Upcoming SlideShare
×

# Cryptography and network security

13,016 views

Published on

This presentation introduces the Basics of Cryptography and Network Security concepts. Heavily derived from content from William Stalling's book with the same title.

Published in: Technology, Education
8 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total views
13,016
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
623
0
Likes
8
Embeds 0
No embeds

No notes for slide

### Cryptography and network security

1. 1. Cryptography and Network SecurityAn Overview<br />Nagendra U M<br />namahesh@cisco.com<br />
2. 2. Agenda<br /><ul><li>Introduction
3. 3. Security Trends
4. 4. ASM: Attacks, Services, Mechanisms
5. 5. A Network Security Model
6. 6. Private-Key Cryptography / Symmetric Ciphers
7. 7. DES, 3DES, AES
8. 8. Private Key Distribution
9. 9. Public-Key Cryptography
10. 10. Mathematical Concepts
11. 11. The RSA Algorithm
12. 12. Key Management
13. 13. Hashing Algorithms
14. 14. Digital Signatures
15. 15. Authentication Protocols
16. 16. Network Security
17. 17. X.509, Public Key Infrastructure (PKI)
18. 18. PGP, S/MIME
19. 19. SSL/TLS
20. 20. IPSec</li></li></ul><li>
21. 21.
22. 22.
23. 23. Model for Network Security<br />
24. 24. Simplified Model of Conventional Encryption<br />Model of Conventional Cryptosystem<br />
25. 25. Goals of an ‘Unconditionally Secure’ Encryption Algorithm:<br />● The cost of breaking the cipher exceeds the value of the encrypted information.<br />● The time required to break the cipher exceeds the useful lifetime of the information.<br />CLASSIC SUBSTITUTION ALGORITHMS:<br />Caesar Cipher:<br />C = E(k, p) = (p + k) mod 26<br />p = D(k, C) = (C - k) mod 26<br />where K={1..25} for english<br />Monoalphabetic Ciphers:<br />Substitute one arbitrary alphabet in the place of a particular alphabet<br />For english, it generates a key space of 26! (~4 x 10^26) keys<br />BUT it can be broken by exploiting patterns in language<br />Polyalphabetic Ciphers:<br />Use different monoalphabetic substitutions as one proceeds through the plaintext message.<br />Vignere Cipher<br />
26. 26. CLASSIC TRANSPOSITION ALGORITHMS:<br />Rail-fence Technique:<br />Written as a sequence of diagonals and read off as a sequence of rows<br />Eg: “CiscoSystems” is written as<br />C s o y t m<br />i c S s e s<br />CipherText:CsoytmicSses<br />A more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm.<br />Rotor Machines:<br />Steganography:<br />Strictly speaking, its NOT encryption<br />Conceal the existence of a message<br />JPEG steganography<br />
27. 27.
28. 28. The Fiestel Cipher<br />
29. 29. DES: Data Encryption Standard<br /><ul><li>64-bit plaintext blocks => 64-bit ciphertext blocks
30. 30. 56-bit key
31. 31. Same algorithm with the same key is used to decrypt and encrypt
32. 32. Exhibits a strong Avalanche effect
33. 33. No big deal nowadays</li></ul>3DES: Triple DES<br /><ul><li>Since DES was too weak in itself
34. 34. Do DES encryption 3 times in an E-D-E sequence
35. 35. C = E(K1, D(K2, E(K1, P)))
36. 36. Much stronger than DES</li></ul>AES: Advanced Encryption Standard<br /><ul><li>Released in 2001 by the U.S. Govt.
37. 37. Extremely strong algorithm
38. 38. 128-bit plaintext blocks => 128-bit ciphertext blocks
39. 39. 128, 192 or 256-bit keys</li></ul>Blowfish<br /><ul><li>Developed by Bruce Schneier in 1993
40. 40. Unofficially the strongest encryption algorithm
41. 41. 64-bit plaintext blocks => 64-bit ciphertext blocks
42. 42. Variable length keys from 32 to 448 bits
43. 43. Twofishis the successor of Blowfish (128-bit blocks, 256-bit keys)</li></li></ul><li>Block Cipher Modes<br /><ul><li>ECB – Electronic Code Book
44. 44. CBC – Cipher Block Chaining</li></ul>Where to do encryption?<br />
45. 45. Centralized Symmetric Key Distribution<br />
46. 46. Public Key Cryptography<br />Mathematical Concepts:<br /><ul><li>The ability to choose a large prime number
47. 47. Discrete Logarithms</li></ul>Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the different keys - one a public key and one a private key.<br />It can be used for confidentiality, authentication or both.<br />Hailed as the greatest revolution in information security – no more substitutions and permutations and the use of 2 keys !!!<br />Attacks 2 problems in symmetric cryptography: Key distribution and digital signatures<br />One way function:<br />Y = f(X) easy<br />X = f^-1(X) infeasible<br /> (NP-hard or NP-complete)<br />Public-key algorithms are very slow and resource-consuming to be used for encryption. For practical uses, they are confined to key management and signature applications<br />
48. 48. The Public Key cryptosystem for secrecy<br />The Public Key cryptosystem for authentication, integrity, nonrepudiation<br />
49. 49. Best of both worlds : Authentication/Integrity and Secrecy<br />
50. 50. RSA Algorithm<br /><ul><li> Invented by Ronald Rivest, AdiShamir, and Len Adleman at MIT in 1978
51. 51. Block cipher (usually ~1024 bits block size)</li></ul>The Algorithm:<br /><ul><li> p and q should be chosen at random, both of the </li></ul>same size and large numbers<br /><ul><li> n = p*q where n is used as the modulus for both</li></ul>public and private keys<br /><ul><li>φ(n) is the Euler’s totient function
52. 52. Choose e such that e and φ(n) are relatively prime
53. 53. d is the private key exponent and e is the </li></ul>public key exponent<br />An Example:<br />1) Let Plaintext = 88<br />2) Let p = 17, q = 11 (both primes)<br />3) n = p*q = 17 * 11 = 187<br />4) φ(n) = (p-1)(q-1) = 16*10 = 160<br />5) We choose e = 7 since e < φ(n) and e is relatively prime to φ(n)<br />6) Choose d such that d = 1(mod φ(n)) / e i.e. de = 1 (mod 160). So, d = 7<br />Public Key = {7,187} Private Key = {23,187}<br />7) At the sender’s end:<br />Ciphertext C = P^e (mod n) = 88^7 (mod 187) = 11<br />8) At the receiver’s end:<br /> Plaintext P = C^d (mod n) = 11^7 (mod 187) = 88<br />
54. 54. Key Management<br /><ul><li>Public-key encryption schemes are secure only if the authenticity of the public key is assured.
55. 55. Various ways</li></ul>● Public announcement<br />● Publicly available directory<br />● Public-key authority<br />● Public-key certificates<br />Message Authentication<br /><ul><li> used to verify the integrity of a message
56. 56. Hash Functions
57. 57. accepts a variable-size message M as input and produces a fixedsizeoutput, referred to as a hash code H(M) or Message Digest
58. 58. Eg: MD5, SHA-256, SHA-512</li></li></ul><li>Digital Signatures<br /><ul><li> taking the hash of the message and encrypting the message with the creator's private key</li></ul>Authentication Applications<br /><ul><li>Kerberos – distributed authentication using symmetric cryptography
59. 59. ITU-T X.509 – authentication based on X.500 directory service
60. 60. PKI – Public Key Infrastructure
61. 61. CHAP</li></ul>Email Security<br />PGP – Pretty Good Privacy<br /><ul><li>FOSS
62. 62. Authentication via digital signatures, confidentiality via symmetric block ciphers, compression via ZIP etc.</li></ul>S/MIME – Secure/Multipurpose Internet Mail Extension<br /><ul><li>Internet standard approach</li></ul>IP Security (IPSec)<br /><ul><li>capability that can be added to IPv\$4 or IPv6 via additional headers
63. 63. 3 areas – authentication, confidentiality, key management
64. 64. Confidentality in 2 modes : tunnel and transport
65. 65. Higher-level layers may be ignorant of security implications
66. 66. RFC 2401-2408