Cryptography Basics Pki


PKI Training


Unit 1 : Cryptography Basics. Introduction and Key Terms

LEARN CRYPTO & PKI
« La Citadelle électronique »

Cryptography: a technology for protecting your digital assets, and then for designing security solutions.

TRAINING CRYPTOGRAPHY & PKI

Authors:
Sylvain Maret, security architect, PKI instructor and Checkpoint instructor (Checkpoint CCSE), Dimension Data (Switzerland), formerly Datelec
Cédric Enzler, IPSec and cryptographic engineer, PKI instructor, Dimension Data (Switzerland), formerly Datelec

Revision: Version 1.5, October 1999, rev. August 2000
TABLE OF CONTENTS

Learn Crypto & PKI (page 1)
Training Cryptography & PKI (page 2)
Table of contents (page 3)
1. Cryptography Basics (page 5)
1.1. Introduction (page 5)
1.2. Key terms (page 5)
1.3. Miscellaneous Cryptosystems (page 7)
1.3.1. Secret Key (page 7)
1.3.2. Public Key (page 7)
1.3.3. Message Digest (page 7)
1.4. Cryptography in history (page 8)
1.5. Cryptanalysis (page 20)
1.6. AES (Advanced Encryption Standard) (page 22)
1.6.1. Overview of the AES Development Effort (page 22)
1.6.2. Minimum Acceptability Requirements (page 23)
1.6.3. AES Round 2 Finalists (page 23)
1.7. Smart Cards (page 25)
1.7.1. Introduction (page 25)
1.7.2. What kinds of Smart Cards are available? (page 25)
1.7.3. Symmetric / Asymmetric Cryptoprocessing (page 26)
1.7.4. Smart Cards with different “flavors” (page 26)
1.7.5. Memory Cards (page 26)
1.7.6. Symmetric Cryptoprocessor Cards (page 27)
1.7.7. PKI Smart Cards (page 27)
2. PKI Applications (lab exercises) (page 29)
2.1. Symmetric file encryption (page 29)
2.1.1. Lab Exercise 1 (page 29)
2.2. Message-Digest Algorithms (page 33)
2.2.1. Lab Exercise 2 (page 33)
2.3. Securing the desktop (page 37)
2.3.1. Introduction (page 37)
2.3.2. Blowfish Advanced CS (page 37)
2.3.3. Lab Exercise 3 (page 40)
2.4. PGP (Pretty Good Privacy) (page 46)
2.4.1. The PGP Symmetric Algorithms (page 46)
2.4.2. About PGP Data Compression Routines (page 47)
2.4.3. About the Random Numbers used as Session Keys (page 48)
2.4.4. About the Message Digest (page 48)
2.4.5. Encryption and Decryption (page 49)
2.4.6. Digital Signature for PGP (page 50)
2.4.7. Lab Exercise 4 (page 51)
2.5. The SSH Protocol (page 63)
2.5.1. Introduction (page 63)
2.5.2. Host Authentication (page 64)
2.5.3. User Authentication (page 64)
2.5.4. Cryptographic Methods (page 65)
2.5.5. Lab Exercise 5 (page 66)
2.6. S/MIME (page 79)
2.6.1. Lab Exercise 6 (page 79)
2.7. SSL (page 97)
2.7.1. History (page 97)
2.7.2. Secure Sockets Layer (SSL) (page 97)
2.7.3. Session Establishment (page 98)
2.7.4. Key Exchange Method (page 99)
2.7.5. Cipher for Data Transfer (page 99)
2.7.6. Digest Function (page 100)
2.7.7. Handshake Sequence Protocol (page 100)
2.7.8. Data Transfer (page 101)
2.7.9. Lab Exercise 7 (page 102)
2.7.10. Lab Exercise 8 (page 123)
2.8. Smart Card (page 138)
2.8.1. Lab Exercise 9 (page 138)
2.9. Playing the security officer (page 140)
2.9.1. Lab Exercise 10 (page 140)
2.10. Revocation with client SSL authentication (page 143)
2.10.1. Lab Exercise 11 (page 143)
2.11. IPSEC (page 147)
2.11.1. Introduction (page 147)
2.11.2. IPSec Architecture (page 148)
2.11.3. IPSec Tunneling (page 149)
2.11.4. IKE Main Mode and Quick Mode (page 154)
2.11.5. Lab Exercise 12 (page 157)
1. CRYPTOGRAPHY BASICS

1.1. INTRODUCTION

It is likely that almost all students attending our “introduction to PKI” already have at least a basic knowledge of encryption and related subjects. Consequently, some of you might wish to skip this chapter: defining a terminology or a set of cryptography key terms is austere. However, we decided to begin with this less exciting section because we noticed, in many discussions with people familiar with the field, that the definitions of terms are often mixed up. We therefore start with simple definitions of the key terms that will be used constantly in the course, in order to provide the basis needed to understand the subject.

1.2. KEY TERMS

A message is called plaintext or cleartext. The process of disguising a message to hide its substance is encryption. The encrypted message is referred to as ciphertext. Decryption is the process of turning ciphertext back into plaintext. A schematic view of these definitions is given below:

Figure 1: Cryptography key terms

Cryptography is the science of keeping messages secure. Cryptanalysis is the art and science of breaking ciphertext (seeing through the above disguise). Cryptology is the branch of mathematics encompassing both cryptography and cryptanalysis. Today, as cryptology is based on the mathematical properties of numbers in both modern algebra and number theory, cryptologists are theoretical mathematicians.
Encryption and decryption are carried out by a set of mathematical functions, referred to as a cryptographic algorithm or cipher. Besides providing confidentiality, cryptography is required to provide other security features, such as:

- Authentication: it should be possible for the receiver of an encrypted message to be certain of the sender’s identity. Authentication is the process that guarantees this.
- Non-repudiation: the sender cannot later deny having been the sender of the ciphertext.
- Integrity: a guarantee that the message was not modified between the sender and the receiver.

The first ciphers or cryptographic algorithms suffered a major drawback: their security was based on the secrecy of the algorithm itself. As a result, every time a user left the group of people knowing the algorithm, all other users had to switch to a different one! We understand today that this is not acceptable, therefore these ciphers, called restricted algorithms, are no longer used.

Modern cryptography worked around this drawback by introducing the concept of a key. In these algorithms, security is based on the key(s), meaning that the algorithm can be published at no risk. In most cases, the key used for encryption is not the same as the one used for decryption. As a result, the above diagram is modified as follows:

Figure 2: Cryptography key terms, with keys

A cryptosystem consists of a cipher, keys, and all possible plaintexts and ciphertexts. In some algorithms, the decryption key can be calculated from the encryption key (the two keys may be identical or different); this is called symmetric encryption (see further in the course). In other algorithms, neither key can be calculated from the other: this is called asymmetric encryption or public-key encryption.
1.3. MISCELLANEOUS CRYPTOSYSTEMS

Today’s cryptosystems do not rely on simple text shifts or substitution techniques, like those described at the beginning of the next section, but rather on sophisticated mathematical algorithms that would theoretically require an unreasonable amount of computer power and time to break. The range of applications using cryptography to solve everyday problems is growing. Today, exchanging information is so easy, and the amount of information we routinely exchange is so much greater than ever before, that the need to secure that information and to have secure means of transmitting it is of considerable importance. Records ranging from personal medical data to credit card purchases, which were once relatively easy to secure in hard copy, now flow freely over public networks. The use of cryptography has shifted from a “weapon” conceived primarily for military applications and espionage to a valuable and indispensable tool for the general public to conduct everyday, routine transactions.

1.3.1. Secret Key

This cryptosystem, sometimes referred to as symmetric key encryption, is a rather straightforward cryptographic system in which plaintext is encrypted by providing the encryption algorithm with a value; this value is the secret key. Only the parties that know the secret key value are able to decrypt the resulting ciphertext.

1.3.2. Public Key

Sometimes referred to as asymmetric key encryption, this type of cryptosystem relies on a key pair composed of two elements: a private key and a public key. The public key is typically stored in a location available to anyone. When someone wants to send an encrypted message to another party, he obtains that party’s public key and uses it to encrypt the message. As the recipient alone is in possession of the private component of the key pair, only he can decrypt the message.

Figure 1: Miscellaneous cryptosystems

1.3.3. Message Digest

This type of cryptosystem is often called a hashing function. With this technology, a variable-length message is run through the algorithm to produce a fixed-length digest; the digest cannot be run back through the algorithm to produce the original message. All three cryptosystems are used in most Public Key Infrastructure implementations. They will be described in more detail in the following sections.

© Dimension Data SA (Switzerland), Sylvain Maret & Cédric Enzler. Version 1.5, October 1999, rev. August 2000. Page 7
1.4. CRYPTOGRAPHY IN HISTORY

Cryptography is one of the oldest fields of technical study we can find records of, going back at least 4,000 years. It is quite noteworthy that, of all the cryptosystems developed in those 4,000 years of effort, only 3 systems remain hard enough to break to be of real value.

Cryptography probably began in or around 2000 B.C. in Egypt, where hieroglyphics were used to decorate the tombs of deceased rulers and kings. These hieroglyphics told the story of the life of the king and proclaimed the great acts of his life. They were purposefully cryptic, but not apparently intended to hide the text. Rather, they seem to have been intended to make the text seem more regal and important. As time went by, these writings became more and more complicated, and eventually people lost interest in deciphering them.

Figure 1: Hieroglyphics

Cryptology was (and still is, to some extent) enshrouded in a veil of mystique for most people. Because of this, the public began to associate cryptography with the black arts. It was often thought to be related to communication with dark spirits, and developed a bad image as a result. Most early cryptographers were scientists, but the common people were often convinced that they were also followers of the devil.

The ancient Chinese used the ideographic nature of their language to hide the meaning of words. Messages were often transformed into ideographs for privacy, but no substantial use in early Chinese military conquests is apparent. Genghis Khan, for example, seems never to have used cryptography.

In India, secret writing was apparently more advanced. The government used secret codes to communicate with a network of spies spread throughout the country. Early Indian ciphers consisted mostly of simple alphabetic substitutions, often based on phonetics. Some of these were spoken or used as sign language.
This is somewhat similar to “pig latin” (igpay atinlay), where the first consonant is placed at the end of the word and followed by the sound “ay”.
The cryptographic history of Mesopotamia was similar to that of Egypt, in that cuneiforms were used to encipher text. The picture below shows a table of numbers found in Susa (modern Iran). These numbers were associated with words, demonstrating an amazingly modern level of cryptography.

Figure 2: Mesopotamian tables

This technique was also used in Babylon and Assyria.

In the Bible, a Hebrew ciphering method is used at times. In this method, the last letter of the alphabet is replaced by the first, and vice versa. This is called 'atbash'. For example, the following table gives a translation of this sort for English. The word “HELLO” becomes “SVOOL”. Try to decrypt the word “WVXIBKG” and see what you get.

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA

Figure 3: An “Atbash” cipher

In the famous Greek drama the 'Iliad', cryptography was used when Bellerophon was sent to the king with a secret tablet, which told the king to have him put to death. The king tried to kill him by having him fight several mythical creatures, but he won every battle.

The Spartans used a system which consisted of a thin sheet of papyrus wrapped around a staff (now called a “staff cipher”). Messages were written down the length of the staff, and the papyrus was unwrapped. In order to read the message, the papyrus had to be wrapped around a staff of equal diameter. Called the 'skytale' cipher, this was used in the 5th century B.C. to send secret messages between Greek warriors. Without the right staff, it would be difficult to decode the message using the techniques available at that time. The following version of the alphabet demonstrates the technique. First we see the wrapped version of the alphabet, then the unwrapped version.

ADGJMPSVY
BEHKNQTWZ
CFILORUX

ADGJMPSVYBEHKNQTWZCFILORUX

Figure 4: A “Skytale” cipher
Polybius developed another Greek method (now called the “Polybius Square”). The letters of the alphabet would be laid out in a five-by-five square (similar to the later Playfair method), with i and j occupying the same square. Rows and columns are numbered 1 to 5, so that each letter has a corresponding (row, column) pair. These pairs could easily be signaled by torches or hand signals. Decryption consists of mapping the digit pairs back into their corresponding characters. This system was the first to reduce the size of the symbol set, and in a loose sense it might be considered the forerunner of modern binary representations of characters.

Figure 5: The “Polybius Square”

Julius Caesar used a system of cryptography (the 'Caesar cipher') which shifted each letter 2 places further through the alphabet (e.g. Y shifts to A, R shifts to T, etc.). This is probably the first cipher used by most schoolchildren. In the table below, the first row is plaintext, while the second row is the equivalent ciphertext.  The distance of the displacement is not important to the scheme, and in fact, neither is the lexical ordering chosen. The general case of this sort of cipher is the “monoalphabetic substitution cipher”, wherein each letter is mapped to another letter in a one-to-one fashion. Try decoding VJKU.

ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZAB

Figure 6: The “Caesar” cipher

Cryptanalysis is the practice of turning ciphertext into plaintext without complete knowledge of the cipher. The Arabs were the first to make significant advances in cryptanalysis. An Arabic author, Qalqashandi, wrote down a technique for solving ciphers which is still used today. The technique is to write down all the ciphertext letters and count the frequency of each symbol. Using the average frequency of each letter of the language, the plaintext can be written out. This technique is powerful enough to cryptanalyze ANY monoalphabetic substitution cipher if enough ciphertext is provided.

During the Middle Ages, cryptography started to progress. All of the Western European governments used cryptography in one form or another, and codes started to become more popular. Ciphers were commonly used to keep in touch with ambassadors. The first major advances in cryptography were made in Italy. Venice created an elaborate organization in 1452 with the sole purpose of dealing with cryptography. It had three cipher secretaries who solved and created ciphers that were used by the government.
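The Atbash, Caesar and Polybius ciphers of this section, together with the frequency-count attack described by Qalqashandi, as an added Python example (not part of the course material; the sample message and the "most frequent letter stands for E" rule are constructions of this example):

```python
# Added example, not part of the course material: the Atbash, Caesar and
# Polybius ciphers described above, and the frequency-count attack that
# recovers any Caesar shift once enough ciphertext is available.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def substitute(text, cipher_alphabet):
    """Monoalphabetic substitution: each plaintext letter becomes the letter at
    the same index in cipher_alphabet (the two-row tables of Figures 3 and 6).
    Non-letters pass through unchanged."""
    return text.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def atbash(text):
    """Figure 3: A<->Z, B<->Y, ... (the reversed alphabet). Self-inverse."""
    return substitute(text, ALPHABET[::-1])


def caesar(text, shift):
    """Figure 6: the alphabet rotated 'shift' places (2 in the course's table).
    Decrypt by passing the negative shift."""
    shift %= 26
    return substitute(text, ALPHABET[shift:] + ALPHABET[:shift])


# Figure 5: 5x5 Polybius square, I and J share a cell; rows/columns numbered 1-5.
POLYBIUS = "ABCDEFGHIKLMNOPQRSTUVWXYZ"


def polybius_encode(text):
    """Each letter becomes its (row, column) digit pair, e.g. A -> '11'."""
    pairs = []
    for ch in text.upper():
        if ch == "J":
            ch = "I"
        if ch in POLYBIUS:
            idx = POLYBIUS.index(ch)
            pairs.append(f"{idx // 5 + 1}{idx % 5 + 1}")
    return " ".join(pairs)


def polybius_decode(digits):
    """Map each digit pair back to its letter."""
    out = []
    for pair in digits.split():
        row, col = int(pair[0]) - 1, int(pair[1]) - 1
        out.append(POLYBIUS[row * 5 + col])
    return "".join(out)


def break_caesar(ciphertext):
    """Qalqashandi's method in its simplest form: the most frequent ciphertext
    letter stands for the most frequent letter of the language (E in English).
    Returns (shift, plaintext); needs enough text for E to dominate."""
    counts = Counter(c for c in ciphertext.upper() if c in ALPHABET)
    top = counts.most_common(1)[0][0]
    shift = (ALPHABET.index(top) - ALPHABET.index("E")) % 26
    return shift, caesar(ciphertext, -shift)


# Constructed sample message (an assumption of this example, not course text).
SAMPLE = ("THE ENEMY FLEET HAS LEFT THE HARBOUR AND WE EXPECT THEM TO REACH "
          "THE NORTHERN BEACHES BEFORE THE SEVENTH")

if __name__ == "__main__":
    print(atbash("HELLO"), atbash("WVXIBKG"))   # SVOOL DECRYPT
    print(caesar("VJKU", -2))                     # THIS
    print(polybius_encode("POLYBIUS"))
    print(break_caesar(caesar(SAMPLE, 11)))       # (11, SAMPLE)
```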
Leon Battista Alberti was known as “The Father of Western Cryptology”, in part because of his development of polyalphabetic substitution. Polyalphabetic substitution is any technique allowing different ciphertext symbols to represent the same plaintext symbol. This makes it more difficult to interpret ciphertext using frequency analysis. In order to develop this technique, Alberti analyzed the methods for breaking ciphers, and devised a cipher which would try to render these techniques invalid. He designed two copper disks that fit into each other, each with the alphabet inscribed upon it. To start enciphering, a predetermined letter on the inner disk is lined up with any letter on the outer disk, which is written as the first character of the ciphertext. The disks are kept stationary, with each plaintext letter on the inner disk aligned with a ciphertext letter on the outer disk. After a few words of ciphertext, the disks are rotated so that the index letter on the inner disk is aligned with a new letter on the outer disk, and in this manner the message is enciphered. By rotating the disk every few words, the cipher changed enough to limit the effectiveness of frequency analysis. Even though this technique in its stated form is very weak, the idea of rotating the disks, and therefore changing the cipher many times within a message, was a major breakthrough in cryptography.

The next major step was taken in 1518 by Trithemius, a German monk who had a deep interest in the occult. He wrote a series of six books called 'Polygraphia', and in the fifth book devised a table that repeated the alphabet with each row a duplicate of the one above it, shifted over one letter. To encode a message, the first letter of the plaintext is enciphered with the first row of the table, the second letter with the second row, and so on. This produces a message where all available ciphers are used before being repeated.

The figure below shows a changing key cipher of this sort. Notice that the assignment of code symbols to plaintext symbols changes at each time step (T1, T2, ...). In this system, the key repeats every 26 letters of ciphertext. Below we see the table used (called the tabula recta) as well as successive encryption steps.

Figure 7: “Tabula recta”

ABCDEFGHIJKLMNOPQRSTUVWXYZ  Plaintext
FGUQHXSZACNDMRTVWEJBLIKPYO  T0
OFGUQHXSZACNDMRTVWEJBLIKPY  T1
YOFGUQHXSZACNDMRTVWEJBLIKP  T2
PYOFGUQHXSZACNDMRTVWEJBLIK  T3
GUQHXSZACNDMRTVWEJBLIKPYOF  T25

Figure 8: A “Changing Key” cipher
In 1553, Giovan Batista Belaso extended this technique by choosing a keyword that is written above the plaintext, in a letter-to-letter correspondence. The keyword is restarted at the beginning of each new plaintext word. The letter of the keyword above the letter of the plaintext is the first letter of the cipher line to be used. In other words, if the plaintext letter is 'b' and its keyword letter is 'r', then the line of the Trithemius cipher beginning with 'r' is used to encipher the letter 'b'. He chose to name the keyword a “password”…

Keyword   : BEL ASOBELA SOB ELASOB
Plaintext : LES ITALIENS ONT TROUVE

The basic keyword is BELASO in this example.

The most famous cryptographer of the 16th century was Blaise de Vigenère (1523-1596). In 1585, he wrote 'Traicté des Chiffres', in which he used a Trithemius table but changed the way the key system worked. One of his techniques was to use plaintext as its own key. Another used ciphertext. The way in which these keys are used is known as key scheduling, and is an integral part of the “Data Encryption Standard” (DES), which we will discuss later.

Figure 9

Until 1917, the Vigenère cipher was considered impossible to decrypt.

In 1628, a Frenchman named Antoine Rossignol helped his army defeat the Huguenots by decoding a captured message. After this victory, he was called upon many times to solve ciphers for the French government. He used two lists to solve his ciphers: “one in which the plain elements were in alphabetical order and the code elements randomized, and one to facilitate decoding in which the code elements stood in alphabetical or numerical order while their plain equivalents were disarranged.” When Rossignol died in 1682, his son, and later his grandson,
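The changing key cipher of Figure 8 and Bellaso's keyword rule, worked through in Python as an added example (not part of the course material). The mixed alphabet is the T0 row of Figure 8; the keyword handling follows the description above (the keyword restarts at each word), and the messages are constructed for the demonstration:

```python
# Added example, not part of the course material: the changing-key cipher of
# Figure 8 (a Trithemius table built on a mixed alphabet) and Bellaso's keyword
# selection of table rows. The mixed alphabet is the one in Figure 8; the
# messages are constructed for the demonstration.
import string

ALPHABET = string.ascii_uppercase
MIXED = "FGUQHXSZACNDMRTVWEJBLIKPYO"   # row T0 of Figure 8


def tabula_row(base, t):
    """Row T_t of the table: the base row rotated right by t places, so each
    row is the one above it shifted over one letter (T1 = OFGUQ..., T25 = GUQH...F).
    Row T26 is T0 again, which is why the key repeats every 26 letters."""
    t %= len(base)
    return base[-t:] + base[:-t]


def row_starting_with(base, letter):
    """The table row whose first letter is 'letter' (Bellaso's rule)."""
    j = base.index(letter)
    return base[j:] + base[:j]


def changing_key_encrypt(plaintext, base=MIXED):
    """Trithemius' progressive cipher: plaintext letter number i is enciphered
    with row T_i, so a repeated plaintext letter gets different ciphertext
    letters at successive steps. Non-letters are dropped."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    return "".join(tabula_row(base, i)[ALPHABET.index(c)]
                   for i, c in enumerate(letters))


def changing_key_decrypt(ciphertext, base=MIXED):
    """Invert step i by looking the ciphertext letter up in row T_i."""
    return "".join(ALPHABET[tabula_row(base, i).index(c)]
                   for i, c in enumerate(ciphertext))


def bellaso_encrypt(plaintext, keyword, base=ALPHABET):
    """Bellaso (1553): the keyword letter written above a plaintext letter
    selects the row beginning with that keyword letter; as the text describes,
    the keyword restarts at the beginning of each plaintext word. With the
    plain alphabet as base this is the Vigenere cipher."""
    keyword = keyword.upper()
    words = []
    for word in plaintext.upper().split():
        rows = (row_starting_with(base, keyword[i % len(keyword)])
                for i in range(len(word)))
        words.append("".join(row[ALPHABET.index(c)] for row, c in zip(rows, word)))
    return " ".join(words)


def bellaso_decrypt(ciphertext, keyword, base=ALPHABET):
    """Same row selection; the plaintext letter is the position of the
    ciphertext letter within the selected row."""
    keyword = keyword.upper()
    words = []
    for word in ciphertext.upper().split():
        rows = (row_starting_with(base, keyword[i % len(keyword)])
                for i in range(len(word)))
        words.append("".join(ALPHABET[row.index(c)] for row, c in zip(rows, word)))
    return " ".join(words)


if __name__ == "__main__":
    print(changing_key_encrypt("AAAA"))               # FOYP: column A of T0..T3
    print(bellaso_encrypt("LES ITALIENS", "BELASO"))  # MID JXLLASOW
```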
continued his work. By this time, there were many cryptographers employed by the French government. Together, they formed the “Cabinet Noir” (the “Black Chamber”). By the 1700s, “Black Chambers” were common in Europe, one of the most renowned being that in Vienna. It was called 'The Geheime Kabinets-Kanzlei' and was directed by Baron Ignaz de Koch between 1749 and 1763. This organization read through all the mail coming to foreign embassies, copied the letters, resealed them, and returned them to the post office the same morning. The same office also handled all other political or military interceptions, and would sometimes read as many as 100 letters a day.

The English Black Chamber was formed by John Wallis in 1701. Until that time, he had been solving ciphers for the government in a variety of unofficial positions. After his death in 1703, his grandson, William Blencowe, who was taught by his grandfather, took over his position and was granted the title of Decypherer. The English Black Chamber had a long history of victories in the cryptographic world.

In the colonies, there was no centralized cryptographic organization. Decryption was done predominantly by interested individuals and men of the cloth. In 1775, a letter intercepted from Dr. Benjamin Church was suspected to be a coded message to the British, yet the American revolutionaries could not decipher it. Their problem was solved by Elbridge Gerry, who later became the fifth Vice-President, and Elisha Porter. The message proved Church guilty of trying to inform the Tories, and he was later exiled.

Benedict Arnold used a code wherein each correspondent has an exact copy of the same 'codebook'. Each word of plaintext is replaced by a number indicating its position in the book (e.g. 3.5.2 means page 3, line 5, word 2). Arnold's correspondent was caught and hanged, so the codebook wasn't used very much.
The revolutionaries also employed ciphers during the war. Samuel Woodhull and Robert Townsend supplied General George Washington with much information about British troop strength and movements in and around New York City. The code they used consisted of numbers which replaced plaintext words. Major Benjamin Tallmadge wrote this code. For further assurance, they also used invisible ink.

The father of American cryptology is James Lovell. He was loyal to the colonies, and solved many British ciphers, some of which led to Revolutionary victories. In fact, one of the messages that he deciphered set the stage for the final victory of the war.

Former Vice-President Aaron Burr and his assistant General James Wilkinson were exploring the Southwest for possible colonization at the expense of Spain, and there was some confusion as to whether this colony would belong to the United States or to Aaron Burr. Wilkinson was a Spanish agent, and changed one of Burr's encrypted letters home to make it appear as if Burr's intentions were to carve out his own country. This letter fell into the hands of President Thomas Jefferson. Burr was tried and acquitted, but his name was tainted forever.

The 'wheel cipher' was invented by Thomas Jefferson around 1795, and although he never did very much with it, a very similar system was still in use by the US Navy only a few years ago. The wheel cipher consisted of a set of wheels, each with a random ordering of the letters of the alphabet. The key to the system is the order in which the wheels are placed on an axle. The message is encoded by aligning the letters along the rotational axis of the axle such that the desired message is formed. Any other row of aligned letters can then be used as the ciphertext for
transmission. Decryption requires the recipient to align the letters of the ciphertext along the rotational axis and find a set of aligned letters that makes linguistic sense as plaintext. This will be the message. There is a very small probability that there will be two sensible messages from the decryption process, but this can be checked simply by the originator. Without knowing the orderings of symbols on the wheels and the ordering of wheels on the axle, any plaintext of the appropriate length is possible, and thus the system is quite secure for one-time use. Statistical attacks are feasible if the same wheels are used in the same order many times.

Wheel 1  GJTXUVWCHYIZKLNMARBFDOESQP
Wheel 2  IKMNQLPBYFCWEDXGZAJHURSTOV
Wheel 3  HJLIKNXWCGBDSRVUEOFYPAMQZT
...
Wheel n  BDFONGHJIKLSTVUWMYEPRQXZAC

Figure 10: A “Wheel” cipher

In 1817, Colonel Decius Wadsworth developed a set of two disks, one inside the other, where the outer disk had the 26 letters of the alphabet and the numbers 2-8, and the inner disk had only the 26 letters. The disks were geared together at a ratio of 26:33. To encipher a message, the inner disk is turned until the desired letter is at the top position, with the number of turns required for this result transmitted as ciphertext. Because of the gearing, a ciphertext substitution for a character will not repeat itself until all 33 characters for that plaintext letter have been used. Unfortunately, Wadsworth never got credit for his design, because Charles Wheatstone invented an almost identical machine a few years after Wadsworth, and got all the credit.

In 1844, the development of cryptography was dramatically altered by the invention of the telegraph. Communication with the telegraph was by no means secure, so ciphers were needed to transmit secret information. The public's interest in cryptography blossomed, and many individuals attempted to formulate their own cipher systems. The advent of the telegraph provided the first instance where a base commander could be in instant communication with his field commanders during battle. Thus, a field cipher was needed. At first, the military used a Vigenère cipher with a short repeating keyword, but in 1863 a solution was discovered by Friedrich W. Kasiski for all periodic polyalphabetic ciphers, which until this time were considered unbreakable. So the military had to search for a new cipher to replace the Vigenère.

The Black Chambers of Europe continued to operate and were successful in solving most American ciphers, but without a war underway their usefulness was diminished, and by 1850 they were dissolved.
  15. 15. Unit 1 : Cryptography Basics Cryptography in History The 'Playfair' system was invented by Charles Wheatstone and Lyon Playfair in 1854, and was the first system that used pairs of symbols for encryption. The alphabet is laid out in a random 5 x 5 square, and the text is divided into adjacent pairs. The two letters of the pair are located, and a rectangle is formed with the two letters at opposite corners. The letters at the other two corners are the two letters of ciphertext. This is very simple to use, but is not extremely difficult to break. The real breakthrough in this system was the use of two letters at a time. The effect is to make the statistics of the language less pronounced, and therefore to increase the amount of work and the amount of ciphertext required to determine a solution. This system was still in limited use in World War 2, and was very effective against the Japanese. I K M N Q L P B Y F C W E D X G Z A H U R S T O V Plaintext: PL AI NT EX TZ Ciphertext: LP MG MO XE AS In 1859, Pliny Earle Chase, developed what is known as the fractionating or tomographic cipher. A two digit number was assigned to each character of plaintext by means of a table. These numbers were written so that the first numbers formed a row on top of the second numbers. The bottom row was multiplied by nine, and the corresponding pairs are put back in the table to form the ciphertext. Kasiski developed a cryptanalysis method in 1863, which broke almost every existing cipher of that time. The method was to find repetitions of strings of characters in the ciphertext. The distance between these repetitions is then used to find the length of the key. Since repetitions of identically ciphered identical plaintext occur at distances that are a multiple of the key length, finding greatest common divisors of repetition distances will lead to the key length. 
Once the key length (N) is known, we use statistics on every Nth character, and the frequency of use implies which character it represents in that set of ciphertext symbols. These repetitions sometimes occur by pure chance, and it sometimes takes several tries to find the true length of the key using this method, but it is considerably more effective than previous techniques. This technique makes cryptanalysis of polyalphabetic substitution ciphers quite straightforward.

During the Civil War (1861-1865), ciphers were not very complex. Many techniques consisted merely of writing words in a different order and substituting code words for proper names and locations. Where the Union had centralized cipher control, the Confederacy tended to let field commanders decide their own forms of ciphers. The Vigenere system was widely used by field commanders, and sometimes led to the Union deciphering messages faster than their Confederate recipients. The Confederacy used three keywords for most of its messages during the War: "Manchester Bluff", "Complete Victory", and "Come Retribution". They were quickly discovered by three Union cryptanalysts, Tinker, Chandler, and Bates, and messages encoded using them were regularly deciphered by the Union. The use of common words as keys to cryptosystems has caused many plaintext messages to be discovered. In fact, the use of common words for passwords is the most common entry point in modern computer system attacks.
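The Kasiski examination just described, as an added example (not part of the original training text): repetition distances vote for the key length, then every Nth ciphertext character is analysed by letter frequency. The plaintext, the keyword and the English frequency table are constructed for the demonstration.

```python
"""Kasiski examination of a Vigenere ciphertext.

Added example for this training unit; it is not part of the original text.
The plaintext and keyword below are constructed for the demonstration.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate letter frequencies of English text, in percent, A..Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere cipher: shift each letter by the key letter at the same phase."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def repetition_distances(ciphertext: str, length: int = 3) -> List[int]:
    """Distances between repeated ciphertext substrings (Kasiski's observation).

    Identical plaintext enciphered at the same key phase gives identical
    ciphertext, so most of these distances are multiples of the key length.
    """
    positions: Dict[str, List[int]] = {}
    for i in range(len(ciphertext) - length + 1):
        positions.setdefault(ciphertext[i:i + length], []).append(i)
    return [b - a for pos in positions.values() for a, b in combinations(pos, 2)]


def kasiski_key_length(ciphertext: str, max_len: int = 20) -> int:
    """Estimate the key length from the divisors of the repetition distances.

    Some repetitions occur by chance, so instead of a single GCD over all
    distances, each distance votes for every candidate period dividing it.
    The true period divides every genuine repetition distance, while its
    multiples only divide a fraction of them, so it collects the most votes.
    """
    votes: Counter = Counter()
    for d in repetition_distances(ciphertext):
        for n in range(2, max_len + 1):
            if d % n == 0:
                votes[n] += 1
    return votes.most_common(1)[0][0]


def best_shift(column: str) -> int:
    """Shift under which the column's letter histogram is closest to English.

    Chi-squared distance against ENGLISH_FREQ: this is the 'statistics on
    every Nth character' step of the text.
    """
    best, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(ALPHABET[(ALPHABET.index(c) - shift) % 26] for c in column)
        score = 0.0
        for i, letter in enumerate(ALPHABET):
            expected = ENGLISH_FREQ[i] * len(column) / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best, best_score = shift, score
    return best


def recover_key(ciphertext: str) -> str:
    """Kasiski key length, then one frequency analysis per key position."""
    n = kasiski_key_length(ciphertext)
    return "".join(ALPHABET[best_shift(ciphertext[i::n])] for i in range(n))


# Constructed sample: a field message enciphered with a short repeating keyword.
RAW = ("THE FIELD COMMANDER MUST CHANGE THE KEY BEFORE EVERY BATTLE BECAUSE THE ENEMY "
       "READS EVERY TELEGRAPH LINE AND THE ENEMY KNOWS THAT A SHORT REPEATING KEYWORD "
       "LEAVES THE SAME PATTERN IN THE CIPHERTEXT WHENEVER THE SAME WORD IS ENCRYPTED "
       "AT THE SAME POSITION OF THE KEYWORD SO THE SAME PLAINTEXT BECOMES THE SAME "
       "CIPHERTEXT AND THE DISTANCE BETWEEN THE REPEATED GROUPS IS A MULTIPLE OF THE "
       "KEY LENGTH")
PLAINTEXT = "".join(c for c in RAW if c.isalpha())
KEY = "KEY"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("estimated key length:", kasiski_key_length(CIPHERTEXT))
    print("recovered key:", recover_key(CIPHERTEXT))
```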
In 1883, Auguste Kerckhoffs wrote 'La Cryptographie Militaire', in which he set forth six basic requirements of cryptography. We note that the easily remembered key is very amenable to attack, and that these rules, as all others, should be questioned before placing trust in them.

1. Ciphertext should be unbreakable.
2. The cryptosystem should be convenient for the correspondents.
3. The key should be easily remembered and changeable.
4. The ciphertext should be transmissible by telegraph.
5. The cipher apparatus should be easily portable.
6. The cipher machine should be relatively easy to use.

In the beginning of the 20th century, war was becoming likely in Europe. England spent a substantial effort improving its cryptanalytic capabilities so that when the war started, they were able to solve most enemy ciphers. The cryptanalysis group was called 'Room 40' because of its initial location in a particular building in London. Their greatest achievements were in solving German naval ciphers. These solutions were greatly simplified because the Germans often used political or nationalistic words as keys, changed keys at regular intervals, gave away intelligence indicators when keys were changed, etc.

Just as the telegraph changed cryptography in 1844, the radio changed cryptography in 1895. Now transmissions were open for anyone's inspection, and physical security was no longer possible. The French had many radio stations by WW1 and intercepted most German radio transmissions. The Germans used a double columnar transposition that they called 'Ubchi', which was easily broken by French cryptanalysts.

In 1917, the Americans formed the cryptographic organization MI-8. Its director was Herbert Osborne Yardley. They analyzed all types of secret messages, including secret inks, encryption, and codes.
They continued with much success during and after WW1, but in 1929, Herbert Hoover decided to close them down because he thought it was improper to "read others' mail". Yardley was hard pressed to find work during the depression, so to feed his family, he wrote a book describing the workings of MI-8. It was titled "The American Black Chamber", and became a best seller. Many criticized him for divulging secrets and glorifying his own actions during the War.

Another American, William Frederick Friedman, worked with his wife, Elizabeth Smith, to become "the most famous husband-and-wife team in the history of cryptology". He developed new ways to solve Vigenere-like ciphers using a method of frequency counts and superimposition to determine the key and plaintext.

Up to 1917, transmissions sent over telegraph wires were encoded in Baudot code for use with teletypes. The American Telephone and Telegraph company was very concerned with how easily these could be read, so Gilbert S. Vernam developed a system which added together the plaintext electronic pulses with a key to produce ciphertext pulses. It was difficult to use at times, because keys were cumbersome. Vernam developed a machine to encipher messages, but the system was never widely used.

The use of cryptographic machines dramatically changed the nature of cryptography and cryptanalysis. Cryptography became intimately related to machine design, and security personnel became involved with the protection of these machines. The basic systems remained the same, but the method of encryption became reliable and electromechanical.
In 1929, Lester S. Hill published an article, "Cryptography in an Algebraic Alphabet", in "The American Mathematical Monthly". Each plaintext letter was given a numerical value. He then used polynomial equations to encipher plaintext, with values over 25 reduced modulo 26. To simplify equations, Hill transformed them into matrices, which are more easily multiplied. This method eliminates almost all ciphertext repetitions, and is not broken with a normal frequency analysis attack. It has been found that if a cryptanalyst has two different ciphertexts from the same plaintext, and if they use different equations of the same type, the equations can be solved, and the system is thus broken. To counter charges that his system was too complicated for day-to-day use, Hill constructed a cipher machine for his system using a series of geared wheels connected together. One problem was that the machine could only handle a limited number of keys, and even with the machine, the system saw only limited use in the encipherment of government radio call signs. Hill's major contribution was the use of mathematics to design and analyze cryptosystems.

The next major advance in electromechanical cryptography was the invention of the rotor. The rotor is a thick disk with two faces, each with 26 brass contacts separated by insulating material. Each contact on the input (plaintext) face is connected by a wire to a random contact on the output (ciphertext) face. Each contact is assigned a letter. An electrical impulse applied to a contact on the input face will result in a different letter being output from the ciphertext face. The simple rotor thus implements a monoalphabetic substitution cipher. This rotor is set in a device which takes plaintext input from a typewriter keyboard and sends the corresponding electrical impulse into the plaintext face.
The ciphertext is generated from the rotor and printed and/or transmitted. The next step separates the rotor from previous systems. After each letter, the rotor is turned so that the entire alphabet is shifted one letter over. The rotor is thus a "progressive key polyalphabetic substitution cipher with a mixed alphabet and a period of 26". A second rotor is then added, which shifts its position one spot when the first rotor has completed each rotation. Each electrical impulse is driven through both rotors so that it is encrypted twice. Since both rotors move, the alphabet now has a period of 676. As more rotors are added, the period increases dramatically. With 3 rotors, the period is 17,576, with 4 it is 456,976, and with 5 it is 11,881,376. In order for a 5-rotor cipher to be broken with frequency analysis, the ciphertext must be extremely long.

The rotor system can be broken because, if a repetition is found in the first 26 letters, the cryptanalyst knows that only the first rotor has moved, and that the connections are changed only by that movement. Each successive set of 26 letters has this property, and using equations, the cryptanalyst can completely determine this rotor, hence eliminating one rotor from the whole problem. This can be repeated for each successive rotor as the previous rotor becomes known, with the additional advantage that the periods become longer, and thus they are guaranteed to have many repetitions. This is quite complex to do by hand.

The first rotor machine was invented by Edward Hugh Hebern in 1918, and he instantly realized what a success it could be. He founded a company called Hebern Electric Code, which he promised would be a great financial success. The company died in a bitter struggle, the Government bought some of his machines, and he continued to produce them on his own, but never with great success.
During Prohibition, alcohol was transported into the country by illegal smugglers (i.e. rum runners) who used coded radio communication to control illegal traffic and help avoid Coast Guard patrols. In order to keep the Coast Guard in the dark, the smugglers used an intricate system of codes and ciphers. The Coast Guard hired Mrs. Elizabeth Smith Friedman to decipher these codes, and thus forced the rum runners to use more complex codes, and to change their keys more often. She succeeded in sending many rum runners to jail.

During WW2, the neutral country Sweden had one of the most effective cryptanalysis departments in the world. It was formed in 1936, and by the time the war started, employed 22 people. The department was divided into groups, each concerned with a specific language. The Swedes were very effective in interpreting the messages of all the warring nations. They were helped, however, by bungling cryptographers. Often the messages that were received were haphazardly enciphered, or even not enciphered at all. The Swedes even solved a German cipher that was implemented on a Siemens machine similar to a Baudot machine used to encipher wired messages.

During WW2, the Americans had great success at breaking Japanese codes, while the Japanese, unable to break US codes, assumed that their codes were also unbreakable. Cryptanalysis was used to thwart the Japanese attack on Midway, a decisive battle in the South Pacific. The US had been regularly reading Japanese codes before the attack on Pearl Harbor, and knew of the declaration of war that was presented to the President just after the attack on Pearl Harbor, several hours before the Japanese embassy in Washington had decoded it.

German codes in WW2 were predominantly based on the 'Enigma' machine, which is an extension of the electromechanical rotor machine discussed above.
A British cryptanalysis group, in conjunction with an escaped group of Polish cryptanalysts, first broke the Enigma early in WW2, and some of the first uses of computers were for decoding Enigma ciphers intercepted from the Germans. The fact that these codes were broken was of such extreme sensitivity that advance knowledge of bombing raids on England was not used to prepare for the raids. Instead, much credit was given to radar, and air raid warnings were given very shortly before the bombers arrived.

In 1948, Shannon published "A Communications Theory of Secrecy Systems". Shannon was one of the first modern cryptographers to apply advanced mathematical techniques to the science of ciphers. Although the use of frequency analysis for solving substitution ciphers was begun many years earlier, Shannon's analysis demonstrates several important features of the statistical nature of language that make the solution to nearly all previous ciphers very straightforward. Perhaps the most important result of Shannon's famous paper is the development of a measure of cryptographic strength called the 'unicity distance'. The unicity distance is a number that indicates the quantity of ciphertext required in order to uniquely determine the plaintext of a message. It is a function of the length of the key used to encipher the message and the statistical nature of the plaintext language. Given enough time, any cipher is guaranteed to be breakable once the available ciphertext reaches the unicity distance. Shannon noted that in a system with an infinite length random key, the unicity distance is infinite, and that for any alphabetic substitution cipher with a random key of length greater than or equal to the length of the message, plaintext cannot be derived from ciphertext alone. This type of cipher is called a "one-time pad", because of the use of pads of paper to implement it in WW2 and before.
The story of cryptography would be finished if it weren't for the practical problem that, in order to send a secret message, an equal amount of secret key must first be sent. This problem is not severe in some cases, and it is apparently used on the hot line between Moscow and Washington, but it is not the ultimate solution for many practical situations. For most human (and computer) languages, a key of given length can only be guaranteed safe for 2-3 times the length of the key. From this analysis, it appears that any system with a finite key is doomed to fail, but several issues remain to be resolved before all hope of a finite key cryptography is abandoned.
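Shannon's unicity distance from the preceding pages, worked through as an added derivation (not a quotation from the training text). Symbols: $H(K)$ is the entropy of the key in bits, $D$ the redundancy of the plaintext language in bits per character, $r$ the information rate of the language; the English figures are the usual approximations.

```latex
U = \frac{H(K)}{D}, \qquad
D = \log_2 26 - r \approx 4.7 - 1.5 = 3.2 \ \text{bits per character (English)}

\text{Simple substitution (key = a permutation of the alphabet):}\quad
H(K) = \log_2 26! \approx 88.4 \ \text{bits}
\;\Rightarrow\;
U \approx \frac{88.4}{3.2} \approx 28 \ \text{characters}

\text{Random key of } n \text{ letters (Vigenere-style):}\quad
H(K) = n \log_2 26 \approx 4.7\,n
\;\Rightarrow\;
U \approx \frac{4.7}{3.2}\, n \approx 1.5\,n

\text{One-time pad (key length } n \ge \text{message length):}\quad
U \approx 1.5\,n > n
\;\Rightarrow\;
\text{the ciphertext never determines a unique plaintext}
```

The multiple of $n$ in the random-key case depends on the redundancy estimate used for $D$; smaller estimates of $D$ give the "2-3 times the key length" figure quoted above, and in every case the one-time pad stays beyond its unicity distance.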
1.5. CRYPTANALYSIS

As stated earlier, the strength of a cryptosystem lies in the key and whether or not the algorithm has stood the test of time in a public forum. There are two terms used to describe the degree of difficulty, sometimes called computational difficulty, associated with breaking a particular cryptosystem:

Computationally secure: With a cryptosystem that is said to be computationally secure, it is understood that given enough computing power and disk storage space the system could eventually be broken. However, unless the cryptosystem is flawed in some fundamental way, the amount of time and computing power necessary to break the system would either be too costly or unreasonable. For example, given today’s technology, it would take an amount of time approximately equal to the age of the universe to break the cryptosystem!

Unconditionally secure: A cryptosystem that can never be broken even if an infinite amount of resources were dedicated to the effort is said to be unconditionally secure.

By making the code of a cryptographic system available to the world, cryptographers have the opportunity to do what they can to break a cryptosystem. Often, cryptographers will have a high degree of computing power at their disposal: much more so than the average individual. This is what is known as cryptanalysis. In this field, a cryptanalyst deploys a variety of tools and methods to break a cryptosystem; however, it does not necessarily mean that the entire algorithm has been compromised. In fact, there are different levels of weaknesses one can discover in a cryptosystem:

Information deduction: This is the lowest level weakness, in which the cryptanalyst is able to discover portions of the key or some information about the plaintext from the ciphertext.

Instance deduction: The cryptanalyst is able to find the plaintext of a given intercepted cipher.
Global deduction: The cryptanalyst devises an algorithm that can decrypt the ciphertext created from another algorithm.

Total break: The cryptanalyst can recover the key and decrypt any encrypted message.
There are a variety of methods one can use to break a cipher. The easiest way is to obtain the key either through social engineering, chance or some form of coercion. These, however, are not cryptanalytic techniques:

Ciphertext only: In this scenario, the cryptanalyst only has ciphertext to work with. If this is the case, one approach may be to use a brute-force attack in which the cryptanalyst attempts to try all possible combinations of keys. If the key is based on a pass phrase, often the cryptanalyst can engage a dictionary attack in which he tries common words and combinations.

Chosen ciphertext: The cryptanalyst chooses the ciphertext and attempts to obtain the corresponding plaintext.

Adaptive chosen ciphertext: This is a variation of the attack outlined above in which the cryptanalyst has free use of decryption hardware, but is unable to extract the encryption key from it.

Known plaintext: The cryptanalyst may have the benefit of obtaining plaintext that corresponds to some ciphertext. With these two elements, the cryptanalyst may be able to derive the key with which to decipher any text encrypted with that key.

Chosen plaintext: A variant of the known plaintext attack in which the cryptanalyst can select the plaintext to use for the analysis and then obtain the corresponding ciphertext.

Adaptive chosen plaintext: A variation of the chosen plaintext attack in which the cryptanalyst can dynamically choose the plaintext samples. Then, he can change his selection based on the results of previous encryptions.

Biological attacks: This type of attack gets its name because the technique used to break the cryptosystem resembles methods used in biology to study organisms rather than the mathematically based techniques described above. Biological techniques subject the cryptosystem to different stimuli to see how it reacts, studying its inputs and outputs.
An example would be some work done by Paul Kocher of Cryptography Research in which he was able to extract various secrets from smart cards by monitoring their power consumption. Specific information on these techniques can be found at

Cryptanalytic attacks can be mounted against any cryptographic system, including encryption algorithms, digital signature algorithms and message authentication code (MAC) algorithms, to name a few.
1.6. AES (ADVANCED ENCRYPTION STANDARD)

1.6.1. Overview of the AES Development Effort

The National Institute of Standards and Technology (NIST) has been working with industry and the cryptographic community to develop an Advanced Encryption Standard (AES). The overall aim is to develop a Federal Information Processing Standard (FIPS) that specifies an encryption algorithm(s) capable of protecting sensitive government information well into the next century. The algorithm(s) is expected to be used by the U.S. Government and, on a voluntary basis, by the private sector.

On January 2, 1997, NIST announced the initiation of the AES development effort. They made a formal call for algorithms on September 12, 1997. The call stipulated that the AES would specify an unclassified, publicly disclosed encryption algorithm(s), available royalty-free, worldwide. In addition, the algorithm(s) must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192 and 256 bits.

On August 20th 1998, NIST announced a group of fifteen AES algorithm candidates at the First AES Candidate Conference (AES1). Members of the cryptographic community from all over the world had submitted these algorithms. At that conference and in a simultaneously published Federal Register notice, NIST solicited public comments on the candidates. A Second AES Candidate Conference (AES2) was held in March 1999, to discuss the results of the analysis conducted by the global cryptographic community on the algorithm candidates. The public comment period on the initial algorithm review closed on April 15th 1999. Using the analyses and comments received, NIST selected five algorithms out of the fifteen. The AES finalist algorithm candidates are MARS, RC6, Rijndael, Serpent, and Twofish. NIST has developed a Round 1 Report describing the selection of the finalists.
These algorithm finalists will receive further analysis during a second, more detailed review period, before the selection of the final algorithm(s) for the AES FIPS. NIST solicits comments on the remaining algorithms until May 15th, 2000. Comments and analysis are actively sought by NIST on any aspect of the candidate algorithms including (but not limited to) the following topics: cryptanalysis, intellectual property, crosscutting analyses of all the AES finalists, overall recommendations and implementation issues. An informal AES discussion forum is also provided by NIST for interested parties to discuss the AES finalists and relevant AES issues.

Near the end of Round 2, NIST will sponsor the Third AES Candidate Conference (AES3), which is an open, public forum for discussing the analyses of the AES finalists. Submitters of the AES finalists will be invited to attend the discussions and make comments on their algorithms. AES3 will be held April 13th-14th, 2000 in New York, NY, USA. Proposed papers for this conference are due to NIST by January 15th, 2000 and they will also be considered as Round 2 public comments.

After the closing of the Round 2 public analysis period on May 15th, 2000, NIST intends to study all available information and propose the AES, which will incorporate one or more AES algorithms selected from the finalists. The AES will be announced as a proposed Federal Information Processing Standard (FIPS), which will be published for public review and comments. Following the comment period, the standard will be revised, as appropriate, by NIST in response to those comments. A review, an approval and a promulgation process will also follow. If all steps of the AES development process proceed as planned, it is scheduled that the standard will be completed by the summer of 2001.

1.6.2. Minimum Acceptability Requirements

1. The algorithm must implement symmetric (secret) key cryptography.
2. The algorithm must be a block cipher.
3. The algorithm candidates shall be capable of supporting key-block combinations with sizes of 128-128, 192-128, and 256-128 bits. A submitted algorithm may support other key-block sizes and combinations, and such features will be taken into consideration during analysis and evaluation.

1.6.3. AES Round 2 Finalists

Mars – IBM Research

MARS is a shared-key (symmetric) block cipher, supporting 128-bit blocks and a variable key size. It is designed to take advantage of the powerful operations supported in today's computers, resulting in a much improved security/performance trade-off over existing ciphers. As a result, MARS offers better security than triple DES while running significantly faster than single DES. The current C implementation runs at rates of about 65 Mbit/sec on a 200 MHz Pentium Pro, and 85 Mbit/sec on a 200 MHz PowerPC. In hardware, MARS can achieve a 10X speedup factor. Moreover, both hardware and software MARS implementations are remarkably compact and fit easily on a smart card and in other limited-resource environments. The combination of high security, high speed and flexibility makes MARS an excellent choice for the encryption needs of this century’s world information.

Twofish – Counterpane, Bruce Schneier

Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits.
The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1820 clock cycles per byte. Twofish can be implemented in 14,000 gates of hardware. The design of the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count and memory. We have extensively cryptanalyzed Twofish: our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.

RC6 - RSA Laboratories

Like all AES ciphers, RC6 works on 128-bit blocks. It can accept variable-length keys and is very similar to RC5, incorporating the results of various studies on RC5 to improve the algorithm. The studies of RC5 found that not all bits of data are used to determine the rotation amount (rotation is used extensively in RC5). RC6, however, uses multiplication to determine the rotation amount and all bits of input data to determine the rotation amount, strengthening the avalanche effect.
Serpent - Ross Anderson, Eli Biham, Lars Knudsen

Serpent is an AES submission by Ross Anderson, Eli Biham, and Lars Knudsen. Its authors combined the design principles of DES with the recent development of bitslicing techniques to create a very secure and very fast algorithm. While bitslicing is generally used to encrypt multiple blocks in parallel, the designers of Serpent have embraced the technique of bitslicing, incorporating it into the design of the algorithm itself. Serpent uses 128-bit blocks and 256-bit keys. Like DES, Serpent includes both an initial and a final permutation of no cryptographic significance; these permutations are used to optimize the data before encryption. Serpent was released at the 5th International Workshop on Fast Software Encryption. This iteration of Serpent was called Serpent 0 and used the original DES S-boxes. After comments, the key schedule and the S-boxes were changed slightly. This new iteration of Serpent is called Serpent 1 and resists both linear and differential attacks.

Rijndael - Joan Daemen, Vincent Rijmen

The cipher has a variable block and key length. The authors have demonstrated how to extend the block and key lengths by multiples of 32 bits. The SQUARE algorithm influenced the design of Rijndael. The authors provide a Rijndael specification and a more theoretical paper on their design principles. The authors have vowed to never patent Rijndael.
1.7. SMART CARDS

1.7.1. Introduction

Security issues around network (Internet) connected personal computers are heavily debated today. One of the most discussed issues is whether someone can access your stored data or read and alter information you type prior to sending it over the network. If you want to do business over the Internet there are three major security services that have to be in place:

1. Authentication
2. Confidentiality
3. Non-repudiation

PKI can offer those security services and seems to be the solution. PKI systems build on the uniqueness and protection of the user’s private keys. The private key should never be exposed to anyone, not even necessarily to the owner/user. Where would you trust storing the keys you use to identify yourself and sign documents, agreements, orders, etc. over the Internet? As you would have guessed, the answer to this question is: within a Smart Card.

1.7.2. What kinds of Smart Cards are available?

There are a number of smart cards on the market today, but not all of them are viable for e-commerce solutions requiring non-repudiation and remote authentication. Smart cards consist of a chip (processor and/or memory), a contact plate (generally the visual recognition point of a smart card) and a piece of plastic (ISO 7810 - 54x85x0.8 mm). Processor chips require operating software (generally named a mask). Although the chip may be the same, smart cards may be assembled and equipped by different companies providing unique operating services. Widely known producers of smart cards are, to mention a few, Gemplus, Schlumberger, Oberthur, Siemens, Giesecke & Devrient, Setec and Bull. They all provide smart cards for a broad application range. The combination of built-in chip functionality and an operating system on the chip (the mask) supporting this functionality is essential in producing smart card security.
Basically all categories of cards described below offer some kind of write protection, but not all of them offer read protection. What is more important, some cards cannot perform the processing of the data (the key) entirely and securely inside the chip. It should never be possible to copy "your signature". Thus, techniques where signature keys are transported, even if encrypted, from the card are simply not good enough. Therefore, in order to provide for non-repudiation services there is an obvious need to have a secure signature process inside the smart card chip.
Smart cards can be divided into three prime categories:

1. Memory Cards
2. Symmetric Cryptoprocessor Cards
3. PKI smart cards (our name for asymmetric cryptoprocessor cards)

1.7.3. Symmetric / Asymmetric Cryptoprocessing

The reason for dividing Cryptoprocessor Cards into a symmetric and an asymmetric part (PKI smart card) is simply because these processes are different when it comes to authentication and non-repudiation. The processor on the chip providing symmetric encryption could possibly be equipped with software (mask) enabling asymmetric encryption. Nevertheless, existing asymmetric cryptoprocessor cards are dedicated to performing the cryptographic process (commonly RSA) as fast as possible.

1.7.4. Smart Cards with different “flavor”

Remember that not all smart cards are alike; they come in different “flavors”. Many cards cannot provide support for the RSA algorithm within the card processor. And even if they do support RSA, they may not be optimised to handle this process very efficiently. Far too often there are solutions in place where the smart card is nothing but a storage medium for the keys. This document will describe various types of smart cards and where they typically apply.

1.7.5. Memory Cards

Access Control

Plain memory cards may provide access restrictions through one or several Personal Identification Numbers (PINs). However, memory cards may not protect the contents of the stored information file from disclosure. A memory card can be compared to a floppy disc, although providing less storage capacity. On the other hand, the card reader device is less complex and less expensive compared to a floppy disc reader, thus enabling a better commercial ground for deployment in environments where a floppy disc reader may not be present.

Processing

Memory smart cards should probably not even be categorized as smart cards. Their processing power is restricted to performing storage operations, but little else.
Once a user/owner of a PIN-protected file in a plain memory card has been granted read access, he/she can freely retrieve the contents of the file. Hence, the actual file contents may be copied from the smart card. These cards exist with various amounts of memory and can be used in applications requiring no or limited read protection. They may for instance be useful for storing medical information necessary for emergency actions, such as your name and blood type. They may provide write protection, which enables them to be useful in other applications where adding or modifying data on the card should be restricted. However, such protection generally requires more than just a PIN code, thus the commercial use is limited.

Conclusion

Memory cards cannot provide a secure non-repudiation service, and are hence not very suitable for e-commerce.
1.7.6. Symmetric Cryptoprocessor Cards

Access Control

Symmetric cryptoprocessor smart cards may offer a sophisticated access structure. Files may be readable but not writeable, or vice versa; where a file is writeable but not readable from outside, its contents are still accessible to the card itself. Files may be protected by one or several passwords (PINs) and are not accessible without entering the correct PIN. The PIN file itself is only writeable (so that you can change your password) and is accessible only within the card (so that the card can verify the PIN you enter).

Processing

By using encryption it is possible to transfer information between two parties without disclosing the contents to a "third person". This is quite useful for applications such as an electronic smart card purse or in connection with GSM cards. It is not only possible to have "files" write protected: with the encryption process it is possible to ensure that only an authorised party can alter information successfully. Symmetric encryption is fast, by a broad margin faster than asymmetric encryption.

Conclusion

Although symmetric encryption is fast, it has a few drawbacks. First, key management is virtually impossible on a large-scale public basis, mainly because of the difficulty of deploying and maintaining trust when every pair of parties must share a secret; secondly, it cannot provide non-repudiation services, since any party holding the shared key could have produced a given ciphertext or MAC.

1.7.7. PKI Smart Cards

Access Control

The basic difference between PKI smart cards and symmetric cryptoprocessor smart cards is that the former perform the RSA private-key operation securely on board the chip. From an access-control point of view they are equal; what differs is the processing of RSA. In fact, a PKI smart card is likely to offer symmetric as well as asymmetric encryption functionality. Files may be readable but not writeable or vice versa, and accessible only within the card, as described earlier. Files may be protected by one or several passwords (PINs) and are not accessible without entering the correct PIN. This is also a necessity for the private key file.

Processing

PKI smart cards enable secure remote authentication and non-repudiation services through the use of the RSA algorithm. PKI smart cards use a cryptoprocessor that handles asymmetric encryption. The general benefits of smart cards, i.e. ease of use and fairly low-cost equipment, apply to all cards including PKI smart cards. What makes PKI smart cards additionally beneficial compared to symmetric encryption cards is that they provide a scalable solution and, not to be forgotten, a secure authentication and non-repudiation service. The scalability advantage comes from the split into a public and a private part of the key: only the public part has to be distributed, which makes deployment and maintenance much easier from a security perspective than with symmetric keys.
Also consider the effect of having only the RSA cryptoprocessor able to use your private information: the private key cannot be copied, because it never leaves the card. The PKI card offers a completely different level of security compared to storing private information on a floppy disc, on a hard disc or even on a less protected smart card. It is the card's operating system that prevents the keys from being exposed outside the card. They can thus not be read, removed or tampered with through the card interface (not even by the user); what remains to an attacker is the effort of a physical attack on the chip itself. The user only has access to the functions of the card through a secret PIN code, which the user may change at any time.

Conclusion

The only secure smart card solution on the market today is a solution based on PKI smart cards. If you use anything less, the keys are only as secure as if they were stored on a floppy or on your hard disc. PKI smart cards are the only alternative for doing business in an evolving e-commerce market.
2. PKI APPLICATIONS (LAB EXERCISES)

2.1. SYMMETRIC FILE ENCRYPTION

2.1.1. Lab Exercise 1

Objective

The student will use a symmetric encryption algorithm to encrypt a text file. DES and IDEA will be used for this lab.

Main steps

1. Create a text file with an editor
2. Encrypt this file using DES
3. Encrypt this file using IDEA
4. Decrypt this file using DES
5. Decrypt this file using IDEA

Time

15 minutes
Step 1: Create a text file with an editor

• Create a “Notepad file” called toto.txt in c:\temp
• Edit this file and add a text like “Hello world…”
• Save and quit
Step 2: Encrypt this file using DES

• On your desktop, launch OpenSSL
• You will encrypt this file with DES. At the OpenSSL prompt, type the command des -in toto.txt -out toto.txt.des -e (from an ordinary command prompt the same command is prefixed with openssl, e.g. openssl des -in toto.txt -out toto.txt.des -e)
• Enter a password; OpenSSL derives the secret key from it
• Have a look at the file toto.txt.des

Step 3: Encrypt this file using IDEA

• Encrypt the file toto.txt with IDEA. Type the command idea -in toto.txt -out toto.txt.idea -e
• Enter a password
• Have a look at the file toto.txt.idea
Step 4: Decrypt this file using DES

• You can now decrypt the two files
• Type des -in toto.txt.des -d to decrypt the DES file; the plaintext is written to the screen (add -out toto.txt.dec to write it to a file instead)
• Enter your password

Step 5: Decrypt this file using IDEA

• Type idea -in toto.txt.idea -d to decrypt the IDEA file
• Enter your password
• Now you are finished…
2.2. MESSAGE-DIGEST ALGORITHMS

For a theoretical introduction, please refer to the book “Digital Certificates” by Jalal Feghhi, Jalil Feghhi and Peter Williams.

2.2.1. Lab Exercise 2

Objective

The student will “play” with message digest functions. MD5 and SHA-1 will be used to compute the digest of an input text file.

Main steps

1. Create a text file with an editor
2. Compute the message digest with MD5
3. Change the text
4. Compute the message digest again with MD5
5. Compute the message digest with SHA-1

Time

15 minutes
Step 1: Create a text file with an editor

• Create a file with an editor called toto.txt in c:\temp
• Edit this file and add a text like “Hello world…”
• Save and quit
Step 2: Compute the message digest with MD5

• On your desktop, launch OpenSSL
• Type the command md5 toto.txt
• Have a look at the result. You will see the MD5 digest (128 bits, printed as 32 hexadecimal characters)

Step 3: Change the text

• Edit c:\temp\toto.txt again and change only one character (for instance H → h)
Step 4: Compute the message digest again with MD5

• Type md5 toto.txt again in the OpenSSL application
• What do you see? This is the new MD5 digest; a one-character change alters roughly half of its bits, and nothing in the new digest reveals that the inputs were nearly identical

Step 5: Compute the message digest with SHA-1

• Now type sha1 toto.txt in the OpenSSL application
• What do you see? Compare this with the MD5 digest: the SHA-1 digest is 160 bits (40 hexadecimal characters)
• You are now finished…
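The two digest steps of this lab, worked as an added example (this is not part of the original training material; it uses Python's hashlib instead of the OpenSSL shell, and the sample strings are constructed to mirror the lab). It computes the MD5 and SHA-1 digests of the original text and of the one-character-changed text, and counts how many digest bits flip, which is the property the lab wants you to notice.

```python
"""Message-digest lab in code: MD5 and SHA-1 of the lab's text, and how far
the digests move when a single character changes (the "avalanche" effect)."""
import hashlib

# Constructed sample inputs, mirroring the lab: the file content and the same
# content with exactly one character changed (H -> h).
ORIGINAL = b"Hello world..."
MODIFIED = b"hello world..."


def digest_hex(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` under `algorithm` ("md5" or "sha1"), i.e. what the
    md5/sha1 commands in the OpenSSL shell print for a file."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output size of the digest in bits (MD5: 128, SHA-1: 160)."""
    return hashlib.new(algorithm).digest_size * 8


def differing_bits(a: bytes, b: bytes, algorithm: str) -> int:
    """Number of bit positions in which digest(a) and digest(b) differ
    (the Hamming distance between the two digests)."""
    da = hashlib.new(algorithm, a).digest()
    db = hashlib.new(algorithm, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def avalanche_report(a: bytes, b: bytes) -> dict:
    """For each algorithm, report the digest length and how many bits flip
    when the input changes from a to b. A sound hash flips about half."""
    report = {}
    for alg in ("md5", "sha1"):
        flipped = differing_bits(a, b, alg)
        report[alg] = {
            "bits": digest_bits(alg),
            "flipped": flipped,
            "fraction": flipped / digest_bits(alg),
        }
    return report


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(f"{alg}({ORIGINAL!r}) = {digest_hex(ORIGINAL, alg)}")
        print(f"{alg}({MODIFIED!r}) = {digest_hex(MODIFIED, alg)}")
    for alg, r in avalanche_report(ORIGINAL, MODIFIED).items():
        print(f"{alg}: {r['flipped']} of {r['bits']} bits changed "
              f"({r['fraction']:.0%})")
```

Run it and compare the printed MD5 line with the output of md5 toto.txt in the OpenSSL shell for a file holding the same bytes (mind the trailing newline an editor adds: it changes the digest completely, which is the point of the lab).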
2.3. SECURING THE DESKTOP

2.3.1. Introduction

Safeguarding data transmitted as e-mail messages over an open network like the Internet is an important step towards keeping your data private. Protecting data on a personal computer presents a different set of issues in terms of how the data should be protected and how to control the keys. The most important issue may well be how to select a data encryption product for your desktop. Many products are available on the market to perform file encryption (RSA SecurPC, Blowfish Advanced CS, etc.). For this particular training we will use “Blowfish Advanced CS” because it is a very simple product to use. Moreover, it will familiarise you with secret-key file encryption, key splitting and file wiping.

2.3.2. Blowfish Advanced CS

Introduction

Blowfish Advanced CS is a file encryption program that protects your files with a key built from a password or a key disk, so that no one except you can access their contents. Blowfish Advanced CS erases sensitive files that are no longer needed, to prevent anyone from restoring them. Working with encrypted files and clearing empty disk space are other useful features.

Today we are in the information age, and encrypting data is becoming more and more important for most of us. There are many reasons why data have to be protected from unauthorised access: sensitive medical data, private or business documents, or just some “hot stuff” from the Internet. There are many ways to make data readable only to a selected group of people. Besides physical measures like locking removable disks in a safe, or hiding files with steganography (which is cheap, but hides rather than protects), the only way to make files really inaccessible is to use strong cryptography: a well-studied encryption algorithm with keys long enough to resist any attack, combined with secure removal of the original data.
Encryption Algorithms

Blowfish Advanced CS currently ships with four algorithms, which are the following:

Blowfish

Bruce Schneier designed the algorithm. Blowfish is a very fast algorithm, performing excellently on modern 32-bit processors. Another advantage is its variable key size, which goes up to 448 bits (56 bytes). It was first published in Dr. Dobb's Journal, issue 4/94, and after a year of intensive cryptanalysis it was still unbroken (as reported in DDJ 10/95).

PC1

This algorithm is 100% compatible with the RC4 stream cipher. Ron Rivest developed RC4 in 1987. In 1994 someone posted the source code to a mailing list, and since then it has spread all over the world. RC4 is a stream cipher that handles single bytes. The implementation used by Blowfish Advanced CS uses a key size of 160 bits. As with any stream cipher, the same key must never be used for two different files: XORing two ciphertexts produced with the same keystream cancels the keystream out and leaves the XOR of the two plaintexts.
Triple-DES

DES is the standard encryption algorithm, designed by IBM in the mid-seventies. Although it has been cryptanalysed for over 20 years, no practical shortcut attack has been found. The only problem of DES is its short key length of 7 bytes (56 bits): with a purpose-built machine all possible keys can be tried within days (the EFF's DES cracker did so in 1998). There are DES variants that extend the original algorithm into a new one with a larger key. The most common one is triple-DES, where a 64-bit data block is encrypted three times with DES (encrypt, decrypt, encrypt) using three different keys (or a single key split into three parts). The nominal key length is therefore 21 bytes (168 bits), which significantly improves security (to roughly 112 bits against the best known meet-in-the-middle attack) but also slows the algorithm down. The triple-DES implementation in Blowfish Advanced CS is 100% compatible with the DES standard.

Twofish

Twofish is the AES candidate from Counterpane. It is a new, fast and very flexible encryption algorithm. After extensive cryptanalysis, no weaknesses are known yet. For more information about Twofish, visit

The version of Twofish in Blowfish Advanced CS uses a key size of 256 bits and a block size of 128 bits.

Key Setup

Different encryption algorithms require different key lengths. The Blowfish encryption algorithm, for example, takes a key of up to 448 bits (56 bytes), and the program uses that full length. It is very inconvenient to find passwords of exactly the right length each time, so the program converts the password into a key for the individual algorithm. Blowfish Advanced CS uses a key setup in which your password (or the key disk contents) is hashed with SHA-1, the strongest "Secure Hash Algorithm" available at the time of writing. One advantage is that the resulting key is in binary form and looks like random data. Moreover, the password length is not restricted to the maximum key length of the selected algorithm, since the hash output can be stretched or folded to the right size.
You will find hereafter two examples, which will help you understand the key setup of Blowfish Advanced CS:

Let us choose "helloworld" as our password. We want to create a key of 128 bits (16 bytes). SHA-1 accepts as many input bytes as we wish and outputs a hash of 160 bits (20 bytes). A hash (also called a digest) is like a CRC32 checksum, but designed so that it is infeasible to find two inputs with the same digest or to recover an input from its digest, which CRC32 does not offer.
To resize the 20 bytes of the hash to the required 16 bytes for the key, we take the first 16 bytes of the hash and XOR the remaining 4 bytes over the beginning of these 16 bytes. In this way the whole hash is taken into account.

In the second example we still use "helloworld" as our password, but we need a key for Blowfish with the required length of 56 bytes. As already mentioned, SHA-1 only returns 20 bytes, so we have to create 36 additional bytes from the password in the following way: we hash the password with SHA-1 and get 20 bytes. Then we append those 20 bytes to the original password and hash the modified password again. The result is a new hash, i.e. 20 new bytes for our key. Because the input was different, this second hash is completely different from the first one. Now we append this second hash to the modified password again and rehash it to get the last 20 bytes. Of course, we now have 4 bytes too many, so we XOR them over the first hash as we did in the first example. Finally we have the 56 bytes needed for the Blowfish encryption algorithm.

Note that this key setup uses neither a salt nor an iteration count: the same password always yields the same key, and an attacker can test candidate passwords at the full speed of SHA-1. Modern password-based key derivation (PBKDF2, scrypt, Argon2) adds both.

Random Number Generation

Blowfish Advanced CS offers you two pseudo-random number generators. PRNGs are used to create random data for security purposes, e.g. salt values that are combined with keys, for overwriting (wiping) data or, most importantly, to create key files.

Yarrow

This PRNG was designed by Counterpane and can be considered the best concept for creating random data for security purposes. Blowfish Advanced CS uses a Yarrow implementation with SHA-1 as the hash algorithm and triple-DES as the block cipher. For the latest paper of the Yarrow specifications please visit

CryptPak PRNG

This random generator was the one and only PRNG in the predecessor, Blowfish Advanced 97. It uses a SHA-1 rescrambling method. To initialise the generator, a string of various data (system date and time, drive information, etc.) is built and hashed with SHA-1. The result is a 20-byte buffer of random data, of which only 16 bytes are used, to avoid predictable random sequences. If another 16 bytes are requested, the hash value is hashed again to produce a new digest. This method provides much better randomness than conventional 32-bit random number generators. Two caveats follow directly from this description: the seed (date, time, drive information) is system state that an attacker can largely guess rather than true entropy, and because each output reveals 16 of the 20 state bytes and the next state is simply SHA-1 of the current one, a single observed output block leaves only the 4 withheld bytes (2^32 candidates) between an attacker and every later block. This is why the Yarrow generator, which keeps its state secret and reseeds from fresh entropy, is the better choice.
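The key setup described in the Key Setup section above (password hashed with SHA-1, extended by re-hashing password plus previous hashes, surplus bytes XOR-folded over the start), reconstructed as an added example. This is written from the text's description, not taken from Blowfish Advanced CS's own code; the wrap-around in fold_xor for key lengths shorter than one hash, and the derive_key_pbkdf2 function shown for contrast, are my additions and assumptions, not part of the product. The PBKDF2 function shows what the missing salt and iteration count look like in a current design.

```python
"""Reconstruction of the SHA-1 password-to-key setup described in the text,
plus a salted, iterated derivation for comparison. Written from the text's
description; details it leaves open are marked as assumptions."""
import hashlib
import os

SHA1_LEN = 20  # SHA-1 digest length in bytes


def sha1_bytes(data: bytes) -> bytes:
    """Raw 20-byte SHA-1 digest of `data`."""
    return hashlib.sha1(data).digest()


def fold_xor(material: bytes, key_len: int) -> bytes:
    """Shrink `material` to `key_len` bytes: keep the first key_len bytes and
    XOR every surplus byte over the beginning, so the whole hash counts.
    Assumption: if there are more surplus bytes than key_len (keys shorter
    than 20 bytes), they wrap around; the text only shows 4 surplus bytes."""
    key = bytearray(material[:key_len])
    for i, surplus in enumerate(material[key_len:]):
        key[i % key_len] ^= surplus
    return bytes(key)


def derive_key(password: bytes, key_len: int) -> bytes:
    """Password -> key_len bytes, following the text's two examples:
    h1 = SHA1(pw), h2 = SHA1(pw || h1), h3 = SHA1(pw || h1 || h2), ...
    until enough bytes exist, then XOR-fold the surplus over the first hash.
    No salt and a single hashing pass: same password, same key, every time."""
    material = b""
    chained = password
    while len(material) < key_len:
        h = sha1_bytes(chained)
        material += h
        chained += h  # "append the hash to the (modified) password"
    return fold_xor(material, key_len)


def derive_key_pbkdf2(password: bytes, key_len: int, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    """What a current design does instead (not part of Blowfish Advanced CS):
    salted, iterated PBKDF2-HMAC-SHA256 from the standard library. The salt
    makes equal passwords give different keys; the iteration count makes each
    password guess cost `iterations` HMAC calls instead of one SHA-1."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                               dklen=key_len)


if __name__ == "__main__":
    pw = b"helloworld"  # the text's example password
    print("16-byte key :", derive_key(pw, 16).hex())
    print("56-byte key :", derive_key(pw, 56).hex())
    salt = os.urandom(16)  # a real design stores the salt next to the file
    print("PBKDF2 key  :", derive_key_pbkdf2(pw, 32, salt).hex())
    print("salt        :", salt.hex())
```

Run it twice: the two SHA-1 keys are identical on every run, the PBKDF2 key changes with the salt. That difference is exactly what lets an attacker precompute keys for a dictionary of passwords against the unsalted scheme.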
2.3.3. Lab Exercise 3

Objective

The student will set up file encryption software to protect sensitive information. This software uses strong symmetric encryption mechanisms to protect information.

Scenario

Management wants to implement a solution to protect sensitive information on laptops. For specific files they want to implement key splitting. Moreover, they want to store a secret key on an external medium, which will be a diskette.

Main Steps

1. Encrypt a file with one secret key
2. Exchange this file with your partner
3. Decrypt the partner's file you receive
4. Encrypt a file with two secret keys (Key Splitting)

Time

20 minutes
Step 1: Encrypt a file with one secret key

• On your desktop, launch Blowfish Advanced CS.
• Select c:\encrypted files\ssh.pdf.
• Encrypt this file using the Blowfish encryption algorithm.
• Enter a password. The secret (symmetric) key is derived from it, so the password is effectively your key.
• Keep this password secret. Your partner should not know it.
• Re-enter the password to confirm.
• Now your file ssh.pdf is encrypted with your secret key.

Step 2: Exchange this file with your partner

• Send this encrypted file to your partner via e-mail. Your partner will also send one to you.
Step 3: Decrypt the partner's file you receive

• Read your e-mail. You should have received the encrypted file from your partner.
• Double-click on the attachment. Blowfish Advanced CS will be launched.
• Ask your partner for the password.
• Enter the password.
• That's it, you are able to read the PDF document.
• Note that the password had to reach you over a second channel (you asked for it): this is the key distribution problem of symmetric encryption described in section 1.7.6, and anyone who overheard that channel can read the file too.
Step 4: Encrypt a file with two secret keys (Key Splitting)

You will now use Key Splitting.

• Insert a diskette into your drive. The Key Disk will be stored on it.
• Go to Tools → Options → Miscellaneous and choose Make a Key Disk. This key will be used as a secret key for encryption and decryption.
• Move your mouse until the progress bar has reached 100%. The mouse movements provide the random seed.
• Key Disk generation is done.
• Now you can encrypt the file c:\encrypted files\securegate.pdf with your Key Disk.
• In the Encrypt options choose first Multi Key Input and Use Key Disk.
• Press Yes to append another password. It will be the second secret key; requiring both keys is what we call Key Splitting.
• Choose the Password option and ask your partner to enter a password. Your partner should keep this password private.
• Press No to end the encryption.
• The encryption with two keys (one Key Disk and one standard password) is done: neither the holder of the diskette nor the holder of the password can decrypt the file alone.
• You can try to decrypt this file.
• Now, you are finished…
2.4. PGP (PRETTY GOOD PRIVACY)

2.4.1. The PGP Symmetric Algorithms

PGP offers a selection of different secret-key algorithms to encrypt the actual message. By secret-key algorithm we mean a conventional or symmetric block cipher that uses the same key to both encrypt and decrypt. The three symmetric block ciphers offered by PGP are CAST, Triple-DES and IDEA. They are not “home-grown” algorithms; teams of cryptographers with distinguished reputations developed them all. For the cryptographically curious, all three ciphers operate on 64-bit blocks of plaintext and ciphertext. CAST and IDEA have key sizes of 128 bits, while Triple-DES uses a 168-bit key. Like the Data Encryption Standard (DES), any of these ciphers can be used in cipher feedback (CFB) and cipher block chaining (CBC) modes. PGP uses them in a 64-bit CFB mode.

The CAST encryption algorithm has been included in PGP because it is promising as a good block cipher with a 128-bit key size. Moreover, it is very fast and free. The name is derived from the initials of its designers, Carlisle Adams and Stafford Tavares of Northern Telecom (Nortel). Nortel has applied for a CAST patent, but has made a written commitment to make CAST available to anyone on a royalty-free basis. CAST appears to be exceptionally well designed by people with a good reputation in the field. The design is based on a very formal approach, with a number of formally provable assertions, giving good reasons to believe that breaking its 128-bit key probably requires key exhaustion. CAST has no weak or semi-weak keys. There are strong arguments that CAST is completely immune to both linear and differential cryptanalysis, the two most powerful forms of cryptanalysis in the published literature, both of which have been effective against DES.

CAST is too new to have a long track record, but its formal design and the good reputation of its designers will undoubtedly draw the attention, and the cryptanalytic attempts, of the rest of the academic cryptographic community. As PGP's author Philip Zimmermann puts it in the PGP documentation from which this description is taken, he has nearly the same feeling of confidence in CAST that he had years ago for IDEA, the cipher he selected for earlier versions of PGP.

The IDEA (International Data Encryption Algorithm) block cipher is based on the design concept of “mixing operations from different algebraic groups”. It was developed at ETH Zurich by James L. Massey and Xuejia Lai and published in 1990. Early papers on the algorithm called it PES and then IPES (Improved Proposed Encryption Standard); the name was later changed to IDEA. So far, IDEA has resisted attack much better than other ciphers such as FEAL, REDOC-II, LOKI, Snefru and Khafre. Moreover, IDEA is more resistant than DES to Biham and Shamir's highly successful differential cryptanalysis attack, as well as to linear cryptanalysis.