private key Send both (the encrypted You can even send a plain text with the digital signature.Step 5 message and the digital signature) to the receiverStep 6 (receiver end) &^%$*#[Encrypted message and the %$^%&^&# @$Digital signature (encrypted $%$%@#message digest)]
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 12 Decrypt the Since message digest was digital signature encrypted with the sender’s private key, if it is decryptedStep 7 with sender’s with his own public key, then it Decrypt the public key to get is sure that he only has sent ‘encrypted’ the message the message as no one will message with have his private key. digest receiver’s private keyStep 8 !@#$ If both the(Plain text and message digest) Plain Text %^&* message digests are equal, then Both are the digital compared signature is verified. The receiverStep 9 !@#$New Message digest generated re-hashes the %^&*by the receiver plain text to generate a new message digestThe Digital signature and the Publick key of anyone can be accessed or cross checked and downloaded from theCertificate Authority’s website and directories.
Cryptography – A compilation by A.K.Asokan : : email:email@example.com 13The speciality of the hash function is that, even if you change a ‘single bit’ of data in theoriginal message, the hash function would produce a completely different messagedigest.Everything is fine. But where we will cross check whether the digital signature is reallybelong to the person who claims it to be. This is achieved with the help of “DigitalCertificates”.A digital certificate is a digital document that certifies that a certain public key is ownedby a particular user. The following are its main content. • Version • Serial number • Certificate issuer • Certificate holder • Validity period (the certificate is not valid before or after this period) • Attributes, known as certificate extensions, that contain additional information such as allowable uses for this certificate • Digital signature from the certification authority to ensure that the certificate has not been altered and to indicate the identity of the issuer • Public key of the owner of the certificate • Message digest algorithm used to create the signatureThis document is signed and authorised by a third party called the certificate authority(or CA). CA and digital certificate are two elements of the PKI. Digital certificate provesto everyone that your public key is really yours. If you digitally sign your message withyour private key, and send the receiver a copy of your certificate, he can know for surethat the message was sent by you because only your public key can decrypt the digitalsignature and the certificate assures that the public key the receiver uses is yours. Youcan even publish your digital signature on the website. Sender authentication can beachieved with the use of digital signature and digital certificate.A public key infrastructure consists of: • A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key. • A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to anyone who apply for it. • One or more directories where the certificates (with their public keys) are displayed. The private key is given to the person who apply for it and the public key is made publicly available in a directory that everyone can access. This is part of the digital certificate. • A certificate management system.
Cryptography – A compilation by A.K.Asokan : : email:firstname.lastname@example.org 14Now go back and read the first paragraph, you should be able to understand thesequences well.The above notes are provided to get only a preliminary understanding of the cryptosystems..Cryptography is a deep subject and since it is a security system and every moment, there arehackers who work to break the system, if one has to study in depth in this area, it is desirousthat he/she do some research with the available tools and understand the related concepts ofethical hacking and firewall, NAT, IDS, and various standards etc. – Hope this note achieved thepurpose –I wish you all Success. A.K.Asokan. Your feedback to email@example.com will be highly appreciated. ___________________________________