2. Public key cryptography
RSA public key crypto
Digital signature
Hash functions
Public key distribution
Real world protocols
Basic terminologies
Email security certificates
Transport Layer Security (TLS)
IP security
DNS security
3. Public-key cryptography, or asymmetric
cryptography, is a cryptographic system that uses
pairs of keys: public keys, which may be disseminated
widely, and private keys, which are known only to the
owner.
The generation of such keys depends
on cryptographic algorithms based
on mathematical problems to produce one-way
functions.
Effective security only requires keeping the private
key private;
the public key can be openly distributed without
compromising security.
4. In such a system, any person can encrypt a message using the
receiver's public key, but that encrypted message can only be decrypted
with the receiver's private key.
This allows, for instance, a server to generate a cryptographic key
intended for symmetric-key cryptography, then use the client's openly
shared public key to encrypt that newly generated symmetric key.
Now the server can send this encrypted symmetric key over insecure
channels to the client, and only the client can decrypt it, using the
private key that pairs with the public key the server used to encrypt
the message.
With the client and server both having the same symmetric key now,
they can safely transition to symmetric key encryption to securely
communicate back and forth on otherwise-insecure channels.
This has the advantage of not having to manually pre-share symmetric
keys, while also gaining the higher data throughput advantage
of symmetric-key cryptography over asymmetric key cryptography.
5. With public-key cryptography,
robust authentication is also possible.
A sender can combine a message with a private
key to create a short digital signature on the
message.
Anyone with the sender's corresponding public
key can combine the same message and the
supposed digital signature associated with it to
verify whether the signature was valid, i.e. made
by the owner of the corresponding private key.
8. RSA (Rivest–Shamir–Adleman) is a public-key
cryptosystem that is widely used for secure data
transmission.
It is also one of the oldest. The
acronym RSA comes from the surnames of Ron
Rivest, Adi Shamir, and Leonard Adleman, who
publicly described the algorithm in 1977.
An equivalent system was developed secretly, in
1973 at GCHQ (the British signals
intelligence agency), by the English
mathematician Clifford Cocks. That system
was declassified in 1997.
9. In a public-key cryptosystem, the encryption
key is public and distinct from the decryption
key, which is kept secret (private).
An RSA user creates and publishes a public
key based on two large prime numbers, along
with an auxiliary value.
The prime numbers are kept secret.
Messages can be encrypted by anyone, via
the public key, but can only be decoded by
someone who knows the prime numbers.
10. The security of RSA relies on the practical difficulty
of factoring the product of two large prime numbers, the
"factoring problem".
Breaking RSA encryption is known as the RSA problem.
Whether it is as difficult as the factoring problem is an
open question.
There are no published methods to defeat the system if a
large enough key is used.
RSA is a relatively slow algorithm. Because of this, it is not
commonly used to directly encrypt user data.
More often, RSA is used to transmit shared keys
for symmetric key cryptography, which are then used for
bulk encryption-decryption.
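As an added example (not code from the original slides), the following Python puts slides 4, 5 and 8 to 10 into practice: a textbook RSA key pair derived from two secret primes, encryption with the public key, signing a SHA-256 digest with the private key, and wrapping a symmetric session key for transport over an insecure channel. The primes, messages and session key are constructed toy values, and padding is deliberately omitted.

```python
import hashlib
from math import gcd

# Textbook RSA with constructed toy primes, added for illustration only; real use needs 2048-bit+ moduli and OAEP/PSS padding.

def rsa_keygen(p, q, e=65537):
    """Derive a key pair from two primes; (n, e) is published, p, q, d stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    """Anyone holding the public key can encrypt an integer 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv  # only the holder of d (derived from the secret primes) gets here
    return pow(c, d, n)

def _digest_mod_n(message, n):
    # Hash first so the signature covers a message of arbitrary length;
    # the reduction mod n is only needed because this n is toy-sized.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(priv, message):
    n, d = priv
    return pow(_digest_mod_n(message, n), d, n)

def rsa_verify(pub, message, sig):
    """True only if sig was produced with the private key matching pub."""
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(message, n)

def wrap_symmetric_key(pub, sym_key):
    """Encrypt a fresh symmetric key under the recipient's public key so it
    can cross an insecure channel (the hybrid pattern from slide 4)."""
    return rsa_encrypt(pub, int.from_bytes(sym_key, "big"))

def unwrap_symmetric_key(priv, wrapped, key_len):
    return rsa_decrypt(priv, wrapped).to_bytes(key_len, "big")

if __name__ == "__main__":
    # Mersenne primes 2^31-1 and 2^61-1 give a ~92-bit n: far too small to be
    # secure, but enough to carry a constructed 64-bit session key.
    pub, priv = rsa_keygen(2**31 - 1, 2**61 - 1)
    key = bytes(range(8))
    print(unwrap_symmetric_key(priv, wrap_symmetric_key(pub, key), 8) == key)
    sig = rsa_sign(priv, b"constructed message")
    print(rsa_verify(pub, b"constructed message", sig), rsa_verify(pub, b"x", sig))
```

The `ValueError` in `rsa_encrypt` is the reason the wrapped session key must be shorter than n: a real 128-bit key needs a real-sized modulus.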
11. A digital signature is a mathematical scheme
used to verify the authenticity and integrity of
a message, piece of software or digital document.
A valid digital signature, where
the prerequisites are satisfied, gives a recipient
very strong reason to believe that the message
was created by a known sender (authentication),
and that the message was not altered in transit
(integrity).
13. A hash function is any function that can be used
to map data of arbitrary size to fixed-size values.
The values returned by a hash function are
called hash values, hash codes, digests, or
simply hashes.
Hash functions are extremely useful and appear
in almost all information security applications.
A hash function is a mathematical function that
converts a numerical input value into another
compressed numerical value.
The input to the hash function is of arbitrary
length, but the output is always of fixed length.
15. A public key can be distributed in four ways:
Public announcement,
Publicly available directory,
Public-key authority, and
Public-key certificates.
These are explained below.
Public Announcement:
Here the public key is broadcast to everyone.
The major weakness of this method is forgery.
Anyone can create a key claiming to be someone else and
broadcast it.
Until the forgery is discovered, the forger can masquerade as the claimed user.
17. Publicly Available Directory:
In this type, the public key is stored in a public
directory.
The directory is trusted here: participants register
with it, can access it and modify their own entries at
any time, and it contains entries of the form
{name, public-key}.
Directories can be accessed electronically but are still
vulnerable to forgery or tampering.
18. Public Key Authority:
It is similar to the directory, but improves security
by tightening control over the distribution of keys
from the directory.
It requires users to know the public key of the
authority.
Whenever keys are needed, the user makes a real-time
request to the authority to obtain the desired public
key securely.
19. Public Certification:
Here the authority provides a certificate (which binds
an identity to a public key) to allow key exchange
without real-time access to the public-key authority each
time.
The certificate is accompanied by other information
such as its period of validity, rights of use, etc.
All of this content is signed by the trusted Public-Key
or Certificate Authority (CA) and can be verified by
anyone possessing the authority's public key.
20. The typical cryptographic protocols include the Secure Socket
Layer Protocol (SSL) and its variant, Transport Layer Security Protocol (TLS), the
Internet Key Exchange Protocol (IKE) and the Kerberos Authentication Protocol.
A security protocol (cryptographic protocol or encryption protocol) is an
abstract or concrete protocol that performs a security-related function and
applies cryptographic methods, often as sequences of cryptographic primitives.
A protocol describes how the algorithms should be used.
A sufficiently detailed protocol includes details about data structures and
representations, at which point it can be used to implement multiple,
interoperable versions of a program.
For example, Transport Layer Security (TLS) is a cryptographic protocol that is
used to secure web (HTTPS) connections.
It has an entity authentication mechanism, based on the X.509 system; a key
setup phase, where a symmetric encryption key is formed by employing public-
key cryptography; and an application-level data transport function.
These three aspects have important interconnections.
Standard TLS does not have non-repudiation support.
21. Asymmetric Algorithm
An algorithm in which the key used for encryption is different from that
used for decryption. Also known as public key cryptography.
Block Cipher
An algorithm that encrypts data in blocks, commonly of 64 bits each.
CAST
A 64-bit block cipher, developed in Canada by Carlisle Adams and
Stafford Tavares.
Cipher
A cryptographic algorithm, i.e. a mathematical function used for
encryption and decryption.
Clipper
Originally the name for a tamper-resistant encryption chip designed by
the U.S. National Security Agency for voice encryption. The chip has
built-in key escrow features to facilitate wire-tapping. The term has
subsequently been applied to further attempts by the US government to
introduce key escrow provisions, the latest variation being the key
recovery plan of October 1996, dubbed Clipper 4.
22. DES
Digital Encryption Standard. A symmetric block cipher using a 56-bit key which was
originally developed by the US National Institute of Standards and Technology (NIST) in
1977 as a standard encryption algorithm. In 1999, the Electronic Frontier Foundation
(USA) developed a machine to demonstrate that DES could be broken in a few hours with a
brute-force attack. Encryption using single DES is generally no longer considered to be
secure. (See Triple DES)
Diffie-Hellman
A public-key algorithm, invented in 1976.
DH/DSS
A type of key used in PGP since version 5.0. Contains a Diffie-Hellman key of between 1024
and 4096 bits for encryption and a 1024-bit DSS key for digital signatures.
DSS
Digital Signature Standard. A proposed standard for digital signatures using Digital
Signature Algorithm.
Digital Signature
An encrypted message digest which is appended to a plaintext or encrypted message to
verify the identity of the sender. The signature is encrypted with the user's private key and
can only be decrypted with the corresponding public key. The same key pairs may be used
for signature and encryption purposes but separate key pairs for each purpose are usually
recommended.
23. IDEA
International Data Encryption Algorithm. It was introduced in 1992 as a potential alternative to
DES and is regarded as very secure. It is a block cipher using a symmetric algorithm based on a
128 bit key. IDEA is the data encryption algorithm used in PGP.
Key
A value that is used to encrypt or decrypt a message.
Key Escrow
A concept that originated with the Clipper Chip program, by which a secret or private key is split
and the two parts held by escrow agencies against the possibility that the key may be required for
law enforcement surveillance or national security purposes.
Key Recovery
A key escrow system which relies on a trusted party to recover a user's confidential keys for use
by law enforcement or national security agencies acting under "proper authority".The trusted
recovery party might in some cases be internal to the user's organization, but in all cases notice to
surveillance targets that their key information had been released would be prohibited. Key
recovery is central to the US government's new encryption policy announced in October 1996.
PGP
A complete public-key cryptosystem for electronic messaging that has been released to the
public domain. It was originally designed by Phil Zimmerman. It uses IDEA, CAST or Triple DES for
actual data encryption and RSA (with up to 2048-bit key) or DH/DSS (with 1024-bit signature key
and 4096-bit encryption key) for key management and digital signatures. The RSA or DH public
key is used to encrypt the IDEA secret key as part of the message.
24. PKAF
Public Key Authentication Framework. A system for authenticating digital signatures based on a
hierarchy of trusted signatures.
Private Key
The secret part of a private key/public key pair used in public key cryptography. The Private Key
is normally known only to the key owner. Messages are encrypted using the Public Key and
decrypted using the Private Key. For digital signatures, however, a document is signed with a
Private Key and authenticated with the corresponding Public Key.
Public Key Cryptography
A concept first proposed by Diffie and Hellman in 1975 that has been largely responsible for
opening up the science of cryptography for commercial use. The encryption key is made public
but only the person who holds the corresponding private key can decrypt the message.
RSA
The best known public key algorithm, named after its inventors: Rivest, Shamir and Adleman.
RSA uses public and private keys that are functions of a pair of large prime numbers. The
algorithm is best known for its application in PGP. It is patented in the USA only.
Steganography
A method of hiding a secret message in another message, e.g. within a graphic image.
Symmetric Algorithm
An encryption algorithm where the encryption key is the same as the decryption key, or where
one key is easily calculated from the other. The sender and receiver have to agree on a key before
they can communicate securely.
Triple DES
A method of vastly increasing the security of DES by encrypting 3 times with different keys.
25. An email certificate is a digital file that is installed in your
email application to enable secure email communication.
These certificates are known by many names — email
security certificates, email encryption certificates, S/MIME
certificates, etc. S/MIME, which stands for
“secure/multipurpose internet mail extension,” is a
certificate that allows users to digitally sign their email
communications as well as encrypt the content and
attachments included in them.
Not only does this authenticate the identity of the sender
to the recipient, but it also protects the integrity of the
email data before it is transmitted across the internet.
26. In a nutshell, an S/MIME email certificate allows you to:
Encrypt your emails so that only your intended recipient
can access the content of the message.
Digitally sign your emails so the recipient can verify that
the email was, in fact, sent by you and not a phisher
posing as you.
The way that an email encryption certificate works is by
using asymmetric encryption.
It uses a public key to encrypt the email and send it so that
the recipient, who has the matching private key, can
decrypt the entire message (and any attachments)
automatically.
Asymmetric encryption is also what’s behind the SSL/TLS
protocol as well as cryptocurrencies.
27. Transport Layer Security, and its now-
deprecated predecessor, Secure Sockets
Layer, are cryptographic protocols designed
to provide communications security over a
computer network.
Several versions of the protocols find
widespread use in applications such as web
browsing, email, instant messaging, and
voice over IP.
28. Transport Layer Security, or TLS, is a widely adopted
security protocol designed to facilitate privacy and data security
for communications over the Internet.
A primary use case of TLS is encrypting the communication
between web applications and servers, such as web browsers
loading a website.
TLS can also be used to encrypt other communications such as
email, messaging, and voice over IP (VoIP).
In this article we will focus on the role of TLS in web application
security.
TLS was proposed by the Internet Engineering Task Force (IETF),
an international standards organization, and the first version of
the protocol was published in 1999.
The most recent version is TLS 1.3, which was published in 2018.
29. In computing, Internet Protocol Security is a secure
network protocol suite that authenticates and
encrypts the packets of data to provide secure
encrypted communication between two computers
over an Internet Protocol network.
It is used in virtual private networks.
IP security (IPsec) is an Internet Engineering Task
Force (IETF) standard suite of protocols between two
communication points across an IP network that
provides data authentication, integrity, and
confidentiality.
It also defines the packet formats used for encryption,
decryption and authentication.
30. IPsec can be used to do the following things:
To encrypt application layer data.
To provide security for routers sending routing
data across the public internet.
To provide authentication without encryption,
for example to authenticate that the data originates
from a known sender.
To protect network data by setting up circuits
using IPsec tunneling, in which all data sent
between the two endpoints is encrypted, as
with a Virtual Private Network (VPN) connection.
31. DNSSEC stands for Domain Name
System Security Extensions, and it is a
technology used to protect information on
the Domain Name System (DNS) which is
used on IP networks.
It provides authentication for the origin of
the DNS data, helping to safeguard against
attacks and protect data integrity.
32. Like many Internet protocols, the DNS system was not
designed with security in mind and contains several design
limitations.
These limitations, combined with advances in technology,
have made it easy for attackers to hijack a DNS lookup for
malicious purposes, such as sending a user to a fraudulent
website that can distribute malware or collect personal
information.
DNS Security Extensions (DNSSEC) is a security protocol
created to mitigate this problem.
DNSSEC protects against attacks by digitally signing data
to help ensure its validity.
In order to ensure a secure lookup, the signing must
happen at every level in the DNS lookup process.
33. This signing process is similar to someone signing a
legal document with a pen; that person signs with a
unique signature that no one else can create, and a
court expert can look at that signature and verify that
the document was signed by that person.
These digital signatures ensure that data has not been
tampered with.
DNSSEC implements a hierarchical digital signing
policy across all layers of DNS.
For example, in the case of a ‘google.com’ lookup,
a root DNS server would sign a key for the .COM
nameserver, and the .COM nameserver would then
sign a key for google.com’s authoritative nameserver.
34. While improved security is always preferred, DNSSEC
is designed to be backwards-compatible to ensure
that traditional DNS lookups still resolve correctly,
albeit without the added security.
DNSSEC is meant to work with other security
measures like SSL/TLS as part of a holistic Internet
security strategy.
DNSSEC creates a parent-child chain of trust that
travels all the way up to the root zone.
If this chain of trust is compromised at any
layer of DNS, the request becomes open to
an on-path attack.