Cryptography and Security

Technologies

Internet and Computer Network

 Road Map

1. Basic Concepts
2. Introduction to Cryptography
3. Digital Signature
4. Digital Certificate and Certification
Authority

2
Basic Concepts

3
 How are things done?

 In the E-Commerce world, transactions are

performed between computers in different
locations.
Product

Payment and
other info.
Merchant Customer

Our focus: Information Security

4
 Four Objectives of
Information Security
 Confidentiality: Ensure that information is not
disclosed or revealed to unauthorized persons.
 Integrity: Ensure consistency. Prevent
unauthorized creation or alteration of data.
 Authentication: Verify the identity of the
sender.
 Non-repudiation: One cannot deny that he/she
has taken part in the transaction.

5
 Examples in Physical World

Confidentiality Sealed letter

Opaque envelope
Invisible Ink
Integrity Indelible ink

Authentication Photo ID card

Driving license

Non-repudiation Notarized signature

Certified or registered mail
6
 Among the Four Security
Concerns….
1. Confidentiality – protection against?
2. Integrity – protection against?
3. Authentication – protection against?
4. Non-repudiation – protection against?
Therefore, non-repudiation is
fundamentally different from other
security services.
7
Introduction to Cryptography

8
 Cryptosystem

Encryption Decryption
Key Key



Encryption Decryption

Cipher text
Plain Plain
Information Information

9
 What is Encryption?

 Encryption is a process of scrambling

(mutating) a message such that it becomes
unreadable to unintended receivers.
 Decryption is simply a process to recover the
cipher text into readable form.
 Obviously, a cryptosystem provides
confidentiality.

10
 Symmetric Cryptosystem

 Uses the same key for encryption and

decryption.



Encryption Decryption

Cipher text
Plain Plain
Information Information
11
 Symmetric Key Cryptography
 The key must be secretly held between
the sender and receiver.
 How many keys are needed when we
have a community of n users?
 Ans: n(n – 1)/2, or order of n2.
 Direct Implication:
 Distribution and key management.
 Does not support spontaneous transaction.

12
 Symmetric Cryptosystems
 Normally operates either as block cipher or
stream cipher.
 Block cipher: input text is divided into fixed-size
blocks of n-bits. The encryption function is then
applied. The cipher text blocks are also n-bits in
length. Typically, n = 64 bits.
 Stream cipher: processes the data as a sequence
of characters.
 Common symmetric cryptosystems:
DES, Triple-DES, RC2, RC4, RC5, etc.
13
 The Data Encryption Standard
(DES)
 Developed by IBM in the 1970s, and was
adopted as a US federal standard in 1977.
 Uses 56-bit key on 64-bit blocks of data.
 Encryption and decryption involves 16 rounds
of permutations, letter substitutions, and
exclusive-OR operations.
 The output displays no correlation to the input.
 Every bit of the output depends upon every bit
of the input and the key.
14
 How Good is DES?
 No general guideline on attack except brute-
force search (i.e., exhaustively search the key
space).
 For DES, that means 256  70 million billion
trials.
 Using 1994 technology, a US$1 million
investment can crack the key in 3.5 hours.
 That’s why we need Triple-DES and others!

15
 Other Services…..
 Authentication and integrity: uses integrity
check-value.
Transmitted Message

Plaintext Plaintext Plaintext

Compute Compute
integrity integrity
Equal? Confirm
check Integrity check
Shared check-value or indicate
Key failure

16
 Integrity Check Value
 Can it check for integrity?
 Yes, because the computed value must be consistent
with the transmitted value.
 Can it authenticate the sender?
 Yes, because only 2 users hold the secret key. The
recipient knows that it is sent by the other key
holder.
 Can it prevent repudiation?
 NO! What if one user generates the message by
himself and claim that it was done by the other user?
17
 Public Key Cryptosystems
 Uses a pair of related keys: one for
encryption and one for decryption.
 One key, called the private key, is kept only
to the owner.
 The other key, called the public key, can be
made publicly known.
 Given the public key, one cannot derive the
private key and vice versa.
18
 Public Key Cryptosystems
Recipient’s Recipient’s
public key private key




Plaintext A Cipher text A Plaintext A




Plaintext B Cipher text B Plaintext B

19
 Alternatively…..

Sender’s
private key




Plaintext Plaintext
Cipher text A
Sender’s
public key

20
 Public Key Cryptosystems

 Confidentiality: (let p be our message)

Public-KeyRecipient(p) = cipher text
Private-KeyRecipient(cipher text) = p
 Authentication, integrity, non-repudiation:
Private-KeySender(p) = cipher text
Public-KeySender(cipher text) = p
 Commonly used public key systems include
RSA and PGP (Pretty Good Privacy).
21
 The RSA Algorithm
 Developed by Ron Rivest, Adi Shamir, and
Len Adleman of MIT.
 Based on modular arithmetic and prime
number operations.
 While multiplying two prime numbers is
easy, factoring the product of such numbers is
difficult, especially when the product is large!

22
 Modular Arithmetic

 a  b (mod n) if a differs from b by an exact

multiple of n.
 That is, a  b + Ln, L being an integer.
 Examples:
242  2 (mod 10)
164  4 (mod 5)
146  3 (mod 11)

23
 The RSA Algorithm

1. Find two prime numbers, p and q, and

compute their product, n.
2. Find a pair of integers d and e such that
de  1 (mod (p – 1)(q – 1)).
3. Now, for any message m not being multiple
of p or q,
Encryption: c  me (mod n)
Decryption: cd (mod n)  m
24
 The RSA Algorithm

 The two numbers, n and e, form the public

encryption key. d is the private decryption
key.
 Example: try p = 5, q = 7, n = 35, e = d = 5.
de = 25 = 1 (mod (p – 1)(q – 1)) = 1 (mod 24)
Let’s say the message m is 3,
c = 35 (mod 35) = 33
335 (mod 35) = 3 = m.
25
 Performance of RSA
Rough estimates:
 In year 2000, attacker with US$25,000 can
factor a 425-bit public modulus (n).
 US$25 million can factor a 619-bit modulus.
 In year 2020, US$25,000 will be able to factor
a 515-bit modulus, while 25 million can factor
799-bit modulus.
 In any case, a 1024-bit modulus should be
sufficient for the coming years.
26
 Public Key Cryptosystems

 Advantages:
 Higher security
 Easy key distribution

 Supports spontaneous transactions

 Weaknesses:
 Processing costs (e.g., time requirements
for encryption/decryption).

27
 How to Make Things Better?
 Use a hybrid approach that combines the
strengths of secret-key (symmetric key) and
public-key based encryption techniques.
 Encrypt message with secret key, and then
encrypt the secret key using public key.
 Transmitted Message = Secret-key(m) +
Public-keyreceiver(Secret-key)
 The Second term is called a Digital Envelope.

28
Digital Signature

29
 What is Digital Signature?

 A data item that accompanies a digitally

encoded message and that can be used to:
 ascertain the identity of the sender.
 ensure the message has not been altered during
transmission.
 Normally involves a sign and a verify
operation.

30
 Digital Signature
Sender Transmitted Message Receiver

Plaintext Plaintext Plaintext

Sign Verify
Digital Verified?
Signature Yes/No

Sender’s Sender’s
Private Key Public Key
31
 But……

 This is very similar to the integrity check

value in the symmetric key system!
 Difference: now it supports non-repudiation,
because the private key is only held by the
sender.
 Notice that the signature itself does not
provide confidentiality.

32
 RSA Digital Signature

 Apply the sender’s private key to the entire

message to create the signature.
 Encryption and decryption have to be
applied to the entire message. Signature
length is the same as the message itself.
 Implication:
 High processing and communication overhead
costs.
33
 Any Help?
 One-way Hash function: maps values from a
very large domain (the message) into a
relatively small range.
 Any change in the original message, even just
one single bit, will result in a different value.
 For security applications, normally hashes to
fixed length data (e.g., 128 bits) known as
message digest.

34
 Digital Signature with Hashing
Sender
Transmitted Message Receiver

Plaintext
Plaintext Plaintext
Hash Hash
Sign Decrypt
Message Digital
digest Signature Expected Computed
digest digest
Sender’s
Sender’s
Public Key Are they equal?
Private Key
35
Digital Certificate and
Certification Authority

36
 Distribution of Public Key

 Confidentiality is not required.

 How about integrity? What if an intruder
substitutes the key with his own public key?
 In that case, all four security objectives are
achieved, but you are simply dealing with a
wrong person!
 That’s why we need a trusted third party to
notarize the public key and its owner.

37
 Digital Certificate
 A digital ID card that notarizes the
connection between a public-key and its
owner.
 Issued by certification authorities (CA).
 Contains a public-key value and information
that uniquely identifies the holder.
 Digitally signed by the issuing CA.
 Implication?
 Must trust the CA for the certificate to be useful.
38
 Digital Certificate
 Advantage:
 Easy distribution without the need to worry about
confidentiality, integrity, and authentication.
 User simply needs to trust the CA. No need to store
the keys or certificates of other users.
 However, practically, no CA can handle all
users.
 Therefore, we need a chain-like model to link
up multiple CAs hierarchically. This is called
a certification path.
39