Cryptography Concepts:

o Network traffic is protect, traversing on Internet through cryptographic methods.

o The term cryptography is a Greek word, which means "Secret Writing".
o “Kryptos,” means hidden or secret and “Graphein” means Writing.
o Cryptography involves the process of encryption and decryption.
o Cryptography is the study and practice of hiding data and information.
o Cryptography is the art and science of making data impossible to read.
o Cryptographic algorithms start with plaintext & scramble to unreadable ciphertext.
o Encryption algorithm specify how ciphertext can be decrypted back into plaintext.
o Cryptography is essential part of providing confidentiality, integrity, & authentication.
o Cryptography is a way to keep messages and other data secret.
o Caesar cipher encryption algorithm is one of the simplest encryption algorithms.
o In this, algorithm every alphabetical character in the plain text is replaced.

Cryptography Terminologies:
Below are some important terminologies to understand Cryptography.

Plaintext:
o The information in its original form or readable data also known as cleartext.
o Plaintext is a text, in natural readable form; it is the data before it is encrypted.
o In simple words, Plaintext or cleartext is the original message or data.

Ciphertext:
o An encrypted message is called cipher text, Ciphertext is encrypted text.
o Ciphertext is unreadable until it has been converted into plain text.
o Sometimes it has the same size as plaintext, or can be larger than plaintext.
o Cipher text is unreadable by anyone except the intended recipients only.
o Cipher text is the scrambled message or data produced as output.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Encryption:
o The process of changing the plaintext into ciphertext is called encryption.
o The process of converting plaintext into the ciphertext is called encryption.
o The encryption is the translation of data into a secret code.
o Encryption is two-way function; encrypted can be decrypted with proper key.
o Encryption is a two-way function that includes encryption and decryption.
o Encryption is the most effective way to achieve data security.
o The main idea of encryption is to protect data from an unauthorized person.
o Encryption needs an algorithm called a cipher and a secret key.

Decryption:
o The process of changing the ciphertext into the plaintext is called decryption.
o The process of converting cipher text back to the original plaintext is decryption.

Encryption Algorithm:
o Algorithm defines how data is transformed when plaintext data scrambled to ciphertext.
o Both data sender & the recipient must know the algorithm used for data transformation.
o Recipient should use same algorithm to decrypt ciphertext back into original plaintext data.

2 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Describe Hash:
o Cryptographic hash function is kind of algorithm that can be run on a piece of data.
o The produced value is called checksum, digest, message digest or hash value.
o It is string value, which is the result of calculation of a Hashing Algorithm.
o Hash is a number that is generated from the text through a hash algorithm.
o Hashing is one-way function that scrambles plaintext to produce unique message digest.
o There is no way to reverse the hashing process to reveal the original data or message.
o Hash Values have different uses main uses is to protects the integrity of your data.
o Protects data against potential alteration so that your data is not changed one bit.
o Sender send the data and digest; receiver takes data & runs its own hash to create digest.
o Receiver then compares digests, if the two digests are same, then data is not manipulated.
o Two methods commonly available MD5 (Message Digest) and SHA (Secure Hash Algorithm).

3 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

MD5 Hashing:
o Hashing is the technique to ensure the integrity.
o MD5, which stands for Message Digest algorithm 5.
o The Message Digest (MD5) is a cryptographic hashing algorithm.
o MD5 hash is typically expressed as a 32-digit hexadecimal number.
o MD5 or message digest algorithm will produce a 128-bit hash value.
o The input data can be of any size or length, but the output size is always fixed.
o MD5 algorithm generates a fixed size (32 Digit Hex) MD5 hash.
o The hash is unique for every file irrespective of its size and type.

SHA Hashing:
o SHA, stands for Secure Hash Algorithm, is cryptographic hashing algorithm.
o SHA used to determine the integrity of a particular piece of data.
o The Secure Hashing Algorithm comes in several flavors.
o SHA-1 and SHA-2 are two different versions of that algorithm.
o SHA1 produces a 160-bit (20-byte) hash value.
o SHA2 has option to vary digest between 224 bits to 512 bits.
o SHA224 produces a 224-bit (28-byte) hash value.
o SHA256 produces a 256-bit (32-byte) hash value.
o SHA384 produces a 384-bit (48-byte) hash value.
o SHA512 produces a 512-bit (64-byte) hash value.

For MD5 and SHA Hashing Demo, use HashCalc and WinMD5 free application.

4 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

HMAC:
o HMAC stand for Hash Message Authentication Code, Hash with plus secret key.
o HMAC use hash algorithm on data plus secret key that only sender & receiver know.
o Therefore, both parties with secret keys can calculate and verify their hash values.
o This prevents a man in the middle attacks by making it very difficult to modify data.
o This prevents a man in the middle attacks making it difficult and create a new hash.

5 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Symmetric and Asymmetric Encryption:
o There are two types of encryption keys symmetric and asymmetric encryption.
o Symmetric encryption uses a single key that needs to be shared among the people.
o Asymmetric encryption uses pair of public key & private key to encrypt and decrypt.
o Symmetric encryption is old technique while asymmetric encryption is relatively new.
o Asymmetric encryption takes relatively more time than the symmetric encryption.
o Symmetric key cryptography utilizes less resource as compared to Asymmetric key.
o Asymmetric key cryptography utilizes more resource as compared to symmetric key.
o An Asymmetric key encryption method is slower than symmetric key cryptography.
o A Symmetric key encryption method is faster than asymmetric key cryptography.

Symmetric Encryption:
o Symmetric encryption algorithms use the same key for encryption and decryption.
o Symmetric encryption means you use the same key to encrypt and decrypt the data.
o Symmetric key cryptography is called secret key cryptography or private key cryptography.
o Key must be exchanged so that both data sender & recipient can access plaintext data.
o Encryption that involves only one secret key to cipher and decipher information.
o The Symmetrical encryption is an old and best-known technique for encryption.
o It uses a secret key that can be either a number, a word or a string of random letters.
o DES, 3DES, AES, IDEA, RC2, RC4, RC5, RC6 & Blowfish are examples of symmetric encryption.
o The most widely used Symmetric Algorithm is AES-128, AES-192, and AES-256.
o The advantage of symmetric encryption is that it is extremely efficient and fast.

6 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Asymmetrical Encryption:
o Asymmetrical encryption is also known as public key cryptography.
o Asymmetric encryption uses two keys to encrypt a plain text.
o A public key is made freely available to anyone who might want to send message.
o The second private key is kept secret so that you can only know.
o A message that is encrypted using a public key can only be decrypted using a private key.
o A message encrypted using a private key can be decrypted using a public key.
o Example of Asymmetrical Algorithms are RSA, DH, DSA, ECC, etc.
o Symmetric encryption is an old technique while asymmetric encryption is relatively new.

7 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

For Symmetric and Asymmetric demo, use CrypTool 2.1 Wizard.

8 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

ECC (Elliptic Curve Cryptography):
o ECC stand for Elliptic Curve Cryptography, it is a new approach to cryptography.
o ECC is a way to encrypt data so that only specific people can decrypt it.
o ECC is a powerful approach to cryptography & alternative method from the RSA.
o It is an approach used for public key encryption by utilizing the mathematics.
o Behind Elliptic Curves (ECC) in order to generate security between key pairs.
o ECC provide the same level of security as RSA with a much smaller key size.
o Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm.
o ECDSA (Elliptic Curve Digital Signature Algorithm) ECDH (Elliptic-Curve Diffie–Hellman).
o Elliptic Curve Cryptography (ECC) replaces the DH key exchange with ECDH.
o The Key size is a major factor in the importance of Elliptic Curve Cryptography.
o Elliptic Curve Cryptography has been said to be the Next Generation of Cryptography.
o ECC is a public-key cryptography based on the algebraic structure of Elliptic Curves.
o Elliptic Curve Cryptography method is used in encryption and Digital Signatures etc.

RSA Key Length (bit) ECC Key Length (bit)

1024 160
2048 224
3072 256
7680 384
15360 521

9 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

SSL and TLS:
o SSL stands for Secure Socket Layer TLS Transport Layer Security.
o Both protocols provide security between web server & web browser.
o Both SSL and TLS are protocols, which serve the same purpose.
o However, there are minor differences between SSL and TLS.
o SSL offers two basic security services: Authentication and confidentiality.
o Provides secure connection between the web browser and the web server.
o Both SSL & TLS provide encryption and authentication of data in motion.
o Common applications of such protocols are web browsing, VOIP & electronic mail.
o SSL was developed by Netscape in 1994 with an intention to protect web transactions.
o Transport Layer Security (TLS) is IETF (Internet Engineering Task Force) standardization.
o Secure Socket Layer (SSL) and TLS both Protection of normal TCP/UDP connection.
o SSL/TLS can also be used for securing other protocols like FTP, SMTP and SNTP etc.
o TLS uses stronger encryption algorithms & has the ability to work on different ports.
o SSL works mainly through using public and private key encryption on data.
o The TLS has two layers of operations while it establishes the communication.
o First, one is Handshaking to authenticate server & second is actual message transfer.
o TLS Takes a little more time than the older SSL to establish connections and transfers.
o SSL, or Secure Sockets Layer, was the original encryption protocol developed for HTTP.
o SSL was replaced by TLS, some time ago; SSL handshakes are now called TLS handshake.
o SSL is the combination of Handshake, Change Cipher Spec, Alert and Record Protocols.

Protocol Published Status

SSL 1.0 Unpublished Unpublished only for their internal testing
SSL 2.0 1995 Deprecated in 2011
SSL 3.0 1996 Deprecated in 2015
TLS 1.0 1999 Deprecation planned in 2020
TLS 1.1 2006 Deprecation planned in 2020
TLS 1.2 2008
TLS 1.3 2018

10 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

11 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717
Internet Key Exchange (IKE) Protocol:
o IKE provides framework to exchange the security parameter between two IPSec peers.
o IKE provides a framework to exchange policies between two IPSec peers.
o IKE is a protocol used to set up an IPSec Security Associations (SAs) security attributes.
o Collection of parameters that the two devices will use is called Security Associations.
o It provides encryption key, encryption algorithm, and mode, between IPSec peers.
o IKE allows IPSec peers to dynamically exchange keys and negotiate IPSec SAs.
o Using IKE, IPSec SAs can be dynamically established & removed at negotiated time, period.
o IKE has two versions, an old version IKEv1 and a new version is an IKEv2.
o IKEv1 was introduced around 1998 and superseded by IKEv2 in 2005.
o IKE is a hybrid protocol made from Oakley, SKEME and ISAKMP protocols.
o ISAKMP protocol is a framework for exchanging encryption keys and SA payloads.
o Internet Key Exchange (IKE) uses UDP, Port Number 500 for sending or receiving.
o IKE is a management protocol actually is use isakmp for key exchange.
o IKE (Internet Key Exchange) protocols is used to establish an IPsec tunnel.
o IKE is same with Internet Security Association Key Management Protocol (ISAKMP).
o IKE builds the tunnels for us but it does not authenticate or encrypt user data.

IKE Version:
o IKE has two versions, old version IKEv1 & new version is IKEv2.
o There are a number of differences between IKEv1 and IKEv2.
o IKEv1 was introduced around 1998 & superseded by IKEv2 in 2005.
o IKEv2 does not consume as much bandwidth as IKEv1.
o IKEv2 has a built-in Keepalive mechanism for tunnels.
o IKEv2 can detect whether tunnel is still alive while IKEv1 cannot.
o IKEv2 supports EAP authentication while IKEv1 does not.
o IKEv2 has built-in NAT traversal while IKEv1 does not.
o IKEv2 to be used in mobile platforms like phones.
o IKEv2 supports MOBIKE while IKEv1 does not.

12 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Internet Key Exchange (IKE) Phases:
o There are two phases to build an IPsec tunnel IKE phase 1 and IKE phase 2.
o IKEv1 Phase 1 Security Associations negotiation is for protecting IKE.
o IKEv1 Phase 2 Security Associations negotiation is protecting real user traffic.
IKEv1 Phase 1:
o In IKE phase 1, two peers negotiate about the encryption, authentication & hashing.
o In IKE Phase 1, two peers also negotiate about other protocols that they want to use.
o In IKE Phase 1, two peers also negotiate about some other parameters that are required.
o Main purpose of IKE phase 1 is to establish secure tunnel that can be used for IKE phase 2.
o In IKE Phase 1, an ISAKMP session is established.
o IKE Phase 1 also called the ISAKMP tunnel or IKE phase 1 tunnel.
o The IKE phase 1 tunnel is only use for Management Traffic.
o IKE Phase 1 tunnel as a secure method to establish the second tunnel.
o IKE phase 1 can happen in two modes main mode or aggressive mode.

IKEv1 Phase 1 Modes:

o IKEv1 Phase 1 negotiation is in two modes, either Main Mode or Aggressive Mode.
Main Mode:
o Main mode uses six messages while aggressive mode only uses three messages.
o Main mode has three pairs of messages total six messages between IPSec peers.
o The main purpose of IKEv1 Phase 1 is to establish IKE Security Associations.
o IKE Main mode is considered more secure then aggressive mode.
o The initiator peer that wants to build the tunnel will send the first message.
o Initiator send own proposal to responder for the security association.
o When the responder receives the first message from the initiator, it will reply.
o This message is used to inform the initiator that we agree upon the attributes.
o This way the responder send own proposal to initiator for the security association.
o The Initiator will start Diffie-Hellman Key Exchange Payload and Nonce payload.
o The Responder will also start Diffie-Hellman Key Exchange Payload & Nonce payload.
o Last two messages are encrypted used for identification & authentication of each peer.

13 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Aggressive Mode:
o IKEv1 Phase 1, Aggressive mode, uses only three messages to establish IKE SA.
o IKEv1 aggressive mode only requires three messages to establish the SA.
o First two messages exchange include almost everything required to form IKE SA.
o IKEv1 Phase1 Aggressive Mode is quicker than Main Mode but exchanged in cleartext.
o First message sent from the Initiator includes SA, Proposal and Transform payload.
o Main difference in Aggressive Mode is first message include DH Key Exchange.
o In addition, aggressive Mode exchange the Nonce payload in first message as well.
o Identification payload is also added in first message & sent cleartext not encrypted.
o Responder generates Diffie-Hellman shared secret & Hash for authentication purpose.
o The last message from the initiator is a hash that is used for authentication.

IKEv2 Phase 2:
o IKE phase 2 tunnel (IPsec tunnel) will be actually used to protect user data.
o IKEv2 Phase 2 negotiation is done in only one mode that is Quick Mode.
o IKEv1 Phase 2 (Quick Mode) consists of three 3-message exchanges.
o Message exchanges in Phase 2 are protected by encryption & authentication.
o IKEv1 Phase 2 Quick Mode using the keys derived in the IKEv1 Phase 1.
o When IKEv1 phase1 is successfully completed, then Phase 2 is started.
o If IKEv1 phase 1 is not successfully, completed IKEv1 Phase 2 will not start.
o Just like in IKE phase 1, the peers will negotiate about a number of items.
o Encryption Algorithm (DES, 3DES or AES)
o Authentication or Hashing Algorithm (MD5, SHA-1 or SHA-2)
o IPSec Protocol Encapsulation Protocol (AH or ESP)
o SA lifetime (Time in seconds or data transfer in kilobytes)
o Encapsulation Mode (Tunnel Mode or Transport Mode )

14 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

IKEv2 Phase Mode:
o IKEv2 does not have main or aggressive mode for phase 1 & no quick mode in phase 2.
o Internet Key Exchange (IKEv2) also has two Phase negotiation process.
o First Phase is known as IKE_SA_INIT and the second Phase is called as IKE_AUTH.
o In Internet Key Exchange (IKEv2), only four messages are required for entire exchange.
o Internet Key Exchange (IKEv2) runs over UDP ports 500 and 4500 (IPsec NAT Traversal).
o Devices configured to use IKEv2 accept packets from UDP ports 500 and 4500.
o IKEv2 IPSec Peers can be validated using Pre-Shared Keys, Certificates, or EAP.
o In IKEv2, the First message from Initiator to Responder (IKE_SA_INIT).
o Contains SA proposals, Encryption & Integrity algorithms, DH keys & Nonce.
o In IKEv2, second message from Responder to Initiator (IKE_SA_INIT).
o Contains SA proposals, Encryption & Integrity algorithms, DH keys & Nonce.
o After Messages 1 & 2, next messages are protected by encrypting & authenticating.
o Third and fourth massages (IKE_AUTH) are encrypted and authenticated.
o Over the IKE SA created by the previous Messages 1 and 2 (IKE_SA_INIT).
o IKEv2 these two messages are for Authentication.
o Initiators and responder’s identity, certificates exchange are completed at this stage.
o Third & fourth massages (IKE_AUTH) are used authenticate the previous messages.
o Validate the identity of IPSec peers and to establish the first CHILD_SA.

15 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717