9953330565 Low Rate Call Girls In Rohini Delhi NCR
Security - ch3.pptx
1. Computer Security and Privacy
(CS 671 – 2CrHr)
Chapter 3-Security Techniques
Department of Computer Science
School of Postgraduate Studies
Admas University
2. Cryptography = the science (art) of encryption
Cryptanalysis = the science (art) of breaking encryption
Cryptology = cryptography + cryptanalysis
DEFINITIONS
3. 3
PURPOSE OF CRYPTOGRAPHY
• Secure stored information - regardless if access
obtained
• Secure transmitted information - regardless if
transmission has been monitored
4. 4
SERVICES PROVIDED BY CRYPTOGRAPHY
• Confidentiality
– provides privacy for messages and stored data by hiding
• Message Integrity
– provides assurance to all parties that a message remains
unchanged
• Non-repudiation
– Can prove a document came from X even if X denies it
• Authentication
– identifies the origin of a message
– verifies the identity of person using a computer system
5. 6
CRYPTOGRAPHY
• Cryptography has the following components:
-Plaintext: This is what you want to encrypt.
-Ciphertext: The encrypted output.
-Enciphering or encryption: The process by which
plaintext is converted into ciphertext.
- Encryption algorithm: The sequence of data
processing steps that go into transforming plaintext into
ciphertext.
-Secret Key: is used to set some or all of the various
parameters used by the encryption algorithm.
-Deciphering or decryption: Recovering plaintext from
ciphertext.
- Decryption algorithm: The sequence of data processing
steps that go into transforming ciphertext back into
plaintext.
6. KEYS
• A key can be thought of as simply
a collection of bits
• The more bits, the stronger the key
• Keys are tied to specific
encryption algorithms
• Lengths vary depending on the
encryption algorithm
– e.g. 128 bits is long for some
algorithms, but short for others
1 0 1 1 1 1 0 1 1
1 0 1 1 0 0 1 0 1
7
7. 8
CRYPTOGRAPHY
• Encryption Overview
– Plain text is converted to cipher text by use of an algorithm and
key.
• Algorithm is publicly known
• Key is held private
– Three Main Categories
• Secret Key
– single key is used to encrypt and decrypt information
• Public/Private Key
– two keys are used: one for encryption (public key) and
one for decryption (private key)
• One-way Function
– information is encrypted to produce a “digest” of the
original information that can be used later to prove its
authenticity
8. ENCRYPTION
• Encryption is the process of taking
some data and a key and feeding it
into a function and getting
encrypted data out
• Encrypted data is, in principle,
unreadable unless decrypted Encryption
Function
8
9. DECRYPTION
• Decryption is the process of
taking encrypted data and a
key and feeding it into a
function and getting out the
original data
– Encryption and decryption
functions are linked
Decryption
Function
9
10. Symmetric Encryption
• Encryption and decryption algorithms
that use the same key are called
symmetric
– In this case everyone wanting to read
encrypted data must share the same
key
• Sender and receive have the same
secret key that will encrypt and
decrypt plain text.
• Strength of encryption technique
depends on key length
Encrypt
Decrypt
ENCRYPTION TECHNIQUES
10
11. 12
ENCRYPTION TECHNIQUES…
• Secret Key (Symmetric)
– Known symmetrical algorithms
• Data Encryption Standard (DES)
– 56 bit key
• Triple DES, DESX, GDES, RDES
– 168 bit key
• Advanced Encryption Standard (AES)
– 128, 192,256 key sizes
• RC2, RC4, RC5
– variable length up to 2048 bits
• IDEA - basis of PGP
– 128 bit key
• Blowfish
– variable length up to 448 bits
12. Asymmetric Encryption
•Encryption and decryption algorithms
that use a different key pair are called
asymmetric
–Keys are mathematically linked
•Most common algorithm is the RSA
(Rivest Shamir Adelman) algorithm
with key lengths from 512 to 1024
bits.
13
ENCRYPTION TECHNIQUES…
13. CRYPTOGRAPHY
DES
• In 1973, the NBS (National Bureau of Standards, now called NIST -
National Institute of Standards and Technology) published a request for
an encryption algorithm that would meet the following criteria:
• have a high security level
• be easily understood
• not depend on the algorithm's confidentiality
• be adaptable and economical
• be efficient and exportable
In late 1974, IBM proposed "Lucifer", which was then modified by NSA
(National Security Agency) in 1976 to become the DES (Data Encryption
Standard). DES was approved by the NBS in 1978. The DES was
standardized by the ANSI under the name of ANSI X3.92, also known as
DEA (Data Encryption Algorithm).
14. CRYPTOGRAPHY
DES
• DES Utilizes block cipher, which means that during the
encryption process, the plaintext is broken into fixed length blocks
of 64 bits.
• To do the encryption, DES uses a 64 bits long key. However,
every 8th key bit is ignored in the DES algorithm, so that the
effective key size is 56 bits.
• 56-bit key gives 256 ( 7.2*1016) possible key variations
• How DES works?
15. CRYPTOGRAPHY
DES
• DES was best suited for implementation in hardware,
probably to discourage implementations in software, which
tend to be slow by comparison during that time.
• Modern computers are so fast that satisfactory software
implementations for DES are possible.
• DES is the most widely used symmetric algorithm despite
claims whether 56 bits is long enough to guarantee security.
• Using current technology, 56-bit key size is vulnerable to a
brute force attack.
16. CRYPTOGRAPHY
DES
• Cracking: The most basic method of attack for any cypher is
brute force - trying every possible key in turn.
• The length of the key determines the number of possible
keys, and hence the feasibility of the approach.
• DES is not adequate with this regard due to its key size
• In academia, various proposals for a DES-cracking machine
were advanced.
• In 1977, Diffie and Hellman proposed a machine costing an
estimated US$20 million which could find a DES key in a single day.
• By 1993, Wiener had proposed a key-search machine costing US$1
million which would find a key within 7 hours.
• However, none of these early proposals were ever
implemented.
17. CRYPTOGRAPHY
DES
• The vulnerability of DES was practically demonstrated in
1997, where RSA Security sponsored a series of contests,
offering a $10,000 prize to the first team that broke a
message encrypted with DES for the contest. That contest
was won by the DESCHALL Project, led by Rocke Verser,
Matt Curtin, and Justin Dolske, using idle cycles of
thousands of computers across the Internet.
• The feasibility of cracking DES quickly was demonstrated
in 1998 when a custom DES-cracker was built by the
Electronic Frontier Foundation (EFF), a cyberspace civil
rights group, at the cost of approximately US$250,000. Their
motivation was to show that DES was breakable in practice
as well as in theory.
18. CRYPTOGRAPHY
DES
• A variant of DES, Triple DES (3-DES), provides enhanced security by executing
the core algorithm three times in a row.
• With triple length key of three 56-bit keys K1, K2 & K3, encryption is:
Encrypt with K1
Decrypt with K2
Encrypt with K3
• Decryption is the reverse process:
Decrypt with K3
Encrypt with K2
Decrypt with K1
• Setting K3 equal to K1 in these processes gives us a double length key K1, K2.
• Setting K1, K2 and K3 all equal to K has the same effect as using a single-length
(56-bit key).
• Thus it is possible for a system using triple-DES to be compatible with a system
using single-DES.
19. CRYPTOGRAPHY
Asymmetric/Public key/ Cryptography
• Also called public-key cryptography
keys for encryption and decryption are different but form a unique pair
P = DKD [EKE (P) ]
Only one of the keys need to be private while the other can be public
• Invented by Diffie and Hellman in 1976
• It is a revolutionary concept since it avoids the need of using a
secure channel to communicate the key
• It has made cryptography available for the general public and made
many of today’s on-line application feasible
20. CRYPTOGRAPHY
Public-key Cryptography
• Which one of the encryption or decryption key
is made public depends on the use of the key
If Hana wants to send a confidential message to
Ahmed
She encrypts the message using Ahmed’s public key
Send the message
Ahmed will then decode it using his own private key
On the other hand, if Ahmed needs to make sure that
a message sent by Hana really comes from her, how
can he make that?
21. CRYPTOGRAPHY
Public-key Cryptography
• Using digital signature
Hana has to first encrypt a digital signature using her
private key
Then encrypt the message (signature included) with
Ahmed’s public key
Sends the encrypted message to Ahmed
Ahmed decrypts the message using his private key
Ahmed then decrypts the signature using Hana’s
public key
If successful, he insures that it comes from Hana
22. CRYPTOGRAPHY
Public-key Cryptography
• Summary
A pair of keys (private, public)
If you have the private key, you can easily
decrypt what is encrypted by the public key
Otherwise, it is computationally infeasible to
decrypt what has been encrypted by the
public key
23. CRYPTOGRAPHY
Public-key Cryptographic algorithm: RSA
• RSA is from R. Rivest, A. Shamir and L. Aldleman
• Principle: No mathematical method is yet known to efficiently
find the prime factors of large numbers
• In RSA, the private and public keys are constructed from very
large prime numbers (consisting of hundred of decimal digits)
• One of the keys can be made public
• Breaking RSA is equivalent to finding the prime factors for large
numbers: this is know to be computationally infeasible
• It is only the person who has produced the keys from the prime
number who can easily decrypt the messages
24. CRYPTOGRAPHY
RSA
• The RSA algorithm
Used both for public key encryption and digital
signatures.
• Major Activities
Key Generation
Encryption
Digital signing
Decryption
Signature verification
25. CRYPTOGRAPHY
RSA- Key Generating Algorithm
1. Choose/generate two distinct prime numbers p and q.
2. Compute n = pq.
3. Compute φ(n) = (p – 1)(q – 1), where φ is Euler's totient function.
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1.
5. Determine d (1<d<phi) such that φ(n) divides ed-1.
Result:
Keep all the values d, p, q and φ secret
e is known as the public key exponent
d is known as the private key exponent
26. CRYPTOGRAPHY
RSA- Encryption
Sender A does the following
Obtains the recipient B's public key (n, e)
Represents the plaintext message as a positive integer m
Computes the cipher-text c = me mod n
Sends the cipher-text c to B
RSA- Decryption
Recipient B does the following
Uses his private key (n, d) to compute m = cd mod n
Extracts the plaintext from the message representative m
27. CRYPTOGRAPHY
RSA- Key Generation Simple Example
1. Select primes p=11, q=3.
2. n = pq = 11*3 = 33
phi = (p-1)(q-1) = 10*2 = 20
3. Choose e=3
Check gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
4. Compute d (1<d<phi) such that phi divides ed-1 (20 divides 3d-1.)
Simple testing (d = 2, 3 ...) gives d = 7
Check: ed-1 = 3*7 - 1 = 20, which is divisible by phi (20).
5. Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7).
28. CRYPTOGRAPHY
RSA- Encryption Example
Now say we want to encrypt the message m = 7
c = me mod n = 73 mod 33 = 343 mod 33 = 13
Hence the ciphertext c = 13
To check decryption we compute
m = cd mod n = 137 mod 33 = 7
RSA- Decryption Example
Given: Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7)
How do we encrypt and decrypt?
29. CRYPTOGRAPHY
RSA- More Meaningful Example
Message: ATTACKxATxSEVEN
Grouping the characters into blocks of three and
computing a message representative integer for each block:
ATT ACK XAT XSE VEN
In the same way that a decimal number can be represented as the
sum of powers of ten, e.g. 135 = 1 x 102 + 3 x 101 + 5, we could
represent our blocks of three characters in base 26 using A=0, B=1,
C=2, ..., Z=25
ATT = 0 x 262 + 19 x 261 + 19 = 513
ACK = 0 x 262 + 2 x 261 + 10 = 62
XAT = 23 x 262 + 0 x 261 + 19 = 15567
XSE = 23 x 262 + 18 x 261 + 4 = 16020
VEN = 21 x 262 + 4 x 261 + 13 = 14313
30. CRYPTOGRAPHY
RSA- More Meaningful Example – Key Generation
1. We "generate" primes p=137 and q=131
2. n = pq = 137*131 = 17,947
phi = (p-1)(q-1) = 136*130 = 17680
3. Select e = 3
check gcd(e, (p-1)(q-1)) = gcd(3, 17680 ) = 1, OK
4. Compute d such that phi divides ed-1 (17680 divides 3d-
1.)
Simple testing (d = 2, 3 ...) gives d = 11787
Check: ed-1 = 3* 11787 - 1 = 35,3600, which is divisible by
phi (17680).
5. Hence
public key, (n, e) = (17947, 3) and
private key (n, d) = (17947, 11787).
31. CRYPTOGRAPHY
To encrypt the first integer that represents "ATT“ (513),
we have
c = me mod n = 5133 mod 17947 = 8363
We can verify that our private key is valid by decrypting
m = cd mod n = 836311787 mod 17947 = 513
Using:
Public key = (n, e) = (17947, 3)
Private key = (n, d) = (17947, 11787)
Overall, our plaintext is represented by the set of integers m
(513, 62, 15567, 16020, 14313)
We compute corresponding cipher text integers c = me mod n
(8363, 5017, 11884, 9546, 13366)
32. CRYPTOGRAPHY
Hash functions
• One application of cryptography is the use of
hash functions
• A hash function H takes a message m of arbitrary
length and produces a bit string h, h= H (m)
• When the hash value h is sent with the message m,
it enables to determine whether m has been
modified or not
33. CRYPTOGRAPHY
Hash functions
• Properties of hash functions
One-way function: It is computationally
infeasible to find m that corresponds to a known
output of h
It is computationally infeasible, given m and H, to find
m’ ≠ m such that H(m) = H(m’)
Given H, it is computationally infeasible to find any two
different input values m and m’, such that H(m) = H(m’)
35. CRYPTOGRAPHY
Digital Signature for Message Integrity and Confidentiality
• Principles of Digital Signature
User A signs digitally a message m using
cryptographic hash of the message m with the private
key of A and attach it to the message m.
Anybody can then decrypt A’s digital signature using
A’s public key and compare it with the cryptographic
hash of the message m to verify that m was signed by
A and m was not altered.
36. CRYPTOGRAPHY
Digital Signature Using Public Key Cryptosystem
Notation: KX
- : Private key of X
KX
+ : Public key of X
• When Hanna sends her message m to Ahmed,
she encrypts it with her private key Kh
-(m)
• If she wants to keep the message content a
secret, she can use Ahmed’s public key and send
Ka
+(m, Kh
-(m))
• Hanna is protected against modification by
Ahmed since if Ahmed produces m’, he has to
find Kh
-(m’)
37. CRYPTOGRAPHY
Digital Signature Using Message Digest
• H = H (m) is sent along m, where H is a cryptographic
hash function
• Kh
-(H(m)) (or Ka
+(m, Kh
-(H(m)))) is sent so that Ahmed
knows that it comes from Hanna by decrypting it
• Ahmed hashes the message m and compares it with H
that he has received from Hanna
• Hash/Message Digest: Short “signature” of the
message, 128–512 bits.
• It is extremely improbable that unequal messages have
same hash
Example: MD5 (Message Digest version 5) and SHA-1
38. CRYPTOGRAPHY
Digital Signature and RSA
• Recipient B does the following
Uses sender A's public key (n, e) to compute integer v = se mod n
Extracts the message digest from this integer
Independently computes the message digest of m that has been signed
If both message digests are identical, the signature is valid
Signature Verification
• Sender A does the following
Creates a message digest of the information to be sent
Represents this digest as an integer m
Uses his/her private key (n, d) to compute the signature
s = md mod n.
Sends this signature s along with encrypted m to the recipient B.
39. CRYPTOGRAPHY
Key Distribution: Verifying Someone’s Public Key
• Even with public-key cryptosystems and digital
signatures, we still have the problem of authentication:
binding users to keys.
• Early days articles proposed phonebook-like database
with Name and Public Key entries.
• Attacker can put in his own key for someone else, and
start signing fake contracts (and even checks!).
• Maybe we can secure the phonebook, but then it kills the
idea of keys widely and easily available (publicly) .
• Problem: How secure is that database itself?
40. CRYPTOGRAPHY
Key Distribution: Problems
• Distribution of a key is a difficult matter!
• Solution: Certification/Certificate Authority (CA)
that signs (certifies) the public key
• For public key, we need a body that certifies the
public key is that of the party we need to
communicate with
• For a symmetric cryptosystem, the initial key must
be communicated along a secured channel(?)
41. CRYPTOGRAPHY
Certification
• A certificate is a public key and some naming “stuff”, digitally signed
by someone you trust (third party) - Certification Authority (CA).
• Remark: Just because they are CAs doesn’t mean you should trust them.
• The critical thing is that the name in the certificate must match the
alleged name.
• Common solution to public key distribution today is to have trusted
third party to sign the user’s public encryption key.
• Resulting certificate will contain information like user’s name/ID,
user’s public key, name of CA, start date of certificate, and length of
time it is valid.
• User publishes certificate with the X.509 standard (for formatting
certificates).
42. CRYPTOGRAPHY
Certification - Associated Overheads
• An important issue is the longevity of certificates
• Lifelong certificates are not feasible
• Therefore, we need a way to revoke certificates
Certificate Revocation List (CRL) published regularly
45. CRYPTOGRAPHY
Applications – Security in Electronic Payment
• General requirements
In cash based systems (using ATM), the main issue is
authentication
Use of card
Electronic money
Protection against fraud
It should not be possible to use the money more than once
It should not be possible to use forged money
Credit card or check based system
No tampering/alteration
Protection against repudiation (the buyer denies having made
the order)
46. CRYPTOGRAPHY
Applications – Secure Electronic Transaction (SET)
• SET is the result of efforts by VISA, Mastercard, etc.
to develop a standard way of purchasing goods over a
network using a credit card
• SET is an open standard: entire protocol is published
• Dual signature is used in order to avoid
The merchant from knowing the detail of the payment
information
The Bank from knowing about the order information
47. Applications – Secure Electronic Transaction (SET)
NETWORK SECURITY
• Protect credit card transaction on the Internet.
• Companies involved:
MasterCard, Visa, IBM, Microsoft, Netscape, RSA,
Terisa and Verisign
• Not a payment system but enables users to
employ the existing credit card payment
infrastructure on an open network (Internet) in a
secure manner.
• Set of security protocols and formats.
CRYPTOGRAPHY
48. Applications: SET Services
NETWORK SECURITY
• Provides a secure communication channel in a
transaction.
• Key Features of SET:
Confidentiality of information
Integrity of data
Cardholder account authentication
Merchant authentication
CRYPTOGRAPHY
49. Application: SET Participants ...
NETWORK SECURITY
• Customer : Authorized holder of Payment Card
• Merchant: Has goods to sell to the Cardholder.
• Issuer: Financial institution (such as bank) – connected with
the Customer.
• Acquirer: Verifies that a card account is active and the
proposed purchase does not exceed the credit limit –
Connected with the Merchant.
• Payment gateway: Operated by the acquirer or a designated
third party that processes merchant payment messages
• Certification Authority: Trusted entity to issue the X.509V3
public key certificate for customers, Merchants and payment
gateways.
• The success of SET depends on CA.
CRYPTOGRAPHY
50. Applications: SET (Sequence of events for transactions)
NETWORK SECURITY
1. Merchant sends merchant certificate and bank certificate
(encrypted with CA’s private key)
2. Customer decrypts certificates, obtains public keys
3. Customer generates order information (OI) and payment
info (PI) encrypted with different session keys and dual-
signed
4. Merchant sends payment request to bank encrypted with
bank-merchant session key
5. Bank sends authorization request to issuing bank
6. Bank sends approval to merchant
7. Merchant sends acknowledgement to customer
CRYPTOGRAPHY
52. Applications: SET - Dual Signature
NETWORK SECURITY
• Dual signature is an important innovation by SET
• Used to link two messages that are intended for two different
recipients.
• The customer wants to send Order Information (OI) to the
merchant and Payment Information (PI) to the bank.
• Merchant – Does not need to know details of customer’s
payment information.
• Bank – Does not need to know details of customer’s order.
• Privacy!!
• The two items, however, must be linked somehow to prove
that the payment is intended for this order and not for some
other.
CRYPTOGRAPHY
56. CRYPTOGRAPHY
Cryptanalysis
• comes from the Greek word kryptós, "hidden", and
analýein, "to loosen" or "to untie"
• It is the art of recovering original data (the
plain text) that has been encrypted or turned into
cipher text without having access to the correct key
used in the encryption process
• When new encryption algorithms are introduced,
cryptanalysis determines how hard it is to break the
code (study)
57. CRYPTOGRAPHY
Cryptanalysis
• It is also used to refer to any attempt to avoid the
security of other types of cryptographic algorithms
and protocols in general, and not just encryption.
• This process is mathematically challenging and
complex as cryptography.
• Cryptanalysis contains various ways to achieve its
goal and uses a number of attack strategies
58. CRYPTOGRAPHY
Cryptanalysis – Ciphertext-Only Attack
• an attack model which is used by cryptanalyst in
which without knowing the plain text, he works on
cipher text
• The intention will be to find the corresponding plain
text or a key
• E.g. attack on PDF data encryption using default
RC4 algorithm
59. CRYPTOGRAPHY
Cryptanalysis – Known-plaintext Attack
• It is an attack model (used by cryptanalyst) where
both sample plaintext and cipher text is used by
attacker to find out the secret key
Cryptanalysis – Chosen-plaintext Attack
• It is an attack model where the cryptanalyst specify
his own plain text and encrypt it.
• This can be used to learn characteristics about the
encryption algorithm(public key algorithms)
• For example he can provide an empty text, a text
which consists of one ‘a’ or two ‘aa’ characters.
60. CRYPTOGRAPHY
Cryptanalysis – Brute force attack
• A strategy used to break down passwords
• It is the most common method which tries all
possible permutations of the password until the
correct one is found but starts cracking with the
commonly used passwords(Dictionary attack)
• The time required to find a password depends on:
1. How long the password is
2. How many characters are allowed in each
position (upper case, lower case, numbers,
special characters)
61. CRYPTOGRAPHY
Summary
• Advantage of private/secret key cryptography is that
it provides better secrecy but needs prearranged key
exchange.
• Advantage of public-key cryptography is that it
allows for secrecy between two parties who have not
arranged in advance to have a shared key (or trusted
some third party to give it to them) and the
disadvantage is overhead and speed.
• Therefore, in practice, hybrid systems use both!!