cryptography - guceee.guc.edu.eg/courses/communications/comm1003... · cryptography – the idea of...

Cryptography

Spring 2017

Dr. Fatma

Newagy

Cryptography General Concepts

Spring 2016 - COMM 1003 3

General Idea

Cryptography –

the idea of storing and

transmitting data in a form that only the

authorized parties can interpret.


What services cryptosystems provide

Cryptosystems provide the following services

• Confidentiality - secret

• Integrity – ensure things do not change

• Authentication – message comes from who you say it does

• Authorization – upon authentication, a user can be provided with a password to access a resource

• Non repudiation – ensure that no one can deny someone sent a message.


Definitions and Concepts

• Cryptography - a method of storing and transmitting data in a form only intended for authorized parties to read or process.

• Cryptanalysis - science of studying, breaking, and reverse engineering algorithms and keys.

• Cryptology - the study of secret codes or ciphers and the devices used to create and decipher them

(includes both terms above)


Cryptography Definitions

• Cryptosystem – A system or product that provides encryption and decryption

• Encryption – the method of transforming data (plaintext) into an unreadable format.

• Plaintext – the format (usually readable) of data before being encrypted

• Cipher text – the “Scrambled” format of data after being encrypted.


Cryptography Definitions – cont.

• Decryption – the method of turning cipher text back into plaintext.

• Encryption algorithm – a set or rules or procedures that dictates how to encrypt and decrypt data.

• Key – (crypto variable) a values used in the encryption process to encrypt and decrypt.


Cryptosystem Definitions

• Key space – the range of possible values used to construct keys

• Key Clustering – Instance when two different keys generate the same cipher text from the same plaintext

• Work factor – estimated time and resources to break a cryptosystem


Basic Process

Spring 2017 - COMM 1003 10

Types of Encryption Ciphers

Substitution

– Replaces one letter with another

Transposition

-

Move letters around

Spring 2017 - COMM 1003 11

Kerckhoffs Principal • The only secrecy involved with a cryptosystem should

be the key.

• Key Protection is CRITICAL.

• Key management:

– Key lengths should be long enough to provide the necessary level of protection

– Keys should be stored and transported in a secure means

– Keys should be extremely random and use the full spectrum of the key space

– Keys lifetime should correspond with the sensitivity of the data to be protected

– The more the key is used the shorter it’s lifetime should be.

Spring 2017 - COMM 1003 12

Cryptography history

Historical encryption algorithms

– Caesar cipher –

just shift a few characters.

– Simple substitution cipher –

It is an improvement

to the Caesar Cipher. This scheme uses some

permutation of the letters in alphabet.

Spring 2017 - COMM 1003 13

Cryptography history -

cont.

– Vigenere Cipher –

This scheme of cipher uses a

text string (say, a word) as a key, which is then

used for doing a number of shifts on the plaintext.

• For example, let’s assume the key is ‘point’. Each alphabet of the key is converted to its respective numeric value: In this case,

• p - > 16 , o - >

15 , i - > 9 , n - >

14 , and t - > 20 .

• Thus, the key is: 16 15 9 14 20 .

Spring 2017 - COMM 1003 14

Cryptography history - cont.

• Transposition Cipher – the order of the alphabets

in the plaintext is rearranged to create the cipher text.

The actual plaintext alphabets are not replaced.

– ‘simple columnar transposition’ cipher where the plaintext is written

horizontally with a certain alphabet width. Then the cipher text is read

vertically as shown.

– For example, the plaintext is “golden statue is in eleventh cave” and

the secret random key chosen is “five”.

Spring 2017 - COMM 1003 15

Methods of Encryption

There are multiple “methods” of encryption

• Symmetric

• Asymmetric

• Hashes

Symmetric Encryption

Spring 2016 - COMM 1003 17

Symmetric Encryption

Idea same key is used to BOTH encrypt and decrypt data!

Spring 2016 - COMM 1003 18

Symmetric Pros

• Fast

• Hard to break if using a large key size

• Provides Confidentiality

Spring 2016 - COMM 1003 19

Symmetric Cons

• Keys must be shared

– This is difficult to really do.

– Requires secure mechanism to deliver keys

– Number of keys becomes needed becomes crazy

large as number of people involved increases

– Does Not provide Authenticity or Non - repudiation

Spring 2016 - COMM 1003 20

Types of Symmetric Ciphers

• Block –

break down message into fixed sized

blocks, equal to the size of the key.

• Stream –

do not break into blocks, instead

take one character of the message at a time.

Spring 2016 - COMM 1003 21

Block

• Encrypt each block with the key.

• For example, the schemes DES ( Data Encryption

Standard)

and AES ( Advanced Encryption Standard)

have block sizes of 64

and 128 , respectively.

Spring 2016 - COMM 1003 22

FEISTEL BLOCK CIPHER

• Feistel Cipher is

not a

specific

scheme of

block cipher .

It is

a

design model from

which many

different block

ciphers are

derived .

DES is

just one

example of

it . A

cryptographic system

based on

it

structure uses

the same

algorithm

for both

encryption and

decryption .

• The number

of rounds

used

depends on

desired security

from

the system .

More number

of rounds

provide more

secure system

but

slow processes .

Spring 2016 - COMM 1003 23

Block Cipher MODES OF OPERATION

• These are procedural rules for a generic block

cipher.

• Interestingly, the different modes result in

different properties being achieved which add

to the security of the underlying block cipher.

Spring 2016 - COMM 1003 24

Electronic Code Book (ECB) Mode

• This mode is a most straightforward way of

processing a series of sequentially listed

message blocks.

Spring 2016 - COMM 1003 25

Cipher Block Chaining (CBC) Mode

• CBC mode of operation provides message

dependence for generating cipher text and

makes the system non - deterministic.

Spring 2016 - COMM 1003 26

Cipher Feedback (CFB) Mode

• In this mode, each ciphertext block gets ‘fed

back’ into the encryption process in order to

encrypt the next plaintext block.

Spring 2016 - COMM 1003 27

Output Feedback (OFB) Mode

• It involves

feeding the

successive output

blocks from

the underlying

block

cipher back

to it .

These feedback

blocks provide

string of

bits to

feed the

encryption algorithm

which act

as the

key - stream generator

as in

case of

CFB mode .

• The key

stream generated

is XOR - ed

with the

plaintext blocks .

The OFB

mode requires

an IV

as the

initial random

n - bit input

block .

Spring 2016 - COMM 1003 28

Stream

• The

“key”

is

used

with

a

“key

stream

generator”

to

create

a

stream

of

bits .

• These

bits

are

XORed

with

the

plaintext

to

create

cipher

text .

Keystream

Generator

Plaintext XOR Cyphertext

Spring 2016 - COMM 1003 29

Stream Cipher considerations

• Stream ciphers

are

hard

work,

better

done

in

hardware .

• “key

stream

generator”

should

not

generate

repeating

patterns .

• “key

stream

generator”

should

not

product

predictable

output

• “key

stream

generator”

should

not

produce

a

key

stream

related to

the

key

• The number

of

0 ’s

and

1 s

in

the

key

stream

should

be

about

equal .

Asymmetric Encryption

Spring 2017 - COMM 1003 31


Rather than use the same key for encryption and decryption, you use a different key for encryption and decryption

• These keys are mathematically related to each other

These keys are called

– Public Key – given to everyone

– Private Key – stays secret

Spring 2017 - COMM 1003 32

Asymmetric Encryption -

Public Key Cryptography

Spring 2017 - COMM 1003 33


Private and Public keys can actually do the

reverse, you can use the private key to encrypt

plaintext then the resultant cipher text can

only be decrypted by the corresponding

“public key”

Spring 2017 - COMM 1003 34

Asymmetric Encryption (signing)

Spring 2017 - COMM 1003 35

Signing

This process of using a private key to encrypt

something that can only be decrypted with

your public key is call “signing” and is used for

authentication and non - repudiation

• If someone can read something you signed it

proves that your private key was used.

Spring 2017 - COMM 1003 36

One way function

An important concept in asymmetric encryption is a “One way function”

A one way function is an operation that is faster to complete in one direction than the other.

Example: if you drop a glass it breaks instantly to “undo” this would take much more time.

Asymmetric algorithms use this concept.

Spring 2017 - COMM 1003 37

One way functions

• With Asymmetric encryption, a message is encoded with a one way function. This function supplies a trapdoor (knowledge of how to undo the one way function faster). The private key can be used to retrieve this “trapdoor” and then use the trapdoor to put things back in order.

• Asymmetric algorithms use mathematical operations that are easier to do in one direction, than the other.

Spring 2017 - COMM 1003 38

Asymmetric Pros/Cons

Pros

• Key distribution is easy

• Scalable due to that

• Can provide authentication and non

repudiation

Cons

• Very mathematically intense

• Slow due to that

Spring 2017 - COMM 1003 39

Asymmetric RSA Cryptosystem

• This cryptosystem

is

one

the

initial

system .

It

remains

most

employed cryptosystem

even

today .

The

system

was

invented

by three

scholars

Ron

Rivest ,

Adi

Shamir ,

and

Len

Adleman

and hence,

it

is

termed

as

RSA

cryptosystem .

• We

will

see

two

aspects

of

the

RSA

cryptosystem,

firstly

generation

of

key

pair

and

secondly

encryption - decryption

algorithms .

Spring 2017 - COMM 1003 40

Generation of RSA Key Pair • Each person or a party who desires to participate in

communication using encryption needs to generate a pair of keys, namely public key and private key. The process followed in the generation of keys is described below:

Generate the RSA modulus (n)

- Select two large primes, p and q.

- Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically a minimum of 512 bits.

Find Derived Number (e)

- Number e must be greater than 1 and less than (p − 1)(q − 1).

- There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words two numbers e and (p – 1)(q – 1) are co-prime.

Spring 2017 - COMM 1003 41

Generation of RSA Key Pair –

cont.

Form the public key

- The pair of numbers (n, e) form the RSA public key and is made public.

- Interestingly, though n is part of the public key, difficulty in factorizing a large prime number

ensures that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of RSA.

Generate the private key

- Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.

- Number d is the inverse of e modulo (p − 1 )( q – 1 ) . This means that d is the number less than (p − 1 q − )( 1 ) such that when multiplied by e, it is equal to 1 modulo (p − 1 )( q − 1 ) .

- This relationship is written mathematically as follows:

ed = 1 mod (p − 1 )( q − 1 )

• The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.

Spring 2017 - COMM 1003 42

• An example

of

generating

RSA

Key

pair

is

given

below .

( For

ease of

understanding,

the

primes

p

&

q

taken

here

are

small

values . Practically,

these

values

are

very

high) .

Spring 2017 - COMM 1003 43

RAS -

Encryption and Decryption

• Once

the

key

pair

has

been

generated,

the

process

of

encryption and

decryption

are

relatively

straightforward

and

computationally easy .

• Interestingly, RSA

does

not

directly

operate

on

strings

of

bits

as

in

case

of

symmetric

key

encryption .

It

operates

on

numbers modulo

n .

Hence,

it

is

necessary

to

represent

the

plaintext as

a

series

of

numbers

less

than

n .

Spring 2017 - COMM 1003 44

Hashes


• Hash functions are extremely useful and appear in almost all information

security applications.

• A hash function is a mathematical function that converts a numerical input

value into another compressed numerical value. The input to the hash

function is of arbitrary length but output is always of fixed length.

• Values returned by a hash function are called message digest or simply

hash values.


Features of Hash Functions • Fixed Length Output (Hash Value) o Hash function coverts data of

arbitrary length to a fixed length. This process is often referred to as hashing

the data.

o In general, the hash is much smaller than the input data, hence hash

functions are sometimes called compression functions and digest.

• Efficiency of Operation

o Generally for any hash function h with input x, computation of h(x) is a

fast operation. They are much faster than a symmetric encryption.


Properties of Hash Functions

• Pre-Image Resistance o This property means that it should be

computationally hard to reverse a hash function. If a hash function h

produced a hash value z, then it should be a difficult process to find any input

value x that hashes to z.

o This property protects against an attacker who only has a hash value and

is trying to find the input.

Properties of Hash Functions – cont.

• Second Pre-Image Resistance o This property means given an input and

its hash, it should be hard to find a different input with the


same hash. If a hash function h for an input x produces hash value h(x), then it

should be difficult to find any other input value y such that h(y) = h(x).

o This property of hash function protects against an attacker who has an

input value and its hash, and wants to substitute different value in place

of original input value.

Properties of Hash Functions – cont.

• Collision Resistance

o This property means it should be hard to find two different inputs of any

length that result in the same hash. This property is also referred to as

collision free hash function. For a hash function h, it is hard to find any

two different inputs x and y such that h(x) = h(y).


o Since, hash function is compressing function with fixed hash length, it is

impossible for a hash function not to have collisions. This property of

collision free only confirms that these collisions should be hard to find.

o This property makes it very difficult for an attacker to find two input

values with the same hash. Also, if a hash function is collisionresistant

then it is second pre-image resistant.

Design of Hashing Algorithms


• Hashing algorithm involves rounds of above hash function like a block

cipher. Each round takes an input of a fixed size, typically a combination of

the most recent message block and the output of the last round.

Applications of Hash Functions

• Password Storage


Hash functions provide protection to

password storage.

– Instead of storing password in

clear, mostly all logon processes

store the hash values

of passwords in the file.

– The Password file consists of a

table of pairs which are in the

form (user id, h(P)).

• Data Integrity Check

Spring 2016 - COMM 1003 10

It is used to generate the checksums on data files. This application provides

assurance to the user about correctness of the data.

MESSAGE AUTHENTICATION

• Message Authentication Code MAC algorithm is a symmetric key

cryptographic technique to provide message

Spring 2016 - COMM 1003 11

authentication. For establishing MAC process, the sender and receiver share

a symmetric key

K.

• Essentially, a MAC is an encrypted checksum generated on the underlying

message that is sent along with a message to ensure message

authentication.

Spring 2016 - COMM 1003 12

Spring 2016 - COMM 1003 13

Digital Signatures

• Digital signatures are the public-key primitives of message authentication.

In the physical world, it is common to use handwritten signatures on

handwritten or typed messages. They are used to bind signatory to the

message.

• Similarly, a digital signature is a technique that binds a person/entity to the

digital data. This binding can be independently verified by receiver as well

as any third party.

• Digital signature is a cryptographic value that is calculated from the data and

a secret key known only by the signer.

Digital Signature

Spring 2016 - COMM 1003 14

Spring 2016 - COMM 1003 15

PKI Generic Idea

• Public Key Infrastructure (PKI) is a series of programs, data formats,

procedures, protocols, policies and public key (asymmetric) encryption. In

order to provide secure communications for an organization.

• Provides

– Authentication

– confidentiality

– No repudiation

– Integrity

Spring 2016 - COMM 1003 16

PKI • Key management refers to the secure administration of cryptographic keys. Key

management deals with entire key lifecycle as

Spring 2016 - COMM 1003 17

PKI components • Each person has a digital “certificate*” which has information about a person,

including a persons “public” key.

• The certificates are signed by a Certificate Authority*. By signing the

Certificate the Certificate authority “vouches” for this persons certificate.

• A registration authority (RA) – establishes and confirms the identification of

an individual. Once registered, the CA actually assignees, holds and

distributes the Certificates.

• Certificate Authority signs certificates, and also provides a “Certificate

Revocation List”.

Spring 2016 - COMM 1003 18

PKI steps

1. User makes a request to RA

2. RA requests certain info from the user (like drivers license, address etc)

3. RA verifies user is who he says he is, and sends a request to create a cert

to the CA.

4. CA creates a cert with users public key and identity information.

5. Now when someone requests users info, the CA sends the certificate

6. The requesting user can extract the public key and knows that the

information is valid as the CA also has signed the certificate.

Spring 2016 - COMM 1003 19

PKI pros/cons

• PKIs can provide the whole package of authentication, confidentiality,

integrity and non-repudiation.

• They are complex and hard to setup

Future of Cryptography

• Quantum computation is the new phenomenon. While modern computers

store data using a binary format called a "bit" in which a "1" or a "0" can be

stored; a quantum computer stores data using a quantum superposition of

multiple states. These multiple valued states are stored in

Spring 2016 - COMM 1003 20

"quantum bits" or “qubits". This allows the computation of numbers to be

several orders of magnitude faster than traditional processors.

• Consider RSA-640, a number with 193 digits, which can be factored by eighty

2.2GHz computers over the span of 5 months, one quantum computer

would factor in less than 17 seconds. Numbers that would typically take

billions of years to compute could only take hours or even minutes with a

fully developed quantum computer.

cryptography - guceee.guc.edu.eg/courses/communications/comm1003... · cryptography – the idea of...

Documents