
Cryptography & Security

Introduction
 Cryptography is the study of encryption and encryption algorithms.
 Encryption is the conversion of messages from a comprehensible form (cleartext)
into an incomprehensible one (cipher text), and back again.
 The purpose of encryption is to render data unreadable by interceptors or
eavesdroppers who do not know the secret of how to decrypt the message.
 Encryption attempts to ensure secrecy in communications.
 Cryptography defines the techniques used in encryption.

Basic Terminologies
 Plaintext/Cleartext
o Plaintext is the original message. It has not been altered; it is the usable
information.
 Ciphertext
o Ciphertext is the opposite of plaintext; it is a message or other data that
has been transformed into a different format using a mechanism
known as an algorithm.
o It is also something that can be reversed using an algorithm and a key.
 Algorithms
o The algorithm or cipher is nothing more than a formula that includes discrete
steps that describe how the encryption and decryption process is to be
performed in a given instance.
 Keys
o A key is a discrete piece of information that is used to determine the result or
output of a given cryptographic operation.
o A key in the cryptographic sense can be thought of in the same way a key in
the physical world is: as a special item used to open or unlock something—in
this case, a piece of information.

o In the encryption world, the key is used to produce a meaningful result and
without it a result would not be possible.

Understanding Cryptography and Encryption


 Encryption can be used to encrypt data while it is in transit or while it’s stored on
a hard drive.
 Cryptography is the study of protecting information by mathematically
scrambling the data so it cannot be deciphered without knowledge of the
mathematical formula used to encrypt it.
 This mathematical formula is known as the encryption algorithm.
 Cryptography is composed of two words:
o crypt (meaning secret or hidden) and
o graphy (meaning writing).
 Cryptography literally means secret or hidden writing.
 Cleartext is the readable and understandable data, and cipher text is the scrambled
text as a result of the encryption process.
 Cipher text should be unreadable and show no repeatable pattern to ensure the
confidentiality of the data.

Figure: cleartext versus cipher text.

 There are three critical elements to data security: confidentiality, integrity, and
authentication, known as the CIA triad.

Figure: CIA triad

 Data encryption provides confidentiality, meaning the data can only be read by
authorized users.

 Message hashing provides integrity, which ensures the data sent is the same data
received and the information was not modified in transit.
 Message digital signatures provide authentication (ensuring users are who they
say they are) as well as integrity.
 Message encrypting and digital signatures together provide confidentiality,
authentication, and integrity.

How Cryptography Works


 Encryption algorithms can use simple methods of scrambling characters, such as
substitution (replacing characters with other characters) and transposition (changing
the order of characters).
 Encryption algorithms are mathematical calculations based on substitution and
transposition.
 Here are some early cryptographic systems:
Caesar’s Cipher

Atbash Cipher
 Used by the ancient Hebrews, Atbash (Figure below) is a substitution cipher and
works by replacing each letter used with another letter the same distance away from
the end of the alphabet; for example, A would be sent as a Z and B would be sent
as a Y.

Types of Encryption
The two primary types of encryption are symmetric and asymmetric key
encryption.

Symmetric key encryption


 Symmetric key encryption means both sender and receiver use the same secret key to
encrypt and decrypt the data.
 A secret key, which can be a number, a word, or just a string of random
letters, is applied to the text of a message to change the content in a particular
way.
 This might be as simple as shifting each letter by a number of places in the
alphabet.
 As long as both sender and recipient know the secret key, they can encrypt and
decrypt all messages that use this key.
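
The Atbash substitution and the letter-shift secret key described above, written out as an added example (it is not part of the original notes; the function names are assumptions). It also decrypts under every possible shift key to show how small that key space is.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def atbash(text: str) -> str:
    """Replace each letter with the one the same distance from the other end
    of the alphabet (A <-> Z, B <-> Y). There is no key, and applying the
    cipher twice returns the original text."""
    table = str.maketrans(UPPER + LOWER, UPPER[::-1] + LOWER[::-1])
    return text.translate(table)


def shift_encrypt(text: str, key: int) -> str:
    """Symmetric shift cipher: the shared secret key is the number of places
    each letter is moved along the alphabet. Non-letters are left unchanged."""
    k = key % 26
    shifted = UPPER[k:] + UPPER[:k] + LOWER[k:] + LOWER[:k]
    return text.translate(str.maketrans(UPPER + LOWER, shifted))


def shift_decrypt(text: str, key: int) -> str:
    """The same key reverses the operation (shift back by the same amount)."""
    return shift_encrypt(text, -key)


def all_shift_candidates(ciphertext: str) -> dict:
    """Decrypt under every non-trivial key. The whole key space is 25 values,
    which is why a cipher this simple offers no real secrecy."""
    return {key: shift_decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    message = "Meet me at the usual place"      # constructed sample plaintext
    secret_key = 7                              # constructed sample key
    ciphertext = shift_encrypt(message, secret_key)
    print("Atbash     :", atbash(message))
    print("Shift by 7 :", ciphertext)
    print("Decrypted  :", shift_decrypt(ciphertext, secret_key))
    print("Keys to try:", len(all_shift_candidates(ciphertext)))
```
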

Advantage
 The strength of symmetric key encryption is fast, bulk encryption.
Disadvantage:
o Key distribution - there is no secure way to share the key between
multiple systems.
Systems that use symmetric key encryption need to use an offline method to
transfer the keys from one system to another. This is not practical in a large
environment such as the Internet, where the clients and servers are not
located in the same physical place.
o Scalability
o Limited security (confidentiality only)
o It does not provide nonrepudiation (nonrepudiation means the sender’s
identity can be proven)
Examples of symmetric algorithms are as follows:

There are currently a myriad of symmetric algorithms available:
 Data Encryption Standard (DES)
o Originally adopted by the U.S. government in 1977, the DES algorithm is still
in use today. DES is a 56-bit key algorithm, but the key is too short to be
used today for any serious security applications.
 Triple DES (3DES)
o This algorithm is an extension of the DES algorithm, which is three times
more powerful than the DES algorithm. The algorithm uses a 168-bit key.
 Blowfish
o Blowfish is an algorithm that was designed to be strong, fast, and simple in
its design.
o The algorithm uses a 448-bit key and is optimized for use in today’s 32- and
64-bit processors (which its predecessor DES was not). The algorithm was
designed by encryption expert Bruce Schneier.
 International Data Encryption Algorithm (IDEA)
o Designed in Switzerland and made available in 1990, this algorithm is seen in
applications such as the Pretty Good Privacy (PGP) system.
 MARS - This AES finalist was developed by IBM and supports key lengths of
128–256 bits.
 RC2
o Originally an algorithm that was a trade secret of RSA Labs, the RC2
algorithm crept into the public space in 1996. The algorithm allows keys
between 1 and 2,048 bits.
o The RC2 key length was traditionally limited to 40 bits in software that was
exported to allow for decryption by the U.S. National Security Agency.
 RC4 - Another algorithm that was originally a trade secret of RSA Labs, RC4, was
revealed to the public via a newsgroup posting in 1994. The algorithm allows keys
between 1 and 2,048 bits.
 RC5 - Similar to RC2 and RC4, RC5 allows users to define a key length.
 RC6 - RC6 is another AES finalist developed by RSA Labs and supports key lengths of
128–256 bits.

 Rijndael or Advanced Encryption Standard (AES) - The successor to DES and
chosen by the National Institute of Standards and Technology (NIST) to be the new
U.S. encryption standard. The algorithm is very compact and fast and can use keys
that are 128, 192, or 256 bits long.
 Serpent - This AES finalist, developed by Ross Anderson, Eli Biham, and Lars
Knudsen, supports key lengths of 128–256 bits.
 Twofish - This AES candidate, also developed by Bruce Schneier, supports key
lengths of 128–256 bits.

Asymmetric (or public) key cryptography


 Asymmetric, or public key, cryptography is a relatively new form of cryptography
that was only fully realized in the mid-1970s by Whitfield Diffie and Martin
Hellman.
 It was created to address the weaknesses of symmetric key management and
distribution (the problem with secret keys: how can they be exchanged
securely over an inherently insecure network such as the Internet?).
 Asymmetric encryption uses two related keys known as a key pair.
o A public key is made available to anyone who might want to send you an
encrypted message.
o A private key is kept secret, so that only you know it.
 Any messages (text, binary files, or documents) that are encrypted by using the
public key can only be decrypted by using the matching private key.
 Any message that is encrypted by using the private key can only be decrypted
by using the matching public key.
 This means that you do not have to worry about passing public keys over the
Internet as they are by nature available to anyone.
 A problem with asymmetric encryption, however, is that it is slower than
symmetric encryption. It requires far more processing power to both encrypt
and decrypt the content of the message.
 The relationship between the two keys in asymmetric key encryption is based on
complex mathematical formulas.

 One method of creating the key pair is to use factorization of prime numbers.
 Another is to use discrete logarithms.
 Asymmetric encryption systems are based on one-way functions that act as a
trapdoor. Essentially the encryption is one way in that the same key cannot decrypt
messages it encrypted.
 The associated private key provides information to make decryption feasible.
 The information about the function is included in the public key, whereas
information about the trapdoor is in the private key.
 Anyone who has the private key knows the trapdoor function and can compute the
public key.
 To use asymmetric encryption, there needs to be a method for transferring
public keys.
 The typical technique is to use X.509 digital certificates (also known simply as
certificates).

 A certificate is a file of information that identifies a user or a server, and contains
the organization name, the organization that issued the certificate, and the user’s
email address, country, and public key.
 When a server and a client require a secure encrypted communication, they send a
query over the network to the other party, which sends back a copy of the
certificate. The other party’s public key can be extracted from the certificate. A
certificate can also be used to uniquely identify the holder.
 Asymmetric encryption can be used for
o Data encryption
o Digital signatures
 Asymmetric encryption can provide
o Confidentiality
o Authentication
o Nonrepudiation
 Strengths of asymmetric key encryption include
o Key distribution

o Scalability
o Confidentiality, authentication, and nonrepudiation
 The weakness of asymmetric key encryption:
o The process is slow and typically requires a significantly longer key. It’s only
suitable for small amounts of data due to its slow operation.

Example: How Asymmetric (or public) key cryptography Works


Alice wants to send a message to Bob and keep it secret at the same time. To do so
Alice will locate Bob’s public key and use it to encrypt her message. Once she sends the
message to Bob, he will use his private key to decrypt the message. No intermediate
party will be able to view the message since only one person, Bob, has the means to
decrypt it.

Stream Ciphers vs. Block Ciphers


 Block ciphers and stream ciphers are the two types of encryption ciphers.
Block ciphers
 Are encryption ciphers that operate by encrypting a fixed amount, or “block,” of data.
 The most common block size is 64 bits of data.
 This chunk or block of data is encrypted as one unit of cleartext.
 When a block cipher is used for encryption and decryption, the message is divided
into blocks of bits.
 Blocks are then put through one or more of the following scrambling methods:
o Substitution
o Transposition
o Confusion
o Diffusion
Stream cipher
 Encrypts single bits of data as a continuous stream of data bits.
 Stream ciphers typically execute at a higher speed than block ciphers and are
suited for hardware usage.

Digital Certificates
 A digital certificate is an electronic credential that is unique to a person, computer, or
service and is used to bind a key pair with a particular subscriber.

 When a party is presented with the certificate, they can view the credential, inspect
the private key, and use it to verify the private key, or more accurately, anything
that was performed with the private key.

 Digital certificates are issued by a Certificate Authority (CA).

 A digital certificate is a cryptographically sealed object that is populated with various
pieces of information. Some of the items included on the digital credential are:
■ Version
■ Serial number
■ Algorithm ID
■ Issuer
■ Validity
■ Not before
■ Not after
■ Subject
■ Subject Public Key Info
■ Public Key Algorithm
■ Subject Public Key
NB: A public key infrastructure (PKI) is necessary in order to create digital certificates.

 PKI is a framework that consists of hardware; software; policies that exist to manage,
create, store, and distribute keys; and digital certificates.

 Additionally, a complete PKI solution (like the one in Figure below) involves
o symmetric algorithms,
o asymmetric algorithms,
o hashing,
o Digital authentication (usually certificates, but could also be Kerberos).

 One of the major strengths of public key encryption is its ability to facilitate
communication between parties previously unknown to each other, a process that is
made possible by the PKI hierarchy of trust relationships.

 The important parts of the PKI infrastructure are as follows:


o Digital certificates
o Certificate authorities
o Certificate generation and destruction
o Key management
Viewing a Digital Certificate
 Connect to any website that requires a login, such as a bank, webmail, or e-
commerce site.

 In the URL address bar, locate the padlock icon.

 Click on the icon, then click the details link.

Digital Certificate icon

Understanding Certificate Authority (CA)
 A CA creates and revokes certificates that it has in its control along with the
associated public keys.

 A CA can be controlled by a company for its internal use or by a public entity for use
by any who wish to purchase a credential from the controlling party.

 A CA is a trusted third party that is responsible for issuing, managing, identifying,
and revoking certificates as well as enrolling parties for their own certificates.

 The CA vouches for the identity of the holder of any given certificate. A CA issues
credentials to banks, webmail, VPNs, smart cards, and many other entities. The CA
gathers information, validates, and issues a credential to the requesting party if
everything checks out.

 The CA will require a party to provide information that proves identity.

 Items such as identity number/passport, name, address, phone, physical data such
as faxed records, and other records and personal interviews might also be required
as policy dictates.

 Once this information is obtained and validated, the CA will issue the certificate or
validate an existing certificate.

 The following process takes place


1. The request is received.
2. Background information is requested by the CA and validated.
3. The information provided by the requester is applied to the certificate.
4. The CA hashes the certificate.
5. The issuing CA signs the certificate with their private key.
6. The requester is informed that their certificate is ready for pickup.
7. The requester installs the certificate on their computer or device.
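
Steps 3 to 5 of this process, together with the earlier Alice-and-Bob exchange, as an added example (not part of the original notes). It uses textbook RSA without padding, built on publicly known Mersenne primes so it runs with the standard library only; the field names, sample identities and function names are assumptions, and none of it is suitable for real keys.

```python
import hashlib

# Toy primes (publicly known Mersenne primes). Real key pairs are generated
# from large random primes that are kept secret.
CA_PRIMES = (2**521 - 1, 2**607 - 1)
BOB_PRIMES = (2**107 - 1, 2**127 - 1)


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): public key and private key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent, needs p and q
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def cert_digest(fields: dict) -> int:
    """Step 4: hash the certificate contents (sorted key=value lines)."""
    encoded = "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big")


def ca_issue(ca_private, fields: dict) -> dict:
    """Step 5: the CA signs the hash with its private key."""
    n, d = ca_private
    return {"fields": dict(fields), "signature": pow(cert_digest(fields), d, n)}


def verify_certificate(ca_public, cert: dict) -> bool:
    """Anyone holding the CA public key can check the signature."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == cert_digest(cert["fields"])


def demo():
    ca_public, ca_private = make_keypair(*CA_PRIMES)
    bob_public, bob_private = make_keypair(*BOB_PRIMES)
    # Step 3: the requester's information is applied to the certificate.
    cert = ca_issue(ca_private, {
        "subject": "bob@example.test",          # constructed sample values
        "issuer": "Example Toy CA",
        "not_before": "2024-01-01",
        "not_after": "2025-01-01",
        "public_key_n": bob_public[0],
        "public_key_e": bob_public[1],
    })
    # Alice checks the certificate, extracts Bob's public key, and encrypts.
    genuine_ok = verify_certificate(ca_public, cert)
    bob_key = (cert["fields"]["public_key_n"], cert["fields"]["public_key_e"])
    plaintext = decrypt(bob_private, encrypt(bob_key, b"meet at noon"))
    # A certificate whose public key was swapped no longer matches the signature.
    forged = {"fields": dict(cert["fields"], public_key_n=12345),
              "signature": cert["signature"]}
    return plaintext, genuine_ok, verify_certificate(ca_public, forged)


if __name__ == "__main__":
    print(demo())
```
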

Responsibilities of CA organizations
A CA is able to perform a number of roles in addition to the validation process outlined
here. Some actions that a CA is called on to perform include the following:

 Generation of the Key Pair - When a CA goes through the process of creating
a certificate, a key pair that is made up of a public and private key is generated.
The public key is made available to the public at large whereas the private key is
given to the party requesting the digital certificate.

 Generation of Certificates - The CA generates digital certificates for any
authorized party when requested. This certificate is generated after validation of
the identity of the requesting party, as mentioned earlier.

 Publication of the Public Key - The public key is bound to each digital
certificate. Anyone who trusts the CA or requests the public key will get the key
for their use.

 Validation of Certificates - When a certificate is presented by one party to
another it must be validated. Since both parties involved typically do not know
each other, they must rely on a third party who is trusted; this is the role of the
CA.

 Revocation of Certificates - If a certificate is no longer needed or trusted, it
can be revoked before it expires.

Example of CA organizations
 Comodo
 CAcert
 Thawte
 Digicert
 GeoTrust
 GoDaddy
 GlobalSign
 Trustwave

Understanding Hashing
 Hashing is one-way encryption.
 It is a form of encryption that creates a scrambled output that cannot be reversed,
or at least cannot be reversed easily.
 The process of hashing takes plaintext and transforms it into ciphertext, but does so
in such a way that it is not intended to be decrypted.
 The process outputs what is known as a hash, hash value, or message digest.
 Designed to be a one-way process, hashing is commonly used to validate the
integrity of information.
 A hash function generates a fixed-length value that is always the same length no
matter how large or small the data entering the process or algorithm is.
 The resulting output is intended to be nonreversible or very nearly impossible to
reverse.
 The fixed-length value is unique for every different input that enters the process.

 It is due to this unique property and its behavior that hashes are used to detect the
changes that can happen in data of any type.
 Hashing lets you easily detect changes in information: anything that is hashed and
then changed, even a small amount, will result in an entirely different hash from the
original.
 Hashed values are the result of information being compressed into the fixed-length
value.
 A one-way hash function is also sometimes referred to as a one-time cipher key, or
a thumbprint.

The following is a list of hashing algorithms currently in use:


o Message Digest 2 (MD2) - A one-way hash function used in the privacy-enhanced
mail (PEM) protocols along with MD5.
o Message Digest 4 (MD4) - A one-way hash function used for PGP (Pretty
Good Privacy) and other systems. MD4 has been replaced by MD5 in most
cases.

Message Digest 5 (MD5)


 The MD5 function is a cryptographic algorithm that takes an input of arbitrary
length and produces a message digest that is 128 bits long.
 The digest is sometimes also called the "hash" or "fingerprint" of the input.
 MD5 is used in many situations where a potentially long message needs to be
processed and/or compared quickly.
 The most common application is the creation and verification of digital
signatures and password encryption.

 MD5 was designed by well-known cryptographer Ronald Rivest in 1991.

 The main purpose of the MD5 hash function is to verify that a file has been unaltered.

 It is used for confirming that two sets of data are identical. MD5 does this by
producing a checksum on both sets, and then comparing the checksums to verify
that they're the same.

 MD5 is still extremely popular in many circles, but it is being phased out due to
weaknesses that have led to the system being vulnerable.

 MD5 is not useful for advanced encryption applications, but it's perfectly
acceptable to use it for standard file verifications.

 In many cases, MD5 has been replaced with SHA2.

Secure Hash Algorithm-0 (SHA-0) - Used prior to SHA-1 and has since been replaced
by SHA-1.

Secure Hash Algorithm-1 (SHA-1)
 SHA-1 (160 bit) is a cryptographic hash function designed by the United
States National Security Agency and published by the United States NIST as a
U.S. Federal Information Processing Standard.
 SHA-1 produces a 160-bit (20-byte) hash value.

 A SHA-1 hash value is typically expressed as a hexadecimal number, 40 digits
long.

 SHA-1 is the most widely used of the existing SHA hash functions, and is
employed in several widely used applications and protocols.

 Examples

Secure Hash Algorithm-2 (SHA-2)


 Designed to be an upgrade to SHA-1.
 SHA2, not often used for now, is the successor of SHA1 and comprises 4 kinds of
hash functions: SHA224, SHA256, SHA384 and SHA512.
 It works the same way as SHA1 but is stronger and generates a longer hash.
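
The hashing properties described in this section (fixed-length output, a small change producing an entirely different hash, and integrity checking by comparing digests), as an added example using Python's standard `hashlib`; it is not part of the original notes, and the function names and sample messages are assumptions.

```python
import hashlib
import hmac

# The MD5, SHA-1 and SHA-2 functions named in this section.
ALGORITHMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]


def digest_bits(data: bytes) -> dict:
    """Digest length in bits for each algorithm. The length depends only on
    the algorithm, never on how much data was hashed."""
    return {name: hashlib.new(name, data).digest_size * 8 for name in ALGORITHMS}


def changed_bits(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Count the digest bits that differ between two inputs."""
    da = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(da ^ db).count("1")


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest of the received data and compare it with the
    digest published by the sender. compare_digest avoids timing leaks."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample inputs: one byte versus one megabyte.
    print("1 byte :", digest_bits(b"x"))
    print("1 MB   :", digest_bits(b"x" * 1_000_000))

    # Constructed sample messages differing in a single character.
    original = b"transfer 100 to bob"
    modified = b"transfer 900 to bob"
    print("SHA-256 bits changed:", changed_bits(original, modified), "of 256")

    published = hashlib.sha256(original).hexdigest()
    print("original verifies:", verify_integrity(original, published))
    print("modified verifies:", verify_integrity(modified, published))
```
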

Hash attacks, SHA1 and SHA2

Cryptographic Vulnerabilities & Attacks


 Cryptography has its faults and potential attacks. Attacks are designed to leverage
weaknesses in both implementation and logic in many cases.

Types of Cryptography Attacks
 Brute Force Attack
o Cryptographic systems are all vulnerable to what is known as a brute force
attack.
o In such an attack, every possible combination of characters is tried in
an attempt to uncover a valid key.
o This type of attack can take an extremely long time to be successful,
depending on the cryptosystem being targeted.

 Ciphertext-only Attack
o The attacker has some sample of ciphertext but lacks the corresponding
plaintext or the key.
o The goal is to find the corresponding plaintext in order to determine how the
mechanism works.
o Ciphertext-only attacks tend to be the least successful based on the fact that
the attacker has very limited knowledge at the outset.
 Known Plaintext Attack
o The attacker possesses the plaintext and ciphertext of one or more
messages.
o The attacker will then use this acquired information to determine the key in
use.
o This attack shares many similarities with brute-force attacks.
 Chosen Plaintext Attack
o The attacker is able to generate the corresponding ciphertext to deliberately
chosen plaintext.
o Essentially, the attacker can “feed” information into the encryption system
and observe the output. The attacker may not know the algorithm or the
secret key in use.
 Chosen Ciphertext Attack
o The attacker is able to decrypt a deliberately chosen ciphertext into the
corresponding plaintext.

o Essentially, the attacker can “feed” information into the decryption system
and observe the output.
o The attacker may not know the algorithm or the secret key in use.

 Replay Attack
o Another type of successful attack involves not even cracking the key but
simply recording some traffic and replaying it later.
o This type of attack requires that the attacker record network traffic through
sniffing and then retransmit the information later or extract the key from the
traffic.
 Man-in-the-Middle (MITM) Attack
o Another related attack is the man-in-the-middle (MITM) attack, which is carried
out when the attacker gets between two users with the goal of intercepting and
modifying packets.
o Consider that in any situation in which attackers can insert themselves in the
communications path between two users, the possibility exists that the
information can be intercepted and modified.

Applications of Cryptography
Cryptography can be applied in the communication of data and information. Key areas of
application are: IPSec, SSL, and PGP.

1. IPSec
 Internet Protocol Security (IPSec) is a set of protocols designed to protect the
confidentiality and integrity of data as it flows over a network.
 The set of protocols is designed to operate at the Network layer of the OSI
model and process packets according to a predefined group of settings.
 IPSec provides two mechanisms for protecting information: Authentication
Header and Encapsulating Security Payload.

 The two mechanisms differ in what they provide:
o Authentication Header (AH) provides authentication services
and provides a way to authenticate the sender of data.
o Encapsulating Security Payload (ESP) provides a means to
authenticate information as well as encrypt the data.

2. Pretty Good Privacy (PGP)
 PGP has been used to protect the privacy of e-mail, data, data storage, and
other forms of communication such as instant messaging.
 PGP was designed to provide the privacy and security measures that are not
currently present in many forms of online communication.
 The e-mail or instant message travels to the destination or recipient in this
encrypted form.
 The recipient will use PGP to decrypt the message back into plaintext.
 A PGP user can also use their private key to digitally sign outgoing mail so
that the recipient knows the mail originated from the named sender. A third
party would not have access to the private key, so the digital signature
authenticates the sender.
 Sensitive data files stored on your hard drive or on removable media can
also be protected using PGP. You can use your public key to encrypt the files and
your private key to decrypt them. Some versions also allow the user to encrypt
an entire disk. This is especially useful for laptop users in the event the laptop is
lost or stolen.

3. Secure Sockets Layer (SSL)


 The SSL protocol was developed by Netscape in the mid-1990s and rapidly
became a standard mechanism for exchanging data securely over insecure
channels such as the Internet.
 SSL is supported by all modern browsers and e-mail clients transparently.
 When a client connects to a location that requires an SSL connection, the server
will present the client with a digital certificate that allows the client to identify the
server.

 The client makes sure the domain name matches the name on the CA and that
the CA has been generated by a trusted authority and bears a valid digital
signature.
 Once the handshake is completed, the client will automatically encrypt all
information that is sent to the server before it leaves the computer. Encrypted
information will be unreadable en route.
 Once the information arrives at the secure server, it is decrypted using a secret
key.
 If the server sends information back to the client, this information will also be
encrypted on the server end before being transmitted.
