1. Cryptography
A Tutorial on Cryptography
By: Er. Chetan Goyal
Contact for more tutorials on other topics of ethical
hacking
chetangoyal36@Hotmail.com
chetangoyal36@gmail.com
Or visit
www.windowwares.blogspot.com
2. Cryptography
• This module includes
Related terms
Symmetric key cryptography
Asymmetric Key cryptography
PKI and Digital signatures
Demonstration: how SSL works
3. Cipher
• Cipher is the actual algorithm.
• We can use cipher and algorithm
interchangeably.
4. More definitions
• Cryptosystem
• Encompasses all of the necessary components
of encryption and decryption
» Software
» Protocols
» Algorithms
• Plain text – readable data
• Cipher text – encrypted data
5. Caesar Cipher
• Julius Caesar, 49 BC
– Securely communicate with friends
• Simple Substitution cipher
– Shift alphabet 3 characters.
6. Caesar Cipher Example
• Substitution: each letter is replaced by the letter 3 places further along the alphabet
Plaintext: ET TU BRUTE
Shift algorithm: 3 characters
Cipher text: HW WX EUXWH
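The shift cipher from the slide, as an added example that is not part of the original deck. It encrypts and decrypts with a shift of 3 and also enumerates all 26 possible shifts, which makes concrete the point made later in the deck about key space: a Caesar key is one of only 26 values, so every key can be tried in a single loop. The crib word used by the search is a constructed input.

```python
import string
from typing import List

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet the cipher operates on


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter forward by `shift` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Caesar's original setting: shift the alphabet 3 characters."""
    return caesar_shift(plaintext, shift)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decryption is the same operation with the shift reversed."""
    return caesar_shift(ciphertext, -shift)


def exhaustive_search(ciphertext: str, crib: str) -> List[int]:
    """Try every one of the 26 keys and return those whose decryption contains the crib.

    The key space of a Caesar cipher is 26, so exhaustive search is instant; this is the
    'small key space' situation that larger keys (2^64, 2^128, ...) are meant to avoid.
    """
    return [k for k in range(26) if crib in caesar_decrypt(ciphertext, k)]


if __name__ == "__main__":
    ct = caesar_encrypt("ET TU BRUTE")
    print(ct)                              # HW WX EUXWH
    print(caesar_decrypt(ct))              # ET TU BRUTE
    print(exhaustive_search(ct, "BRUTE"))  # [3]
```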
7. Symmetric Encryption
• Single key
– Shared secret
• Examples
– Data Encryption Standard (DES)
» Block cipher, 56-bit key
» Triple DES, 112-bit key
– Advanced Encryption Standard (AES)
» Rijndael algorithm, designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen
» 128, 192, 256-bit keys
8. Symmetric Key Encryption
• Symmetric key encryption is based on substitution and transposition
• Each algorithm consists of many substitution and transposition “rounds”
• Symmetric key encryption is mostly used for bulk or mass encryption.
9. Key and Algorithm Relationship
• An algorithm consists of many static equations (functions) or rounds; these rounds are basically mathematical formulas – substitution and transposition.
• The key decides which functions or blocks are used, in which order and with which values, to encrypt or decrypt the data.
10. Key Size
• Does key size really matter?
• Why and how
• Key space – the total number of keys that can be generated from the available key bits
• So for 64 bits we have 2^64 possible keys.
• For 128 bits we have 2^128
• So the larger the key space, the more values an attacker has to brute force.
11. Types of Symmetric Cipher
• Block cipher – text is divided into blocks, and each block is encrypted individually
• E.g. AES, DES, 3DES etc.
• Stream cipher – data is encrypted as a continuous stream instead of in blocks; the encrypting and decrypting ends must stay synchronised
• E.g. RC4, RC5
12. Symmetric Encryption Example
[Diagram: Alice writes the message “Dear Bob: How about coming over to my place at 1:30? Love, Alice”, encrypts it with the shared key into ciphertext (shown as a bit string), and Bob decrypts the ciphertext with the same shared key to recover the original message.]
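The Alice-to-Bob exchange above in working code, as an added example that is not from the original deck. It illustrates the stream-cipher principle from the previous slide: a keystream derived from the single shared key is XORed with the message, decryption is the same XOR, and both ends must be synchronised on the same nonce/counter or the output is garbage. The keystream generator (HMAC-SHA256 in counter mode) is a constructed illustration of the principle, not RC4 or any standard cipher; the key, nonce and message are constructed values.

```python
import hashlib
import hmac
import os

# Constructed demo values. In practice the nonce must be fresh (os.urandom(16)) for every
# message sent under the same key, because a repeated keystream leaks the XOR of two plaintexts.
SHARED_KEY = hashlib.sha256(b"constructed secret shared by Alice and Bob").digest()
NONCE = b"\x00" * 16
PLAINTEXT = b"Dear Bob: How about coming over to my place at 1:30? Love, Alice"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes; block i is HMAC-SHA256(key, nonce || i).

    Both ends can regenerate exactly the same stream from (key, nonce), which is the
    synchronisation a stream cipher needs.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; encryption and decryption are the same operation."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def demo() -> dict:
    ciphertext = xor_stream(SHARED_KEY, NONCE, PLAINTEXT)          # Alice encrypts
    recovered = xor_stream(SHARED_KEY, NONCE, ciphertext)          # Bob decrypts, same key
    out_of_sync = xor_stream(SHARED_KEY, b"\x01" * 16, ciphertext)  # Bob with the wrong nonce
    wrong_key = xor_stream(b"not the shared key", NONCE, ciphertext)
    return {
        "ciphertext": ciphertext,
        "recovered": recovered,
        "out_of_sync": out_of_sync,
        "wrong_key": wrong_key,
    }


if __name__ == "__main__":
    result = demo()
    print(result["ciphertext"].hex())
    print(result["recovered"].decode())
    print(result["out_of_sync"] == PLAINTEXT, result["wrong_key"] == PLAINTEXT)  # False False
    print(os.urandom(16).hex(), "<- what a real per-message nonce looks like")
```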
13. Symmetric cipher downfalls
• Key management
• Does not provide non-repudiation or digital signature facilities
14. Asymmetric Key Cryptography
• Two mathematically related keys
– Unable to derive one from the other
– Encrypt with one – decrypt with other
• Public Key Cryptography
– One (public) key published for all to see
– Other (private) key kept secret
• Algorithms
– RSA - Integer Factorization (large primes)
– Diffie-Hellman - Discrete Logarithms
– ECES - Elliptic Curve Discrete Logarithm
15. Asymmetric Encryption Example
[Diagram: Mohan encrypts the message “Dear Carol: I think Alice is having an affair with Bob. I need to see you right always. Love, Ted” with Jagmohan's public key, producing ciphertext (shown as a bit string); Jagmohan decrypts the ciphertext with Jagmohan's private key to recover the message.]
16. Asymmetric Advantages
• No shared secret key
• Public key is public
– Can be freely distributed or published
– Key management is much easier
• Private key known ONLY to owner
– Less vulnerable, easier to keep secret
• Supports Non-repudiation
– Sender cannot deny sending the message
18. Non-repudiation
• Since only the sender knows their private
key, only the sender could have sent the
message.
• Authentication mechanism
• Basis for Digital Signature
19. Hash Function
• Hash functions are like CRC functions but are stronger than a CRC (mathematically)
• Hashes provide an integrity check
• Hash functions generate a fingerprint for given data; a small change to the data results in a completely different fingerprint (not guessable)
• When a hash function generates the same fingerprint for different data, this is known as a collision; finding one is the goal of a birthday attack
• Hash functions are one-way functions
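The fingerprint properties listed above, shown with SHA-256 as an added example that is not part of the original deck: the output has a fixed length whatever the input size, flipping a single input bit changes roughly half of the output bits, an integrity check is a constant-time comparison of fingerprints, and the birthday bound gives the number of inputs after which a collision becomes likely. The sample inputs are constructed.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of the data, as 64 hex characters (256 bits) regardless of input size."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_fingerprint: str) -> bool:
    """Integrity check: recompute the fingerprint and compare it in constant time."""
    return hmac.compare_digest(fingerprint(data), expected_fingerprint)


def flip_one_bit(data: bytes) -> bytes:
    """Constructed 'small change': flip the lowest bit of the first byte."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 256 output bits differ between two fingerprints (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def birthday_bound(output_bits: int) -> float:
    """Roughly how many random inputs are needed before a collision is likely: about 2^(n/2).

    For a 256-bit hash that is 2^128 inputs, which is why collisions are not found by chance;
    the deck's 'birthday attack' refers to searching up to this bound.
    """
    return 2 ** (output_bits / 2)


if __name__ == "__main__":
    original = b"Dear Bob: How about coming over to my place at 1:30? Love, Alice"
    tampered = b"Dear Bob: How about coming over to my place at 1:35? Love, Alice"
    fp = fingerprint(original)
    print(fp, len(fp))
    print("tampered passes integrity check:", verify_integrity(tampered, fp))  # False
    print("bits changed by a one-bit flip:",
          differing_bits(fp, fingerprint(flip_one_bit(original))))  # around 128 of 256
    print("birthday bound for SHA-256: 2^%d" % 128, birthday_bound(256) == 2 ** 128)
```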
21. Digital Signature
• Combines one-way secure hash functions
with public key cryptography
– Hash function generates fixed length value
– No two documents produce the same hash
value
– Secure Hash Algorithm 1 (SHA-1)
• Characteristics
– Data Integrity - hash value
– Non-repudiation – encrypted with private
key
– Does NOT provide confidentiality
22. Digital Signature Creation
[Diagram: Sue runs the letter “Dear Mr. Ted: We have asked the Court to issue a restraining order against you to stay away from Carol. Sincerely, Sue Yew, Dewey, Cheatam & Howe, Law Firm” through a hash function to obtain the hash value 0F47CEFF AE0317DB AA567C29, then encrypts that hash value with Sue's private key to produce the digital signature (shown as a bit string).]
23. Digital Signature Validation
[Diagram: the recipient decrypts the digital signature with Sue's public key, recovering the hash value 0F47CEFF AE0317DB AA567C29, and independently hashes the received letter. Signature is valid if the two hashes match.]
24. Source of Public Key
• Can be on a server (common server)
• With PGP - embedded into mail
25. But
• How do you know for sure who is the
owner of a public key?
26. Public Key Infrastructure
• Public Key Infrastructure (PKI) provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. (NIST)
27. Public Key Certificates
• Digital Certificates
– Binds a public key to its owner
– Issued and digitally signed by a trusted third party
– Like an electronic photo ID
• Follows the X.509 v3 standard – RFC 2459
28. X509 V3 Basic Fields
• Owner's X.500 distinguished name (DN)
– C=US;O=GOV;O=NIH;OU=CIT;CN=Mark Silverman
• Owner's public key
• Validity period
• Issuer's X.500 distinguished name
30. Certification Authority (CA)
• TRUSTED third party
• Issues Certificates
– Creates and signs them
– Publishes current certificates
• Issues Certificate Revocation Lists (CRLs)
– List of invalid (revoked) certificates
– Online Certificate Status Protocol (OCSP)
• Maintains archives of status information
• May retain copy of data encryption private
key, for purposes of key recovery
– government requirement
31. Registration Authority (RA)
• Verifies certificate contents for the CA
– Identity proofing
– RA's public key known to CA
• A CA may have multiple RAs
32. Certificate Policy (CP)
• A high level document that describes the
security policy for issuing certificates and
maintaining certificate status information.
• Describes operation of the CA.
• Defines users' responsibilities for requesting, using and handling certificates and keys.
33. Certification Practice Statements (CPS)
• A highly detailed document that describes
how a CA implements a specific CP.
• Specifies the mechanisms and procedures
that are used to achieve the security policy.
• Effectively the CA's operations manual.
34. Conclusion
• Enabling technology for E-Gov
– Data Confidentiality
– Data Integrity
– Non-repudiation
• Technology is complicated
– But not unmanageable
• Difficulty is in establishing trust
– 20% technology – 80% policy