Cryptography 101 By Aman Hardikar

Upload: ncc-group

Post on 06-May-2015


TRANSCRIPT

Page 1: Cryptography101

Cryptography 101 By Aman Hardikar

Page 2: Cryptography101

Contents / Topics

INTRODUCTION

SYMMETRIC CRYPTOGRAPHY

Block Ciphers

Introduction

Terms

Modes

Stream Ciphers

Introduction

Types

ASYMMETRIC CRYPTOGRAPHY

Introduction

Terms

Ciphers

HASH FUNCTIONS

Introduction

Merkle Damgard Technique

MAC

DIGITAL SIGNATURE

DIGITAL ENVELOPE

Skill Level:

Beginner - Intermediate

Page 3: Cryptography101
Page 4: Cryptography101

Introduction

Cryptography: Securing information in a form that only the intended end parties can read

Cryptography Primitives (building blocks of cryptographic protocols)

Encryption

• Involves the conversion of plain text to cipher text

Decryption

• Involves the conversion of cipher text to plain text

Signature Generation

• Involves producing a special string that can be tied to a user

Signature Verification

• Involves verifying, from the message and its signature, that it came from the claimed user

Key Negotiation and Exchange

• Involves negotiation and exchange of keys between the various parties involved

Steganography: Hiding information inside other files

Ex: pictures, audio, video, executable files

Page 5: Cryptography101

Types

Symmetric Cryptography

One key for both encryption and decryption

Asymmetric Cryptography (Public Key Cryptography)

Two keys: one for encryption, the other for decryption

Page 6: Cryptography101

Symmetric Cryptography

Advantages

Small Key Size

• Key Size ∝ Computational Power

Disadvantages

Key Management and transfer/sharing

• Number of keys required = n(n-1)/2, where n is the number of parties involved.

• If there are 5 parties, then number of keys = 10

• If there are 10 parties, then number of keys = 45

• If there are 100 parties, then number of keys = 4950

Provides Confidentiality, Integrity, Origin Authentication

[based on the Mode used]

Page 7: Cryptography101

Symmetric Crypto - Types

Block Ciphers

Divide the text into blocks and act on each of them

Stream Ciphers

Act on each bit of the text

Page 8: Cryptography101

Block Cipher Terms

Key Size

Effective Key Size

Block Size

Initialization Vector (IV)

Work Factor

Page 9: Cryptography101

Block Cipher Examples

Lucifer (64 bits), DES/DEA (56 bits), DESX (184 bits)

3DES / TDES / TripleDES (168 bits)

EEE, EDE, ….

AES/Rijndael (Variable Size)

IDEA

Serpent, Blowfish, RC6

Page 10: Cryptography101

Block Cipher Modes

ECB (Electronic Code Book)

CBC (Cipher Block Chaining)

• CBC$

• CBCC

PCBC (Propagating CBC)

CFB (Cipher FeedBack)

OFB (Output FeedBack)

CTR (CounTeR)

• CTR$

• CTRC

Above modes provide confidentiality only.
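As an added illustration (not part of the original deck), the Python below runs ECB, CBC and CTR over a toy 16-byte Feistel block cipher built from SHA-256. The cipher and all function names are this example's own assumptions: it is a placeholder permutation that makes the mode behaviour observable, not a real cipher, and no padding scheme is included, so ECB/CBC callers pass whole blocks. CTR also shows the note on page 13 that a block cipher can be run as a stream cipher.

```python
import hashlib
BLOCK = 16  # toy cipher block size in bytes (two 8-byte Feistel halves)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function (keyed hash of a half-block). With the 4-round
    # Feistel below it is only a demo permutation, NOT a real cipher.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):  # same network, rounds in reverse order
        left, right = right, _xor(left, _round(key, i, right))
    return right + left

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Blocks are encrypted independently, so equal plaintext blocks give equal
    # ciphertext blocks and patterns leak. Input must already be block-padded.
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv  # each block is XORed with the previous ciphertext
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(toy_decrypt_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR encrypts nonce||counter into a keystream: the block cipher acts as
    # a stream cipher, one call both encrypts and decrypts, no padding needed.
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        stream = toy_encrypt_block(key, nonce[:8] + n.to_bytes(8, "big"))
        out.append(_xor(data[i:i + BLOCK], stream))
    return b"".join(out)
```

Encrypting two identical plaintext blocks shows the difference directly: ECB yields two identical ciphertext blocks, CBC does not.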

Page 11: Cryptography101

Block Cipher Modes (2)

CMAC (Cipher based MAC) – Integrity + Authentication

CCM (Counter with CBC-MAC) – Integrity + Authentication

GCM (Galois/Counter Mode) – Integrity + Authentication

Above modes also provide other security services in addition to confidentiality.

Page 12: Cryptography101

Block Cipher Modes (3)

Properties:

• Provide Confidentiality

• Fast Data Storage and Retrieval

• Efficient Use of Disk Space

CBC (Cipher Block Chaining)

LRW (Liskov, Rivest and Wagner)

XEX (Xor Encrypt Xor)

XTS (XEX-based Tweaked Codebook Mode)

CMC (CBC Mask CBC)

EME (ECB Mask ECB)

Above modes primarily used in Full Disk Encryption.

Page 13: Cryptography101

Stream Ciphers

Use key streams

Act on bits of text

Most hardware implementations use these

Less complex than block ciphers

NOTE: Block Ciphers can also be used as Stream Ciphers.

Page 14: Cryptography101

Stream Cipher Types

Synchronous

These generate a pseudorandom sequence of bits (the key stream) independent of the plain text and cipher text.

Ex: RC4, HC-128

Asynchronous

These generate key streams based on a set of former cipher text bits.

Ex: CTAK, CFB Mode Block Ciphers
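As an added example (not from the deck), here is the RC4 algorithm the slide names, in Python, to make the synchronous property concrete: the key stream comes from the key alone and is simply XORed with the data, so one function encrypts and decrypts. The function names are this example's own. RC4 has known key-stream biases and is deprecated; it appears here only because it is short enough to read in full.

```python
def rc4_keystream(key: bytes):
    # Key-scheduling algorithm (KSA): permute the state S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): each step depends on S and
    # the key only, never on plain or cipher text, so the cipher is synchronous.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the key stream: the same call encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def keystream_prefix(key: bytes, n: int) -> bytes:
    # First n key stream bytes; the same bytes are used whatever the message.
    gen = rc4_keystream(key)
    return bytes(next(gen) for _ in range(n))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
```

XORing any ciphertext with its plaintext gives back the same key stream prefix regardless of the message, which is exactly what "independent of the plain text and cipher text" means.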

Page 15: Cryptography101

Asymmetric Cryptography

Advantages

Key Management

Disadvantages

Large Key Size

• Key Size ∝ Computational Power

Provides

Confidentiality, Integrity, Authentication, Non-Repudiation

Page 16: Cryptography101

Asymmetric Crypto Terms

Trapdoor Functions: Mathematical functions that are easy to apply in one direction, but extremely difficult to reverse without the secret trapdoor information.

Page 17: Cryptography101

Asymmetric Ciphers

DH (DHM)

• Based on discrete logarithms

• No Authentication – Digital Signature Required

RSA

• Based on factorisation of large numbers

• Example Key Sizes: 512 bits, 1024 bits, 2048 bits

Other Ciphers/Algorithms

• El Gamal – Based on DH

• Cramer-Shoup – Based on El Gamal

• Knapsack

Page 18: Cryptography101

Elliptic Curve Cryptography

Public-key cryptography built on the mathematics of elliptic curves

Advantages: Small Key Size (Key Size ∝ Computational Power)

256 bit ECC key ≈ 3072 bit RSA/DH key; 384 bit ECC key ≈ 7680 bit RSA/DH key

Algorithms

Digital Signatures

• ECDSA: Elliptic Curve Digital Signature Algorithm

• ECPVS: Elliptic Curve Pintsov Vanstone Signatures

• ECNR: Elliptic Curve Nyberg Rueppel

Key Agreement

• ECMQV: Elliptic Curve Menezes-Qu-Vanstone

• ECDH: Elliptic Curve Diffie-Hellman

Encryption

• ECIES: Elliptic Curve Integrated Encryption Scheme

Page 19: Cryptography101

Hash Functions

Provide a condensed representation of a given text or message (Message Digest)

Provide Integrity, Origin Authentication

Collision: Situation when two different texts have the same hash

Examples

MD5 – 128 bits – Insecure – Collisions Possible

SHA1 – 160 bits – 2^63 hash operations to find a collision instead of the 2^80 expected from the digest size

RIPEMD-160 – 160 bits – Secure (no collisions identified yet)

SHA256 – 256 bits – Secure

Page 20: Cryptography101

Merkle-Damgård Technique

A method to build collision resistant hash functions

Used by common hash functions like MD5, SHA1 and SHA256

Page 21: Cryptography101

Block Ciphers - MAC

Block Ciphers can also be used as hash functions

• MDC-2 – 128 bits

• Whirlpool – 512 bits

Used in Message Authentication Code (MAC)

Adds a secret key to the message during input

• Provides Origin Authentication

• Provides Integrity

Popular Implementation: CBC-MAC

Page 22: Cryptography101

Hash Functions - MAC

Hash algorithms can also be used to produce a MAC

Two Types

MDx-MAC Scheme

• Uses modified hash functions

• SHA1, RIPEMD-160 can be used

HMAC

• Uses unmodified hash functions

• Secret key added to the message

• Used in IPSec, NAS, Mobiles

Ref: RFC2104, FIPS PUB 180, ISO 9797-2

Page 23: Cryptography101

Digital Signatures

Digital equivalent of a handwritten signature

Provides Integrity, Origin Authentication and Non-Repudiation

Page 24: Cryptography101

Digital Signatures (2)

Software Components

• Cryptographic Hash Function

• Key Generation Algorithm

• Signing Algorithm

• Verification Algorithm

Implemented using Public Cryptosystems: ECC, DSA, RSA, El Gamal

DSA – Digital Signature Algorithm, used in the Digital Signature Standard

Ref: FIPS PUB 186, ISO 9696 and ISO 14888

Page 25: Cryptography101

Digital Envelope

Provides Confidentiality in addition to Integrity, Origin Authentication and Non-Repudiation

Two possible ways:

• Encrypt the message and the digital signature with the recipient's public key

• Encrypt the message with a secret key, then encrypt the secret key and the digital signature with the recipient's public key

Page 26: Cryptography101

Further Presentations ….

PKI 101 – Basics of PKI infrastructure and Key Management.

PKI 201 – Advanced PKI stuff, which includes various PKI models, CRL types and auditing PKI infrastructure.

Crypto Attacks 101 – Discussion on various attacks.

Page 27: Cryptography101