Principles of Cryptography
• Techniques employed in protecting integrity or secrecy of
electronic messages by converting them into unreadable
(cipher text) form.
• Only the use of a secret key can convert the cipher text back
into human readable (clear text) form.
• Cryptography software and/or hardware devices use
mathematical formulas (algorithms) to change text from one
form to another.
• Two principles:
▫ Symmetric Key Cryptography (Secret Key)
▫ Asymmetric Key Cryptography (Public Key)
By Pavan Poudel
Mono Alphabetic
• Caesar Cipher
▫ Very old and simple symmetric key algorithm
▫ Take each letter in the plain text and replace it by the letter that is ‘k’
letters ahead.
E.g. for k=5 => ‘a’ is replaced by ‘f’, ‘x’ by ‘c’ and so on
▫ Very easy to break => only 25 possible key values
• Monoalphabetic cipher:
▫ Any letter can be substituted by any other, as long as each letter has a
unique substitute letter
• Key: C1C2C2
▫ Then text “abcde” would be transmitted as “fuvix”
RSA Algorithm
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors
with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z.
(in other words: ed mod z = 1 ).
5. Public key is (n,e), written KB+. Private key is (n,d), written KB-.
RSA Algorithm
• Given (n,e) and (n,d) as computed above:
m = (m^e mod n)^d mod n, where c = m^e mod n
Magic happens!
RSA Algorithm
• Encrypt Message “LOVE” using RSA Algorithm
▫ Let p=5, q=7 (Smaller numbers are selected for simplicity)
▫ Then n = pq = 5*7 = 35
▫ And z = (p-1)(q-1) = 4*6 = 24
▫ Selecting e = 5 (e < n and no common factor with z) and
d = 29 (such that : ed mod z = 1)
=> Public Key (n, e) = (35, 5)
=> Private Key (n, d) = (35, 29)
RSA Algorithm
Plain Text   m (numeric representation)   m^e       Cipher Message: c = m^e mod n
L            12                           248832    17 (Q)
O            15                           759375    15 (O)
V            22                           5153632   22 (V)
E            5                            3125      10 (J)
Encryption ( LOVE => QOVJ )

c        c^d     m = c^d mod n   Character
17 (Q)   17^29   12              L
15 (O)   15^29   15              O
22 (V)   22^29   22              V
10 (J)   10^29   5               E
Decryption ( QOVJ => LOVE )
RSA Algorithm
KB-(KB+(m)) = m = KB+(KB-(m))
Digital Signature
• Cryptographic technique analogous to hand-written
signatures.
• Sender (Bob) digitally signs document, establishing he is
document owner/creator.
• Verifiable: recipient (Alice) can prove to someone that Bob,
and no one else (including Alice), must have signed
document
Digital Signature
Bob signs m by encrypting with his private
key KB-, creating “signed” message, KB-(m)
Digital Signature
• Suppose Alice receives msg m, digital signature KB-(m)
• Alice verifies m signed by Bob by applying Bob’s public
key KB+ to KB-(m) then checks KB+(KB-(m)) = m.
• If KB+(KB-(m)) = m, whoever signed m must have used
Bob’s private key.
Alice thus verifies that:
▫ Bob signed m. (Authentication)
▫ No one else signed m.
▫ Bob signed m and not m’. (Message Integrity)
Non-repudiation:
▫ Alice can take m, and signature KB-(m) to court and prove
that Bob signed m.
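The RSA steps, the LOVE table and the signature check KB+(KB-(m)) = m from the slides above, as an added Python example (not part of the original slides; function names are illustrative). It also shows a property of this toy key: the smallest d satisfying ed mod z = 1 is 5, the same as e, and the slide's d = 29 is 5 + z.

```python
from math import gcd

def make_keys(p, q, e, d=None):
    """Steps 1-5 of the slide: returns (KB+, KB-) = ((n, e), (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, z) == 1):
        raise ValueError("e must be < n and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)              # smallest d with e*d mod z == 1
    if (e * d) % z != 1:
        raise ValueError("e*d mod z must be 1")
    return (n, e), (n, d)

def apply_key(key, value):
    """K(value) = value^exponent mod n, the same operation for either key."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0..n-1")
    return pow(value, exponent, n)

def letters_to_numbers(text):
    """A=1 ... Z=26, the numbering used in the LOVE table."""
    return [ord(ch) - ord("A") + 1 for ch in text]

def numbers_to_letters(numbers):
    return "".join(chr(v + ord("A") - 1) for v in numbers)

def sign(private, m):
    return apply_key(private, m)               # KB-(m)

def verify(public, m, signature):
    return apply_key(public, signature) == m   # is KB+(KB-(m)) == m ?

# The slide's keys: public (35, 5), private (35, 29)
PUBLIC, PRIVATE = make_keys(5, 7, e=5, d=29)

if __name__ == "__main__":
    plain = letters_to_numbers("LOVE")
    cipher = [apply_key(PUBLIC, m) for m in plain]
    print(cipher, numbers_to_letters(cipher))
    print([apply_key(PRIVATE, c) for c in cipher])
    sig = sign(PRIVATE, 12)
    print(verify(PUBLIC, 12, sig), verify(PUBLIC, 13, sig))
    # With z = 24 the smallest valid d equals e, so this toy key keeps nothing private.
    print(make_keys(5, 7, e=5)[1])
```

Encrypting one letter at a time without padding is deterministic, so the same letter always maps to the same ciphertext value, and here O and V map to themselves.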
Diffie-Hellman Algorithm
• A Key Exchange Algorithm
• Exponential key agreement
• Allows two users to exchange a secret key
• Requires no prior secrets
• Real-time over an un-trusted network
• Based on the difficulty of computing discrete logarithms of
large numbers.
• Used in SSL, SSH, IPSec, Cisco encrypting routers, Sun
secure RPC, etc.
• Alice and Bob want to share a secret key for use in a
symmetric cipher, but their only means of communication is
insecure.
Diffie-Hellman Algorithm
• First, users agree on a large prime p and a nonzero integer g.
• p and g are both publicly available numbers
▫ p is at least 512 bits
• Users pick private values a and b
• Compute public values
▫ x = g^a mod p
▫ y = g^b mod p
• Public values x and y are exchanged
• Compute shared, private key
▫ ka = y^a mod p
▫ kb = x^b mod p
• Algebraically it can be shown that ka = kb
• Users now have a symmetric secret key to encrypt
Diffie-Hellman Algorithm
• Alice and Bob get public numbers
▫ P = 23, G = 9
• Alice and Bob compute public values
▫ X = 9^4 mod 23 = 6561 mod 23 = 6
▫ Y = 9^3 mod 23 = 729 mod 23 = 16
• Alice and Bob exchange public numbers
• Alice and Bob compute symmetric keys
▫ ka = y^a mod p = 16^4 mod 23 = 9
▫ kb = x^b mod p = 6^3 mod 23 = 9
• Alice and Bob now can talk securely!
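The exchange above with the slide's numbers (P = 23, G = 9, a = 4, b = 3), as an added Python example that is not part of the original slides. The range check on the peer's public value and the exhaustive search are additions for illustration: the search shows that a 23-element modulus gives no protection, which is why p must be large.

```python
def public_value(g, private, p):
    """x = g^a mod p (or y = g^b mod p)."""
    return pow(g, private, p)

def check_peer_value(value, p):
    """Added check: accept only 2..p-2, since 0, 1 and p-1 force a predictable key."""
    if not 2 <= value <= p - 2:
        raise ValueError("peer public value outside 2..p-2")
    return value

def shared_key(peer_public, private, p):
    """ka = y^a mod p (or kb = x^b mod p), after validating the peer's value."""
    return pow(check_peer_value(peer_public, p), private, p)

def exchange(p, g, a, b):
    """Both sides of the exchange; returns (x, y, ka, kb)."""
    x, y = public_value(g, a, p), public_value(g, b, p)
    return x, y, shared_key(y, a, p), shared_key(x, b, p)

def exhaustive_log(g, target, p):
    """Smallest exponent k >= 1 with g^k mod p == target, found by trying each k.
    Needs up to p-1 multiplications, so it is only feasible when p is tiny."""
    value = 1
    for k in range(1, p):
        value = (value * g) % p
        if value == target:
            return k
    return None

if __name__ == "__main__":
    print(exchange(23, 9, a=4, b=3))      # public values and both computed keys
    print(exhaustive_log(9, 6, 23))       # private value recovered from X alone
```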
VPN
• VPNs allow employees to securely access their company's
intranet while traveling outside the office.
• Similarly, VPNs securely connect geographically disparate
offices of an organization, creating one cohesive network.
• VPN technology is also used by Internet users to connect to
proxy servers for the purpose of protecting personal identity
and location.
IP Security(IPSec)
• Internet Protocol Security (IPsec) is a protocol suite for
securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a
communication session.
• IPsec uses cryptographic security services to protect
communications over Internet Protocol (IP) networks.
• IPsec can be used in protecting data flows between a pair of
hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a
host (network-to-host).
• Two principal protocols
▫ Authentication Header (AH) protocol and
▫ Encapsulating Security Payload (ESP) protocol
IP Security(IPSec)
• When a source host sends secure datagrams to a destination
host, it does so with either the AH protocol or with the ESP
protocol.
• The AH protocol provides source authentication and data
integrity but does not provide secrecy.
• The ESP protocol provides data integrity and secrecy.
Providing more services, the ESP protocol is naturally more
complicated and requires more processing than the AH
protocol.
IPSec elements
IPSec contains the following elements:
• Encapsulating Security Payload (ESP): Provides
confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and
integrity.
• Internet Key Exchange (IKE): Provides key management and
Security Association (SA) management.
WEP
• WEP relies on a secret key which is shared between the
sender and the receiver.
▫ Sender: Mobile station (e.g. laptop with wireless Ethernet)
▫ Receiver: Access Point (e.g. base station)
• Secret Key is used to encrypt packets before they are
transmitted
• Integrity check is used to ensure packets are not modified in
transit.
• WEP encryption uses a stream cipher based on the Ron's
Code 4 (RC4) algorithm. RC4 was designed by Ronald
Rivest and kept secret until it leaked out and was posted to
the Internet in 1994.
• In WEP, RC4 generates a key stream that is XORed with the
plaintext to form the cipher text.
WEP
• WEP uses the RC4 encryption algorithm, a “stream
cipher”, to protect the confidentiality of its data
• RC4 is used with a 64 or 128-bit key
consisting of:
▫ A 24-bit Initialization Vector (IV)
▫ A 40 or 104-bit secret key
• The Secret Key is shared among the stations, and a new IV
is selected every time
• Initialization Vector (IV):
▫ Used to avoid encrypting two messages with the same key stream
▫ Used to produce a different RC4 key for each packet
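How the IV, the shared secret key, RC4 and the integrity check fit together, as an added Python example that is not part of the original slides. It is simplified: the frame is only the 3-byte IV followed by the encrypted data and CRC-32 check value, and the key, IVs and messages are constructed sample values. It shows why the IV matters: with the same IV and key the key stream repeats, so the XOR of two ciphertexts equals the XOR of the two plaintexts.

```python
import zlib

def rc4_keystream(key, length):
    s = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                     # key stream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, secret, plaintext):
    """IV in the clear, then (plaintext + CRC-32) XOR RC4(IV + secret)."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV is 24 bits; secret key is 40 or 104 bits")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def wep_decrypt(secret, frame):
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + secret, len(body)))
    data, check = clear[:-4], clear[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != check:
        raise ValueError("integrity check failed")
    return data

# Constructed sample values
SECRET = bytes([1, 2, 3, 4, 5])                 # 40-bit shared secret key
P1, P2 = b"first packet", b"other packet"       # equal-length messages

def ciphertext_xor(iv1, iv2):
    """XOR of the encrypted data of P1 (under iv1) and P2 (under iv2)."""
    c1, c2 = wep_encrypt(iv1, SECRET, P1), wep_encrypt(iv2, SECRET, P2)
    return xor(c1[3:], c2[3:])[:len(P1)]

if __name__ == "__main__":
    print(ciphertext_xor(b"\x00\x00\x01", b"\x00\x00\x01") == xor(P1, P2))  # IV repeated
    print(ciphertext_xor(b"\x00\x00\x01", b"\x00\x00\x02") == xor(P1, P2))  # new IV
```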
Firewall
• A firewall is a combination of hardware and software that
isolates an organization's internal network from the Internet at
large, allowing specific connections to pass and blocking
others.
• Organizations employ firewalls for one or more of the
following reasons:
▫ To prevent intruders from interfering with the daily
operation of the internal network
(e.g. denial of service attack, SYN FIN attack).
▫ To prevent intruders from deleting or modifying information
stored within the internal network.
▫ To prevent intruders from obtaining secret information.
Firewall Types
• Packet Filtering
• Application Level Gateway
Packet Filtering
• Works at the network layer.
• Internal network connected to Internet via router firewall.
• Router filters packet-by-packet and compares to a set of
criteria before it is forwarded.
• Filtering Based on
▫ Source/Destination IP address.
▫ TCP or UDP source and destination port.
▫ ICMP message type.
▫ Connection initialization datagrams using the TCP ACK bit
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
• Example 1: block incoming and outgoing datagrams with IP
protocol field = 17 and with either source or dest port = 23.
▫ All incoming and outgoing UDP flows and telnet
connections are blocked.
• Example 2: Block inbound TCP segments with ACK=0.
▫ Prevents external clients from making TCP connections
with internal clients, but allows internal clients to connect to
outside.
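The two filtering examples above as a stateless, first-match rule table, in an added Python example that is not part of the original slides. The packet fields are a constructed simplification, and Example 1 is implemented according to its stated result (all UDP flows and all telnet connections blocked).

```python
from dataclasses import dataclass

UDP, TCP = 17, 6       # IP protocol field values

@dataclass
class Packet:          # constructed, simplified header fields
    direction: str     # "in" or "out" relative to the internal network
    protocol: int
    src_port: int
    dst_port: int
    ack: bool = False  # TCP ACK bit

# Each rule is (name, predicate). The first matching rule drops the packet;
# a packet that matches no rule is forwarded.
RULES = [
    ("example1-udp",    lambda p: p.protocol == UDP),
    ("example1-telnet", lambda p: p.protocol == TCP
                                  and 23 in (p.src_port, p.dst_port)),
    ("example2-no-ack", lambda p: p.direction == "in"
                                  and p.protocol == TCP and not p.ack),
]

def filter_packet(packet):
    """Return ("drop", rule_name) for the first matching rule, else ("forward", None)."""
    for name, matches in RULES:
        if matches(packet):
            return "drop", name
    return "forward", None

if __name__ == "__main__":
    samples = [
        Packet("in", TCP, 40000, 80),             # external client opens a connection
        Packet("out", TCP, 40000, 443),           # internal client opens a connection
        Packet("in", TCP, 443, 40000, ack=True),  # reply to the internal client
        Packet("in", UDP, 53, 40000),             # any UDP datagram
        Packet("out", TCP, 40000, 23),            # outbound telnet
    ]
    for pkt in samples:
        print(pkt, filter_packet(pkt))
```

Example 2 looks only at the ACK bit of each segment and keeps no record of connections, so the reply is forwarded because ACK=1, not because the filter knows an internal client asked for it.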