cryptography101
TRANSCRIPT
Cryptography 101 By Aman Hardikar
Contents / Topics INTRODUCTION
SYMMETRIC CRYPTOGRAPHY
Block Ciphers
Introduction
Terms
Modes
Stream Ciphers
Introduction
Types
ASYMMETRIC CRYPTOGRAPHY
Introduction
Terms
Ciphers
HASH FUNCTIONS
Introduction
Merkle Damgard Technique
MAC
DIGITAL SIGNATURE
DIGITAL ENVELOPE
Skill Level:
Beginner - Intermediate
Introduction
Cryptography Securing information in a form only readable by end parties
Cryptography Primitives (building blocks of cryptographic protocols)
Encryption
• Involves the conversion of plain text to cipher text Decryption
• Involves the conversion of cipher text to plain text Signature Generation
• Involves producing a special string that can be tied to a user Signature Verification
• Involves verifying who the user is from the message Key Negotiation and Exchange
• Involves negotiation and exchange of keys between the various parties involved
Steganography Hiding information in other files
Ex: pictures, audio, video, executable files
Types
Symmetric Cryptography
One key for both encryption and decryption
Asymmetric Cryptography (Public Key Cryptography)
Two keys : One for encryption, other for decryption
Symmetric Cryptography
Advantages Small Key Size
• Size ∞ Computational Power
Disadvantages Key Management and transfer/sharing
• Number of keys required = n(n-1)/2, where n is the number of parties involved.
• If there are 5 parties, then number of keys = 10
• If there are 10 parties, then number of keys = 45
• If there are 100 parties, then number of keys = 4950
Provides Confidentiality, Integrity, Origin Authentication
[based on the Mode used]
Symmetric Crypto - Types Block Ciphers
Divides the text into blocks and acts on each of them
Stream Ciphers Acts on each bit of the text
Block Cipher Terms
Key Size
Effective Key Size
Block Size
Initialization Vector (IV)
Work Factor
Block Cipher Examples
Lucifer (64 bits), DES/DEA (56 bits), DESX (184 bits)
3DES / TDES / TripleDES (168 bits)
EEE, EDE, ….
AES/Rijndael (Variable Size)
IDEA
Serpent, Blowfish, RC6
Block Cipher Modes ECB (Electronic Code Book)
CBC (Cipher Block Chaining) CBC$
CBCC
PCBC (Propagating CBC)
CFB (Cipher FeedBack)
OFB (Output FeedBack)
CTR (CounTeR) CTR$
CTRC
Above modes provide confidentiality only.
Block Cipher Modes (2)
CMAC (Cipher based MAC) Integrity + Authentication
CCM (Counter with CBC-MAC) Integrity + Authentication
GCM (Galois/Counter Mode) Integrity + Authentication
Above modes also provide other security services in addition to confidentiality.
Block Cipher Modes (3)
Properties: Provide Confidentiality
Fast Data Storage and Retrieval
Efficient Use of Disk Space
CBC (Cipher Block Chaining)
LRW (Liskov, Rivest and Wagner)
XEX (Xor Encrypt Xor)
XTS (XEX-based Tweaked Codebook Mode)
CMC (CBC Mask CBC)
EME (ECB Mask ECB)
Above modes primarily used in Full Disk Encryption.
Stream Ciphers Uses key streams
Acts on bits of text
Most Hardware Implementations use these
Less complex than block ciphers
NOTE: Block Ciphers can also be used as Stream Ciphers.
Stream Cipher Types Synchronous
These generate random sequence of bits independent of the plain text
and cipher text.
Ex: RC4, HC-128
Asynchronous These generate key streams based on a set of former cipher text bits.
Ex: CTAK, CFB Mode Block Ciphers
Asymmetric Cryptography Advantages
Key Management
Disadvantages
Large Key Size
• Size ∞ Computational Power
Provides
Confidentiality, Integrity, Authentication, Non-Repudiation
Asymmetric Crypto Terms
Trapdoor Functions Mathematical functions that are easy to apply in one direction,
but extremely difficult in the reverse.
Asymmetric Ciphers DH (DHM)
Based on discrete logarithms
No Authentication
• Digital Signature Required
RSA
Based on factorisation of large numbers
Example Key Sizes: 512bits, 1024bits, 2048bits
Other Ciphers/Algorithms
El Gamal – Based on DH
Cramer-Shoup – Based on El Gamal
Knapsack
Elliptical Curve Cryptography Mathematical equations that use Elliptical Curves
Advantages: Small Key Size (Size ∞ Computational Power)
256 bit ECC key ≈ 3072 bit RSA/DH key; 384 bit ECC key ≈ 7680 bit RSA/DH key
Algorithms Digital Signatures
ECDSA: Elliptic Curve Digital Signature Algorithm
ECPVS: Elliptic Curve Pintsov Vanstone Signatures
ECNR: Elliptic Curve Nyberg Rueppel
Key Agreement
ECMQV: Elliptic Curve Menezes-Qu-Vanstone
ECDH: Elliptic Curve Diffie-Hellman
Encryption
ECIES: Elliptic Curve Integrated Encryption Standard
Hash Functions Provides condensed representation of a given text or message
(Message Digest)
Provides Integrity, Origin Authentication
Collision Situation when two different texts have the same hash
Examples MD5 – 128bits – Insecure – Collisions Possible
SHA1 – 160 bits –
263 Hash Operations for identifying a collision instead of 280 operations
RIPEMD-160 – 160 bits – Secure (no collisions identified yet)
SHA256 – 256 bits – Secure
Merkle Damgard Technique A method to build collision resistant hash functions
Used by common hash functions like MD5, SHA1 and SHA256
Block Ciphers - MAC
Block Ciphers can also be used as hash functions
MDC-2 – 128 bits
Whirlpool – 512 bits
Used in Message Authentication Code (MAC)
Adds a secret key to message during input
• Provides Origin Authentication
Provides Integrity
Popular Implementation: CBC-MAC
Hash Functions - MAC Hash Algorithms can also be used to produce MAC
Two Types MDx-MAC Scheme
Uses modified hash functions
SHA1, RIPEMD-160 can be used
HMAC
Unmodified hash functions
Secret key added to message
Used in IPSec, NAS, Mobiles
Ref: RFC2104, FIPS PUB 180, ISO 9797-2
Digital Signatures
Equivalent to physical signature
Provides Integrity, Origin Authentication and Non-Repudiation
Digital Signatures (2)
Software Components
Cryptographic Hash Function
Key Generation Algorithm
Signing Algorithm
Verification Algorithm
Implemented using
Public Cryptosystems: ECC, DSA, RSA, El Gamal
DSA – Digital Signature Algorithm Used in Digital Signature Standard
Ref: FIPS PUB 186, ISO 9696 and ISO 14888
Digital Envelope
Provides
Confidentiality in addition to Integrity, Origin Authentication and Non-
Repudiation
Two possible ways:
Encrypt the message and the digital signature with the recipient's public key
Encrypt the message with a secret key, then encrypt the secret key and the
digital signature with recipient’s public key
Further Presentations ….
PKI 101 PKI 201 Crypto Attacks 101
Basics of PKI
infrastructure
and
Key
Management.
Advanced PKI stuff,
which includes
various PKI
models, CRL types
and auditing PKI
infrastructure.
Discussion on
various attacks.