Cryptography
Short Description
"Secret code" redirects here. For the Aya Kamiki album, see Secret Code. "Cryptology" redirects her...
Description
Cryptographic Algorithms 14th May 2012
P.R.Lakshmi Eswari e-Security Team C-DAC Hyderabad
Network Security
What is it ?
Why do we need it ?
How is it provided ?
Network Security
What is it ?
Why do we need it ?
How is it provided ?
Network Security Issues
Normal Flow
Network Security Issues
Normal Flow
Interruption
Network Security Issues
Normal Flow
Modification
Interruption
Network Security Issues
Normal Flow
Modification
Interruption
Interception
Network Security Issues
Normal Flow
Modification
Fabrication
Interruption
Interception
Network Security Issues
Normal Flow
Interruption
Modification
Interception No!
Get it?
Sent it?
No! Fabrication
Repudiation
Network Security Services
Availability Requirement
Modification
Interception No!
Get it?
Sent it?
No! Fabrication
Repudiation
Network Security Services
Availability Requirement
Integrity Interception No!
Get it?
Sent it?
No! Fabrication
Repudiation
Network Security Services
Availability Requirement
Integrity
Confidentiality No!
Get it?
Sent it?
No! Fabrication
Repudiation
Network Security Services
Availability Requirement
Integrity
Confidentiality No!
Get it?
Authenticity
Sent it?
No! Repudiation
Network Security Services
Availability Requirement
Integrity
Confidentiality
Authenticity
Non Repudiation
Security Mechanisms
Confidentiality
- Encryption
Integrity
- Hashing
Authentication
- Digital Certificates
Non-Repudiation - Digital Signatures
Cryptographic Algorithms
Types of Cryptographic algorithms Secret key cryptography or Symmetric Key Public key cryptography or Asymmetric Key Hash functions
Symmetric Cryptography
Asymmetric Cryptography
Types of Cryptosystems
Secret Key or Symmetric Cryptography DES, IDEA, AES etc
Advantages: fast, cipher text secure
Disadvantages: must distribute key in advance, key must not be divulged
Public-key or Asymmetric Cryptography RSA, Diffie-Hellman key agreement protocol etc
Advantages: public key widely distributable, does digital signatures
Disadvantages: slow
Secret Key Algorithms Shared Secret Key
Decryption algorithm
Encryption algorithm
Plain text input
Transmitted Cipher text
Confidentiality
Plain text output
Secret Key Encryption Types
Block Cipher: Operates on a block of message or plaintext at a time Ex: DES, IDEA)
Data Encryption Standard (DES) 56-bit Key
64-bit 48-bitInput K1
Generate keys Permutation Round 1 Round 2 …...
Round 16 Swap Permutation 64-bit Output
Initial Permutation 48-bit K1 48-bit K2 48-bit K16
Swap 32-bit halves Final Permutation
Secret Key Encryption Triple DES
Uses 3 keys and 3 executions of DES algorithm. Key1 Encrypt
Plain text
Decrypt
Key3 Encrypt
Encryption Key3
Cipher text
Key2
Decrypt
Key2 Encrypt
Decryption
Cipher text
Key1 Decrypt
Plain text
Secret Key Encryption Other Secret key algorithms IDEA (International Data Encryption Algorithm)
128 bit key, 8 rounds
Blowfish
Variable key length. (up to 448 bits). Generally 128 bit key used. 16 rounds. Easy to implement and high execution speed.
Secret Key Encryption Other Secret key algorithms
CAST 128
Key size between 40 and 128 bits.
F varies from round to round.
AES (Advanced Encryption Standard)
Variable block length (128, 192, 256 bits)
Variable key length (128, 192, 256 bits)
Ease of implementation in software and hardware.
Secret Key Encryption Stream Cipher
A pseudo random no. generator continuously generates bits known as running key or keystream. xoring the keystream to the plain text produces the cipher text. e.g. RC4, SEAL, A5/1 (used in GSM)
Secret Key Encryption Stream Cipher key
Keystream generator
Encryption
key
Keystream generator
plaintext
+
ciphertext
ciphertext
+
plaintext
Decryption Keystream Generator is a pseudo random generator like linear feedback shift register
Key Distribution
Symmetric schemes require both parties to share a common secret key Issue is how to securely distribute this key Often secure system failure due to a break in the key distribution scheme
Public Key Cryptography
Uses two keys: private & public
Used for
Confidentiality
Authentication
Key distribution
Public Key Cryptography
Confidentiality
The sender encrypts using public key of receiver Only the receiver can decrypt the cipher message with his private key
Public Key Algorithms
Public key ring Private Key
Decryption algorithm
Encryption algorithm
Plain text input
Transmitted Cipher text
Confidentiality
Plain text output
Public Key Cryptography
RSA
Key Generation
Select prime no.’s p & q
Calculate n = p x q
Calculate
(n) = (p-1)(q-1)
Select integer e such that e is relatively prime to (n) Calculate d = e-1mod
(n)
(d = multiplicative inverse of e)
Public Key = {e, n} Private Key = {d, n}
Public Key Cryptography RSA Encryption
Plaintext M < n
Cipher text C = Me(mod n)
Decryption –
–
Cipher text C Plaintext M = Cd(mod n)
Cryptography Strength of Cryptographic Algorithms Identify the weakest links
Key length: key can be broken by brute force attack. For a 32 bit key max. possible combinations is 232. Hence size of key is crucial.
Symmetric algorithms: key sizes currently used is 128 bits Public key algorithms: require much larger key sizes since an extra structure i.e. public key is available to cryptanalyst. Hence keys with 1024 bits and more are safer.
Public Key Algorithms Public key ring
Private Key
Decryption algorithm
Encryption algorithm
Plain text input
Transmitted Cipher text
Authentication
Plain text output
Public Key Algorithms
Public key ring
Private Key
Session key
Encryption algorithm
encrypted key
Decryption algorithm
Key Exchange
Shared session key
Key Management Diffie-Hellman Key Exchange
Enables 2 users to exchange a secret key securely that can be used for subsequent encryption of messages. If p is prime no., its primitive root a is such that a mod p, a2 mod p, …ap-1 mod p are distinct integers from 1 to p-1 in some permutation.
Public Key Cryptography Diffie Hellman key exchange
User A
prime p primitive root random no. x
prime p primitive root random no. y
Public key pk1 = xmod p
Public key pk2 = ymod p
Secret Key pk2xmod p K = pk 2 = xymod p
Secret Key ymod 1 K = pk1pk p = xymod p
User B
Symmetric vs. Asymmetric
Asymmetric
Fastest implementation of RSA (asymmetric) can encrypt kilobits/sec
2048-bit key
Symmetric
Fastest implementation of DES (symmetric) can encrypt megabits/sec
56-bit key
The Hybrid Model Very common practice: hybrid symmetric and asymmetric
Asymmetric encryption is used to share a secret key, which is then used for symmetric encryption Advantages
Speed of symmetric, flexibility of asymmetric
Integrity
Encryption protects only against passive attack. Integrity
A message digest is computed which is appended to message using hash functions.
Hash Functions A public function that maps a plaintext message of any length into a fixed length hash value used as the authenticator
Pros
One way transformation
Offers integrity without the cost of encryption
Message can be read when authentication is unnecessary
Cons
No Confidentiality
Can be altered by attackers to match altered message
Integrity Secure Hash Algorithm (SHA-1)
Takes input as 512 bit blocks and produces 160 bit message digest.
Original message
zero padding
512 x m bits
message length
64 bits
Authentication Digital Signatures
An authentication mechanism which enables the creator of a message to attach a code that acts as a signature Encrypt a small block of bits that is a function of the document (authenticator), using sender’s private key. This serves as signature that verifies origin and content. SHA-1 can be used as this function.
Digital Certificates
An answer to Internet trust problem Trusted 3rd parties issue certificates to people or companies who prove their ID
Digital Certificates – Manage key
Used for distribution of public keys. Public key certificate consisting of public key and user ID of key owner is signed by a trusted third party. The third party is called Certificate Authority(CA).
Digital Certificates
A Digital Certificate typically contains
Owner’s public key Owner’s name Expiration date of the public key Name of the issuer (CA that issued the Digital ID) Serial number of the Digital ID Digital signature of the issuer X.509
X.509 Authentication Service
Part of CCITT X.500 directory service standards
Defines framework for authentication services
distributed servers maintaining some info database directory may store public-key certificates with public key of user signed by certification authority
Also defines authentication protocols Uses public-key crypto & digital signatures
algorithms not standardised, but RSA recommended
X.509 Certificates
Issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) Notation CA denotes certificate for A signed by CA
X.509 Certificates
Network Security Protocols
What is a protocol ?
Why do we need a network security protocol ?
Authentication
Data integrity
Confidentiality
Key exchange
Cipher Suite Negotiation
Protocol Layers Where to Implement Security?
TCP/IP protocol stack
Application Layer
Transport Layer
Network Layer
Link Layer
Deployment of Cryptography Application-Layer Encryption Application Layers (5-7)
Network-Layer Encryption Transport/Network Layers (3-4)
Link/Physical Layers (1-2)
Link-Layer Encryption
Link-Layer Encryption
Evolution of Security Protocols
View more...
Comments