Encryption transforms plain text into cipher text using encryption algorithms and keys to provide confidentiality, integrity, and authenticity of messages. Modern encryption uses both symmetric encryption with private keys and asymmetric encryption with public/private key pairs. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) provide encrypted communication over the internet using technologies like digital certificates, the Diffie-Hellman key exchange, and algorithms like RSA and AES.

1. What is Encryption?

2. What is Encryption ?
 Encryption (enciphering) transforms original information
(plaintext) into cipher text (cipher)
 The transformed information is called cryptogram
 The technique or rules used for encryption are called
encryption algorithm
 Encryption provides:
the Confidentiality (keep the information confidential)
the Integrity (keep the accuracy of the information)
the Authenticity (information comes from an authentic
source) of a message

3. Two Basic Types of Encryption
 Transposition Ciphers
rearrange the order of the bits or the characters
NUCLEAR → LUCNARE
 Substitution Ciphers
replace the actual bits or the characters with
substitutes (next letter in the alphabet)
NUCLEAR → OVDMFBS

4. A Bible Cipher
a substitution cipher
)

5. Julius Caesar Encryption
A substitution cipher
Susceptible to frequency analysis and brute force attacks

6. The Vigenère Cipher
 French diplomat of the 16th century who invented a substitution cipher using a keyword

Yet easy to crack using the frequency analysis technique

7. The Enigma Machine
A substitution cipher using a set of rotating wheels
Used in WW II by the Germans (U-Boote) and the Japanese
Code was cracked by the Allies in 1941
(Alan Turing & Polish mathematicians)
Poor assumption: letters in plain text should not be substituted for the same letter in cipher text

8. The Protagonists
 Alice (wants to talk securely with Bob)
 Bob (Alice’s friend)
 Eve (eavesdropping the conversation)
 Mallory (a malicious person)
Plain text: Bob → Alice “I love you”
Cipher text: Nkn → Mgsbc “S gktc wky”

9. In “Real” Life: Who Are Alice & Bob ?
 Web browser/server for electronic
transactions (credit cards etc.)
 On-line banking applications
 Routers exchanging tables updates
 Corporate VPN (virtual private network)
 E-mails B2B or B2U
 Wireless connections to the network

10. There are bad guys out there
 What can they (Eve and Mallory) do ?
Eavesdropping (intercept the message)
Spoof the message (faking source or content)
Hijack the communication (insert himself)
Denial of Service (overloading resources)

11. Sniffing (Packet Analyzing)
Sniffers can capture the packets across the
network and analyze their content

12. Spoofing
Receiver “A” can’t tell if source is spoofed

13. Modern Ciphers
Four cryptographic primitives:
1. Random number generation
used to generate keys
2. Symmetric encryption (private keys)
same secret key is used to encrypt and decrypt information
3. Asymmetric encryption (private/public keys)
two keys are used: a public key and a private key,
each user has both a public key (published) and a private key (secret),
public and private key are mathematically related:
encrypt with sender’s private key, decrypt with sender’s public key
encrypt with recipient’s public key, decrypt with recipient’s private key
4. Hash functions
takes a message of any size and computes a smaller fixed-size message
called a digest (used to store passwords and signatures)

14. Symmetric Key Algorithms
2 types of algorithms used
 Stream Cipher: plain text is processed as a
stream of data
 Block Cipher: plain text is processed through
blocks with additional measures to avoid
repeating blocks

15. Diffie-Hellman Shared Symmetric Key
 Before 1975, all encryption forced the sender and receiver to have the same key
 If a thousand users had to share secrets with each other, using a secret-key system,
they needed half a million shared-keys (1000 x 1000) / 2 = 500’000 keys
 Diffie-Hellman proposed in 1975 a way to exchange secret keys across an unsecured
communication channel
 How does it work ? First assume that everybody has a three-liter bucket of yellow paint
(the shared public encryption key)
 If Alice and Bob want to agree on a secret key, each of them adds one liter of their
secret color to their own bucket (Alice: pink, Bob: red)
 Finally, Alice takes Bob’s mixture and add her secret color and Bob takes Alice’s
mixture and adds his own secret color
 Alice ends up with yellow + pink + red and Bob with yellow + red + pink in his bucket
(the shared secret encryption key)
 We have confidentiality but not authentication (everybody has a yellow color bucket)

16. Asymmetric Keys (public & private)
 Encrypting with private key, decrypting with public key provides
authenticity without confidentiality (anyone can access the public key)
 Encrypting with public key, decrypting with private key provides
confidentiality without authenticity (anyone can access the public key)
 Solution: use a mixture of both (double encryption) for the digital signature
and the public key for the message (confidentiality)

17. Public Key Cryptography

18. RSA Algorithm For Key Generation
 Based on large prime numbers:
1. Choose two large prime numbers p, q
2. Compute n = pq and z = (p - 1)(q - 1)
3. Choose e (e < n) that has no common factors with z
(e and z are relatively prime)
4. Choose d such that ed – 1 is exactly divisible by z
i.e. ed (mod z) = 1
5. Public key KB
+
is (n,e) ; private key KB
-
is (n,d)
6. Encrypt m with c = me
(mod n)
7. Decrypt c as m = cd
(mod n)
 This works because:
m = [me
(mod n)]d
(mod n)

19. Example of RSA Key Generation
 Bob chooses p = 5 and q = 7
1. then n = 5 * 7 = 35 and z = (5-1)*(7-1) = 24
2. e = 5 (relatively prime to z)
3. d = 29 (ed-1 = 144 exactly divisible by z)
4. encrypt the letter l (m = 12):
me
= 125
= 248’832
c = me
(mod n) = 248’832 (mod 35) = 17
5. decrypt (c =17):
m = cd
(mod n)=1729
(mod 35) = 4.819686 *1035
(mod 35) = 12

20. Receiver’s public key
Sender’s public key
`
`
Sender’s private key
Receiver’s private key
InternetSender
Alice
Receiver
Bob
Get the
receiver’s
public
key
Getthesender’spublickey
Encrypt the entire message using the receiver’s public key
Encrypt the signature with the sender’s private key and the receiver’s public key
Signature is double encrypted to ensure confidentiality & authentication

21. Some Useful Acronyms
 DES: Data Encryption Standard (60’s – 70’s), improved with triple DES (IBM 1978)
 Diffie & Hellman: algorithm for key exchange (1976)
 Kerberos: authentication mechanism using authentication and ticket granting server
 RSA: Rivest, Shamir & Adleman algorithm, using large prime numbers for the generation
of the keys (1982)
 X509: International Standard for Certificates (1988)
 FIPS140-2: Federal Information Processing Standard (2001)
 AES-256: Advanced Encryption Standard (2002), a sophisticated block cipher algorithm
 PKI: Public Key Infrastructure
 TLS: Transport Layer Security, used for secure Web connections
 IPsec: Protocol suite based on IP and encryption standards for use in VPN
 IBE: Identity Based Encryption, a simplified method for B2U E-mail encryption
 S/MIME: (Secure Multipurpose Internet Mail extensions), for B2B E-mail encryption
 PGP: (Pretty Good Privacy), for B2B and B2U E-mail encryption

22. Some Israeli Cryptographers
 Prof. Adi Shamir (Weizmann Institute)
 Prof. Dan Boneh (Stanford University)

23. SSL (Secure Sockets Layer) & TLS (Transport Layer Security)
 TLS provides connection security
ensuring that the connection is both
encrypted and authenticated
 Counterparty’s identity is authenticated
using asymmetric keys
 Exchange of the secret symmetric session
key is secure
 No attacker can modify the negotiated
communication without being detected

24. The SSL Handshake

25. Certificate Authority (CA)
 Repository of public keys used for encrypted
connections

26. Certificate Sample

27. E-Learning uses TLS

28. Aventail uses TLS (access the VPN)

29. Yet another way to access the VPN:
Two-Factor Authentication (PIN + Token)

30. VPN uses IPsec, TLS and RSA

31. E-mail & Web Security Appliance
 Enables to send encrypted E-mails to
a particular destination using TLS

32. ePO server - agent communication uses digital signature
(self-signed certificates)
ePO Agent
HostComp
Anti-Virus
Anti-Spyware
DesktopFW
HostIPS
NAC
HostDLP
Remediation
ePO
Management
Console
Network
VM
Secure
Gateway
Network IPS
Data Loss
Prevention
Total Protection
…future
technologies
Compliance
Reporting
Host
Compliance
Remediation

33. Endpoint Device Encryption
 Device encryption for PC/Laptop
 Device encryption for PDA’s
 Device encryption for Tablet PC
Uses FIPS 140 certified AES-256 algorithm

34. Encrypted USB Manager
 Uses FIPS140-2 certified AES-256 encryption

35. Wireless 802.11b (Wi-Fi)
 Uses radio frequencies (2.4 GHz)
 Transmission speed 5.5 Mbps (new 54 Mbps)
 WEP (Wired Equivalent Privacy) uses a
shared key between the mobile station
and the base, but has security loopholes
 IEEE 802.11i addresses the WEP
weaknesses, uses AES and block cipher
to encrypt the wireless communication

36. IronMail from Secure Computing
Policy-Based Protection for Outbound Messages
 Business-to-Business (B2B) Encryption
– SSL/TLS: Secure Sockets Layer
– S/MIME: Secure Multipurpose Internet Mail Extensions
– OpenPGP: Pretty Good Privacy for businesses
 Business-to-Users (B2U) Encryption
– Secure Mail Encryption / Push : attachment with password
– Secure Mail Encryption / Pull : mail is in a secure Web site
– Voltage IBE Server: Identity Based Encryption
– PGP Universal: Pretty Good Privacy for private users

37. IronMail Compliance Server

38. World War III via Encrypted E-mail