1. Secure Communications with Cryptography
• Secure Communications
• Encryption
• Public & Private Keys
• Public Key Infrastructure (PKI)
Concepts
• You want to send a message to a business partner
• But you don’t want anyone else to read the message
• You are sending the message over email, which could be intercepted by anyone
The Scenario
2. Secure Communications with Cryptography
Not a New Problem
Hey Cleo, want to get lunch today?
Khb Fohr, zdqw wr jhw oxqfk wrgdb?
This is known as Symmetric Encryption
The Caesar Cipher
Key = 3
3. Secure Communications with Cryptography
Encryption & Cryptography
Encryption is the process of transforming information in such a way that an unauthorized third party cannot read it; a trusted person can decrypt data and access it in its original form.
Cryptography is the science of hiding information in plain sight
What’s the difference between these two terms?
4. Secure Communications with Cryptography
Encryption Basics
Double, double toil and trouble;
Fire burn, and caldron bubble.
Scale of dragon; tooth of wolf;
Witches' mummy; maw and gulf
Of the ravin'd salt-sea shark;
Root of hemlock digg'd i the dark;
Plaintext
Ciphertext
Encryption Algorithm
A very large number generated by factoring large prime numbers.
The longer, the better. It is estimated that it would take 10,000,000,000,000 years to try all of the possible 128-bit keys used in the original PGP.
As computers get more powerful, this estimate goes down – but it’s still Pretty Good
5. Secure Communications with Cryptography
Pretty Good Privacy (PGP)
• Created by Phil Zimmermann in 1991
• Investigated by US government for “exporting munitions without a license”, since encryption products stronger than 40 bits were considered a munition
• Uses a set of “keys” which are mathematically linked
Public Key is known to everyone and used to encrypt the message
Private Key is known only by you and used to decrypt the message
This is known as Asymmetric Encryption
What’s the difference between Symmetric and Asymmetric?
6. Secure Communications with Cryptography
Public Internet
Bob writes an email and sends it to Alice
Eve intercepts the email and changes its contents, then forwards it on to Alice
Alice receives the fake email, believing it to be from Bob
The Problem
7. Secure Communications with Cryptography
Sending Secure Email: Generating a Key Pair
Alice uses a special program to generate her key pair
She supplies a secret “passphrase” known only to her – the longer the better!
“The square of the hypotenuse is equal to the sum of the squares of the other two sides”
Alice sends her PUBLIC KEY to Bob.
It doesn’t matter if Eve intercepts – it’s public!
Note that you have to generate and publish a Public Key before someone can send you a message
8. Secure Communications with Cryptography
What does a Public Key Look Like?
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v0.9.0
[key data omitted]
=8lKW
-----END PGP PUBLIC KEY BLOCK-----
9. Secure Communications with Cryptography
Public Internet
Bob writes an email, then encrypts it with Alice’s Public key, and sends it to Alice
The Solution
Eve intercepts the email but she can’t read or change it!
Alice receives Bob’s email, and decrypts it with her Private key & passphrase
10. Secure Communications with Cryptography
Any Problems With This Scenario?
• Since the key is public, Eve could send a fake email claiming to be from Bob
• Need to first get a copy of Alice’s public key before I can send her a message
• If you forget your passphrase you can never retrieve it!!!!!
Solutions:
• Use private key to “sign” a message – proves it can only have come from the sender; anyone can use your public key to verify
• PKI (Public Key Infrastructure) – a trusted party holds public keys
• Use trusted Digital Certificates from a Certification Authority (CA)
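The signing fix from the Solutions list, as an added example that is not part of the original slides: Bob signs with his private key and Alice verifies with his public key, so Eve's altered copy is rejected. The function names and the small fixed primes are assumptions made for this toy; real keys use large random primes and a padded signature scheme.

```python
import hashlib

# Toy parameters (constructed for this example): two known Mersenne primes.
# Real keys use large random primes and a padding scheme such as RSA-PSS;
# textbook RSA like this must never protect real data.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_keypair():
    """Return (public, private) toy RSA keys as (exponent, modulus) pairs."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of E modulo phi
    return (E, n), (d, n)


def digest(message: str, n: int) -> int:
    """Hash the message and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n


def sign(message: str, private_key) -> int:
    """Bob: raise the message digest to his private exponent."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: str, signature: int, public_key) -> bool:
    """Alice: undo the signature with Bob's public key and compare digests."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    bob_public, bob_private = generate_keypair()
    original = "Hey Alice, want to get lunch today?"
    sig = sign(original, bob_private)
    tampered = "Hey Alice, wire the money today."  # Eve's altered copy
    print("original verifies:", verify(original, sig, bob_public))
    print("tampered verifies:", verify(tampered, sig, bob_public))
```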