Chapter 1: Basic Terminology

Encryption is the process of turning a clear-text message (plaintext) into a data stream which looks like a meaningless and random sequence of bits (ciphertext). The process of turning ciphertext back into plaintext is called decryption.

Cryptography deals with making communications secure. Cryptanalysis deals with breaking ciphertext, that is, recovering plaintext without knowing the key. Cryptology is a branch of mathematics which deals with both cryptography and cryptanalysis.

A cryptographic algorithm, also known as a cipher, is a mathematical function which uses plaintext as the input and produces ciphertext as the output and vice versa.

All modern ciphers use keys together with plaintext as the input to produce ciphertext. The same or a different key is supplied to the decryption function to recover plaintext from ciphertext. The details of a cryptographic algorithm are usually made public. The security of a modern cipher lies in the key, not in the details of the cipher.

Symmetric algorithms use the same key for encryption and decryption. These algorithms require that both the sender and receiver agree on a key before they can exchange messages securely.

Some symmetric algorithms operate on 1 bit (or sometimes 1 byte) of plaintext at a time. They are called stream ciphers. Other algorithms operate on blocks of bits at a time. They are called block ciphers. Most modern block ciphers use a block size of 64 bits.

Public-key algorithms (also known as asymmetric algorithms) use two different keys (a key pair) for encryption and decryption. The keys in a key pair are mathematically related, but it is computationally infeasible to deduce one key from the other. These algorithms are called "public-key" because the encryption key can be made public. Anyone can use the public key to encrypt a message, but only the owner of the corresponding private key can decrypt it.

Some public-key algorithms such as RSA allow the process to work in the opposite direction as well: a message can be encrypted with a private key and decrypted with the corresponding public key. If Alice (or anyone else) can decrypt a message with Bob's public key, she knows that the message must have come from Bob because no one else has Bob's private key. Digital signatures work this way.

Chapter 2: Symmetric Cryptography

Symmetric encryption is the backbone of any secure communication system. Dozens of symmetric algorithms have been invented and implemented, both in hardware and software. This chapter briefly describes those relevant to the Microsoft implementation of cryptography.

Block Ciphers

Block ciphers are cryptographic algorithms which operate on 64-bit blocks of plaintext. The encryption procedure usually consists of multiple and complex rounds of bit shifts, XORs, permutations and substitutions of plaintext and key bits. Decryption is similar to encryption except that some operations may be performed in the reverse order. Some algorithms use fixed-length keys; for others the key length may vary.

DES

Data Encryption Standard (DES) is a block cipher invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. It has been a worldwide cryptographic standard since 1976.

DES is a fixed-key-length algorithm. It uses 56-bit keys. Any 56-bit number can be a key.

DES has been remarkably resistant to cryptanalysis, but its short key length makes it vulnerable to a brute-force attack where all possible keys are tried one by one until the correct key is found.

Bruce Schneier writes:

"A brute-force DES-cracking machine that can find a key in an average of 3.5 hours cost only $1 million in 1993. DES is so widespread that it is naive to pretend that NSA <National Security Agency> ... haven't built such a machine. ... DES will only become less secure as time goes on."

DES is implemented by the Microsoft Enhanced Cryptographic Provider.

RC2

RC2 was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published.

RC2 is a variable-key-length cipher. However, when using the Microsoft Base Cryptographic Provider, the key length is hard-coded to 40 bits. When using the Microsoft Enhanced Cryptographic Provider, the key length is 128 bits by default and can be in the range of 40 to 128 bits in 8-bit increments.

Triple DES

The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys. This way the effective key length becomes 56 x 3 = 168 bits, which makes brute-force attacks virtually impossible.

Triple DES is implemented by the Microsoft Enhanced Cryptographic Provider.

Triple DES with 2 Keys

In this variation, DES encryption is still applied three times but using only 2 keys: first key 1 is applied, then key 2 and then key 1 again. The effective key length is 56 x 2 = 112 bits.

Triple DES with 2 keys is implemented by the Microsoft Enhanced Cryptographic Provider.

Advanced Encryption Standard (AES) aka Rijndael

Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. Rijndael became the AES after the FIPS approval by the U.S. government in 2001. The cipher currently supports key lengths of 128, 192, and 256 bits. AES is implemented by the "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" on Windows XP and "Microsoft Enhanced RSA and AES Cryptographic Provider" on Windows 2003. Windows NT and 2000 do not support this cipher. AspEncrypt offers support for AES starting with version 2.3.

Stream Ciphers

Stream ciphers encrypt plaintext one bit (or sometimes byte) at a time. The stream of plaintext bits is XORed with the output of a keystream generator which produces a stream of bits based on a seed value. This seed value is the key for a stream cipher.

The decryption process is identical: the ciphertext bits are XORed with the same keystream (which is a function of the key).

RC4

RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. The details of the algorithm have not been officially published. However, the algorithm's internals have been posted on the Internet, and the book Applied Cryptography contains its detailed description. The algorithm is extremely easy to describe and program.

Just like RC2, 40-bit RC4 is supported by the Microsoft Base Cryptographic Provider, and the Enhanced provider allows keys in the range of 40 to 128 bits in 8-bit increments.

Chapter 3: One-way Hash Function

A one-way hash function, also known as a message digest, fingerprint or compression function, is a mathematical function which takes a variable-length input string and converts it into a fixed-length binary sequence. Furthermore, a one-way hash function is designed in such a way that it is hard to reverse the process, that is, to find a string that hashes to a given value (hence the name one-way). A good hash function also makes it hard to find two strings that would produce the same hash value.

All modern hash algorithms produce hash values of 128 bits and higher.

Even a slight change in an input string should cause the hash value to change drastically. Even if 1 bit is flipped in the input string, at least half of the bits in the hash value will flip as a result. This is called an avalanche effect.

Since it is computationally infeasible to produce a document that would hash to a given value or find two documents that hash to the same value, a document's hash can serve as a cryptographic equivalent of the document. This makes a one-way hash function a central notion in public-key cryptography. When producing a digital signature for a document, we no longer need to encrypt the entire document with a sender's private key (which can be extremely slow). It is sufficient to encrypt the document's hash value instead.

Although a one-way hash function is used mostly for generating digital signatures, it can have other practical applications as well, such as storing passwords in a user database securely or creating a file identification system. See the Tasks section for some examples.

Hash Algorithms

The Microsoft cryptographic providers support three hash algorithms: MD4, MD5 and SHA.

MD4 & MD5

Both MD4 and MD5 were invented by Ron Rivest. MD stands for Message Digest. Both algorithms produce 128-bit hash values. MD5 is an improved version of MD4.

SHA

SHA stands for Secure Hash Algorithm. It was designed by NIST and NSA. SHA produces 160-bit hash values, longer than MD4 and MD5. SHA is generally considered more secure than other algorithms and is the recommended hash algorithm.

Chapter 4: Public-Key Cryptography

Unlike symmetric cryptography, public-key cryptography uses two different keys, one public and one private. The keys are mathematically related, yet it is computationally infeasible to deduce one from the other. Anyone with the public key can encrypt a message but not decrypt it. Only the person with the private key can decrypt the message.

Bruce Schneier compares public-key cryptography with a mailbox. He writes:

"Putting mail in the mailbox is analogous to encrypting with the public key; anyone can do it. Just open the slot and drop it in. Getting mail out of a mailbox is analogous to decrypting with the private key. Generally it's hard; you need welding torches. However, if you have the secret (the physical key to the mailbox), it's easy to get mail out of a mailbox."

Secure Communications using Public-Key Cryptography

Using public-key cryptography, Alice and Bob can communicate securely using the following simple protocol:

 • Alice and Bob agree on a public-key algorithm.
 • Bob sends Alice his public key.
 • Alice encrypts her message with Bob's public key and sends it to Bob.
 • Bob decrypts Alice's message with his private key.

Notice that this protocol does not require any prior arrangements (such as agreeing on a key) for Alice and Bob to communicate securely.

In real-world implementations, public keys are rarely used to encrypt actual messages as public-key cryptography is very slow, about 1000 times slower than conventional cryptography. Instead, public-key cryptography is used to distribute symmetric keys which are then used to encrypt and decrypt actual messages, as follows:

 • Bob sends Alice his public key.
 • Alice generates a random symmetric key (usually called a session key), encrypts it with Bob's public key and sends it to Bob.
 • Bob decrypts the session key with his private key.
 • Alice and Bob exchange messages using the session key.

Systems that use both symmetric and public-key cryptography in this manner are called hybrid.

Digital Signatures

Certain public-key algorithms such as RSA allow both the public and private key to be used for encryption. If a message is encrypted with someone's private key, it can only be decrypted with the corresponding public key. This feature can be used to create digital signatures, as follows:

 • Alice encrypts the document with her private key. The encrypted document becomes her digital signature.
 • Alice sends the signature to Bob.
 • Bob decrypts the document with Alice's public key, thereby verifying the signature.

Once again, encrypting an actual message with a private key is very inefficient. Instead of signing the entire document, the document's hash can be signed, as follows:

 • Alice computes a one-way hash of a document.
 • Alice encrypts the hash with her private key. The encrypted hash becomes the document's signature.
 • Alice sends the document along with the signature to Bob.
 • Bob produces a one-way hash of the document received from Alice, decrypts the signature with Alice's public key and compares the two values. If they match, Bob knows that: (1) the document really came from Alice and (2) the document was not tampered with during transmission.

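
The hash-then-sign steps above, as an added example that is not part of the original document. It assumes textbook RSA with small constructed primes and no padding, and uses SHA-256 from Python's hashlib in place of the hash algorithms named earlier; all function names are illustrative.

```python
import hashlib

# Constructed toy parameters (assumption of this example): small Mersenne
# primes. Real RSA moduli are far larger and real signatures add padding.
ALICE_PRIMES = (2**31 - 1, 2**61 - 1)
MALLORY_PRIMES = (2**61 - 1, 2**89 - 1)
E = 65537  # public exponent


def make_keypair(p, q, e=E):
    """Return ((n, e), (n, d)). The primes p and q must stay secret."""
    n = p * q                            # the modulus
    d = pow(e, -1, (p - 1) * (q - 1))    # private exponent (Python 3.8+)
    return (n, e), (n, d)


def hash_as_int(document, n):
    """One-way hash of the document, reduced below the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document, private_key):
    """Alice: hash the document, then transform the hash with her private key."""
    n, d = private_key
    return pow(hash_as_int(document, n), d, n)


def verify(document, signature, public_key):
    """Bob: recover the hash from the signature with Alice's public key and
    compare it with the hash he computes himself."""
    n, e = public_key
    return pow(signature, e, n) == hash_as_int(document, n)


def demo():
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    _, mallory_priv = make_keypair(*MALLORY_PRIMES)
    document = b"Transfer 100 to Bob"    # constructed sample document
    signature = sign(document, alice_priv)
    return {
        # Untouched document and signature: accepted.
        "genuine": verify(document, signature, alice_pub),
        # Document changed in transit: the hashes no longer match.
        "tampered": verify(b"Transfer 900 to Bob", signature, alice_pub),
        # Signature made with someone else's private key: rejected.
        "forged": verify(document, sign(document, mallory_priv), alice_pub),
    }


if __name__ == "__main__":
    print(demo())
```

The two rejected cases correspond to the two guarantees in the last step: the signature only checks out against Alice's public key, and only for the exact document she hashed.
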
RSA

RSA is by far the most popular public-key cryptography algorithm. It supports both encryption and digital signatures. It is also the easiest one to describe and implement. RSA has withstood years of extensive cryptanalysis and is a de facto standard in much of the world. RSA is named after its three inventors: Ron Rivest, Adi Shamir and Leonard Adleman.

In RSA, a public key is based on the product of two large prime numbers. These two numbers must be kept secret as they are used to compute the private key. The product of the two prime numbers is referred to as the modulus. The security of RSA lies in the difficulty of factoring large numbers.

The Microsoft Base Cryptographic Provider implements RSA with a 512-bit modulus. With the Microsoft Enhanced Provider, the default modulus is 1024 bits, and valid moduli can be in the range of 384 bits to 16,384 bits in 8-bit increments.

Man-in-the-Middle Attack

The hybrid communication protocol described above is vulnerable to a man-in-the-middle attack. Let's assume that Mallory, an enemy hacker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack goes:

 • Bob sends Alice his public key. Mallory intercepts the key and sends his own public key to Alice.
 • Alice generates a random session key, encrypts it with "Bob's" public key (which is really Mallory's) and sends it to Bob.
 • Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bob's public key and sends it to Bob.
 • Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key.
 • Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now read the entire conversation.

A man-in-the-middle attack works because Alice and Bob have no way to verify they are talking to each other. An independent third party that everyone trusts is needed to foil the attack. This third party could bundle the name "Bob" with Bob's public key and sign the package with its own private key. When Alice receives the signed public key from Bob, she can verify the third party's signature. This way she knows that the public key really belongs to Bob, and not Mallory.

A signed package containing a person's name (and possibly some other information such as an email address and company name) and his/her public key is called a digital certificate (or digital ID). An independent third party that everyone trusts whose responsibility is to issue certificates is called a Certification Authority (CA). Digital certificates are the topic of the next chapter.

Chapter 5: Digital Certificates

A certificate is a data package that completely identifies an entity, and is issued by a Certification Authority (CA) only after that authority has verified the entity's identity. The data package includes the public key that belongs to the entity. When the sender of a message signs the message with its private key, the recipient of the message can use the sender's public key (retrieved from the certificate either sent with the message or available elsewhere on the network) to verify that the sender is legitimate.

X.509 Certificates

The X.509 protocol defines the following structure for public-key certificates:

Version
Serial Number
Signature Algorithm
Issuer Name
Period of Validity
 • Not Before Date
 • Not After Date
Subject Name
Subject's Public Key
 • Algorithm
 • Public Key
Extensions
Signature

The version field identifies the certificate format. The serial number is unique within the CA. The Signature Algorithm identifies the algorithm used to sign the certificate. Issuer is the name of the CA. The period of validity is a pair of dates; the certificate is valid during the time period between the two. Subject is the name of the user to whom the certificate is issued. The subject's public key field includes the algorithm name and the public key itself. The last field is the CA's signature.

Certification Hierarchy

In order for digital certificates to be effective, the users of the network must have a high level of trust in the certificate. But what happens if someone doesn't trust the CA, perhaps because the person has never heard of the CA before? This problem is addressed in the certifying process by something called the hierarchy of trust.

The concept of hierarchy of trust is simply that the process must begin with some certifying authority that everyone agrees is trustworthy. This ultimate authority is called the root authority. The root authority then can certify other CAs below it, who can then certify CAs below them, etc. This is illustrated on the following diagram:

When someone receives a certificate that has been issued by a first- or second-tier CA, he or she can verify that the CA that signed the certificate has been certified by a CA at the tier above it and that, in turn, that CA has been certified by the one above it, and so on until a chain of trust exists between the lower-level CA (or a user certificate) and the root CA. For example, in the preceding diagram, it can be verified that CA #4 was certified by CA #1 and that CA #1 was certified by the root CA. This means that when a certificate from a lower-level CA is passed along with the encrypted message, all of the certificates in its chain of trust up to the root should be passed along with it.

Certificate Requests

A certificate request is a signed data package that contains a person's information such as name, email address, company name etc., and his/her public key. A certificate request is generated by a person wishing to obtain a certificate from the CA. Certificate requests are signed by the person's private key to prevent tampering during transmission.

When the CA receives a certificate request, it extracts a person's name and public key information and performs a certain procedure aimed at verifying that the public key really belongs to the person whose name is included in the certificate request. If the verification process is successful, the CA issues the certificate and sends it to the requestor.

Certificate Revocation Lists

Certificates can also be revoked, either because the user's key has been compromised, the CA's key has been compromised, or because the CA no longer wants to certify the user. Each CA maintains a list of all revoked but not expired certificates. When Alice receives a new certificate, she should check to see if it has been revoked. She can check a database of revoked keys on the network or a locally cached list of revoked certificates.

Chapter 6: Secure Mail and S/MIME

Secure Multipurpose Internet Mail Extensions (S/MIME) is a de facto standard developed by RSA Data Security, Inc., for sending secure mail based on public-key cryptography. MIME is the industry standard format for electronic mail, which defines the structure of the message's body. S/MIME-supporting e-mail applications add digital signatures and encryption capabilities to that format to ensure message integrity, data origin authentication and confidentiality of electronic mail.

Signed Mail

When a signed message is sent, a detached signature in the PKCS #7 format is sent along with the message as an attachment. The signature attachment contains the hash of the original message signed with the sender's private key, as well as the signer certificate.

Enveloped Mail

Enveloped (encrypted) mail is generated using a recipient's public key. The message is actually encrypted using a random symmetric key, and it is that symmetric key that is encrypted using the recipient's public key and sent along with the message. If a message is being sent to multiple recipients, the symmetric key is encrypted separately by every recipient's public key. The enveloped message and all encrypted symmetric keys are packaged together using the PKCS #7 format.

Signed & Enveloped Mail

S/MIME also supports messages that are first signed with the sender's private key and then enveloped using the recipients' public keys.

S/MIME-Enabled Status of AspEmail

The AspEmail component, when used in conjunction with AspEncrypt, is capable of sending S/MIME-compliant mail. The S/MIME Enabled logo indicates that the component has passed RSA's S/MIME Interoperability Test and is included in the S/MIME Interoperability Master Matrix. For more information on the S/MIME Enabled logo, visit RSA at http://www.rsasecurity.com/standards/smime/about.html.

S/MIME Central at RSA

For a complete set of S/MIME specifications, visit RSA's S/MIME Central at http://www.rsa.com/smime.