
Cryptography

By Amit Kumar Bhardwaj
Agenda
• Pros and cons of data encryption
• Single key encryption
• Two-key encryption
• Combining single and two-key encryption
• Message integrity
• Digital certificates
• PKI
Encryption is a method of changing a message so
that its content isn’t intelligible to a casual viewer.
Using something that only the sender and receiver
know, the message is turned from readable to
nonsense before it is sent and restored to readable
form when it is received. Encryption is the primary
technique for protecting the content of a data
communications message while it is traveling outside
the local network on which it originated. Encryption
can also be used to protect data stored on a hard
disk.
Pros and cons of data encryption
• Encrypting and decrypting messages
consumes a lot of computing power,
slowing down data communications.
• Negotiating the type of encryption to be
used during a communications session
lengthens the time needed to set up the
session.
• Using encryption and digital certificates
for authentication requires the
development and maintenance of a PKI,
which can be costly for a small
organization.
Cont ..
• You can’t process data in encrypted form; it must be
decrypted. If you use encryption to protect data stored
on your servers, for example, it must be decrypted
every time a user needs to search for or display data.
This can significantly increase processing time.
• The secret keys for many well-known encryption
algorithms can be cracked by today’s high-end
computers. Therefore, no encryption method should be
considered totally uncrackable, especially when the
problem is distributed among Internet users whose
computers run a brute force attack during idle periods.
Single Key Encryption Schemes
• The algorithmically simplest type of encryption uses a
single shared key to encrypt and decrypt a message.
Because there is only one key, it must be known to both
the sender and receiver. The result is encryption that is
conceptually simple, but possibly difficult to manage.
• Because the key used by both sender and receiver is
the same, single key encryption keys are also commonly
known as symmetric keys.
Substitution Cyphers
• Single key encryption methods are essentially
substitution cyphers, where one character is
substituted for another based on a transformation
that process is used to decrypt the message. When
one character is substituted for another, we call it a
stream cypher; when a longer key is applied to a
group of characters, we call it a block cypher. Most
of the substitution cyphers in use today are block
cyphers because they are more secure than
stream cyphers.
Data Encryption Standard (DES)
• The Data Encryption Standard (DES) was the U.S.
government’s first successful attempt at
standardizing the encryption used to communicate
with government agencies. It was formally adopted
as a Federal Information Processing Standard
(FIPS) in 1976.
• However, its short key length has made it
relatively easy to crack with today’s computing
power (less than 24 hours), and although you may
find it still in use commercially, it has been
replaced for government use by AES.
• DES works much like the second version of the
sample substitution cypher.
Cont ..
• The DES key is 64 bits in length, although only 56 bits actually are
used in the encryption; the remainder are parity bits used for error
checking.
• The plaintext is modified in 64-bit chunks. Each time a key is used, it
is exclusive-ORed (XORed) with the plaintext. Encrypting a single
64-bit block of plaintext with DES is not as simple as our example,
however. It involves 16 rounds of plaintext transformations,
including breaking the plaintext into two 32-bit chunks that are
swapped repeatedly during the rounds. Each round also expands the
32-bit block to 48 bits, which are then XORed with a 48-bit subkey.
The subkey has been generated by a “key schedule,” an algorithm
that creates the 48-bit subkeys based on the original 56-bit key.
After XORing with the subkey, the 48-bit block is divided into 6-bit
chunks, each of which is fed to an S-box that outputs a 4-bit block,
reducing the overall block back to its original 32 bits. (The security
of DES rests with the transformation that occurs in the S-boxes.)
Decryption is similar to encryption with the exception that the key
transformations must be generated and applied in the reverse order.
Because of its computational complexity, DES was often
implemented in hardware.
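The round structure described above (two 32-bit halves swapped each round, decryption as the same process with the subkeys reversed) can be seen in a toy network. This is an added example, not part of the original slides, and it is not DES: the key schedule and round function are hypothetical stand-ins built from SHA-256 and HMAC, and the key and block values are constructed.

```python
import hashlib
import hmac

ROUNDS = 16              # DES runs 16 rounds
HALF_MASK = 0xFFFFFFFF   # each half of the 64-bit block is 32 bits


def key_schedule(key: bytes) -> list:
    """One subkey per round (hypothetical stand-in for the DES key schedule)."""
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(ROUNDS)]


def round_function(half: int, subkey: bytes) -> int:
    """Mix a 32-bit half with a subkey (stand-in for expansion + S-boxes)."""
    mac = hmac.new(subkey, half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def feistel(block: int, subkeys: list) -> int:
    """Run one 64-bit block through every round, swapping halves each time."""
    left, right = block >> 32, block & HALF_MASK
    for subkey in subkeys:
        left, right = right, left ^ round_function(right, subkey)
    # Undo the last swap so the same routine can be reused for decryption.
    return (right << 32) | left


def encrypt_block(block: int, key: bytes) -> int:
    return feistel(block, key_schedule(key))


def decrypt_block(block: int, key: bytes) -> int:
    # Identical structure; only the subkey order is reversed.
    return feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key = b"constructed demo key"        # constructed sample input
    plaintext = 0x0123456789ABCDEF       # constructed 64-bit block
    ciphertext = encrypt_block(plaintext, key)
    print(f"{ciphertext:016x}", decrypt_block(ciphertext, key) == plaintext)
```

The round function never has to be invertible: XORing the same round output a second time cancels it, which is why only the subkey order changes between encryption and decryption.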
Triple DES
The vulnerabilities in DES became very well known.
Therefore, cryptographers developed an interim
version, for use until another encryption method was
adopted, called Triple DES . Triple DES uses a 192-
bit key, three times the length of the 64-bit DES key.
The algorithm repeats the DES encryption process
three times, each time using a different 64 bits of
the 192-bit key.

Because Triple DES is essentially DES performed three
times, it is more than three times harder to crack. It
is also three times slower to implement and
therefore was never considered as a permanent
encryption standard.
Advanced Encryption Standard
• The Advanced Encryption Standard (AES) was developed
in 1998 by Vincent Rijmen and Joan Daemen from their
proprietary encryption scheme named Rijndael. (AES
uses the same algorithms as Rijndael, but requires fixed
key and plaintext block sizes; Rijndael can handle keys
and block sizes in varying multiples of 32 bits between
128 and 256 bits.)
• AES is similar to DES in that it uses key transformations
for security. However, its keys are longer—128, 192, or
256 bits—and it works on 128-bit blocks of plaintext. It
also uses S-boxes to output chunks of cyphertext
through 10, 12, or 14 rounds of key transformations.
(The number of rounds corresponds to the length of the
key.)
Two-Key Encryption Schemes
• The serious key management issues surrounding symmetric key
encryption methods prompted the development of an encryption
method that didn’t require the presharing of a secret key. Three
researchers—Ronald L. Rivest, Adi Shamir, and Leonard Adleman—
proposed public key encryption (PKE) in 1977.
• The developers of public key encryption are the source of the
acronym RSA, the name of their company that currently acts as
one of the major issuers of digital certificates.
• PKE is sometimes also called asymmetric key encryption to
differentiate it from symmetric key encryption.
• The basic idea behind PKE is that you have different encryption and
decryption keys. You publish the encryption key freely so that
anyone can encrypt messages to send to you. However, your
secret decryption key is the only key that can decrypt the
message.
Combining Single- and Two-Key Encryption
• Most encrypted transmissions today use a combination of
single- and two-key encryption. The process works as follows:
1. The sender and receiver negotiate encryption methods.
2. Each generates a private symmetric encryption key (a session
key). This key will be used to encrypt and decrypt messages for
the current communications session only.
3. The sender and receiver encrypt the session key using PKE and
send the session keys to each other.
4. The remainder of messages in the session are encrypted using
the symmetric key.
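Steps 2 to 4 for one direction of a session, as an added example that is not part of the original slides. Both primitives are toy stand-ins chosen so the code runs with the standard library only: unpadded RSA over two small constructed primes in place of a real PKE scheme, and a SHA-256 counter keystream in place of a real symmetric cipher; all function names are hypothetical.

```python
import hashlib
import secrets

# Receiver's toy RSA key pair (constructed; far too small and unpadded for
# real use). Both primes are Mersenne primes.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                    # public key, published freely
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the receiver


def keystream_xor(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(session_key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)


def wrap_session_key(session_key: bytes) -> int:
    """Step 3, sender: encrypt the session key under the public key (N, E)."""
    return pow(int.from_bytes(session_key, "big"), E, N)


def unwrap_session_key(wrapped: int) -> bytes:
    """Step 3, receiver: recover the session key with the private key D."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def run_session(messages: list) -> list:
    """Steps 2-4: one session key, wrapped once, reused for every message."""
    session_key = secrets.token_bytes(16)        # step 2: fresh per session
    wrapped = wrap_session_key(session_key)      # step 3: this goes on the wire
    receiver_key = unwrap_session_key(wrapped)
    received = []
    for n, message in enumerate(messages):       # step 4: symmetric from here on
        nonce = n.to_bytes(8, "big")             # never reuse a nonce with a key
        ciphertext = keystream_xor(session_key, nonce, message)
        received.append(keystream_xor(receiver_key, nonce, ciphertext))
    return received


if __name__ == "__main__":
    print(run_session([b"constructed message 1", b"constructed message 2"]))
```

The slow public-key operation runs once per session on 16 bytes; every message after that costs only the fast symmetric operation.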
Ensuring Message Integrity
• Encryption ensures message privacy, preventing unauthorized people from
viewing the content of a message. It does not, however, ensure message
integrity, preventing someone from changing the message while it is in transit.
• One widely used solution is to create a message digest, or digital signature, a
compressed transformation of the message that has the property that a small
change in the input (the message) produces a large change in the output (the
message digest). The message digest is computed as the message is assembled
for transmission and attached to the message itself. The recipient then
recomputes the message digest and compares it to what was received. If the two
digests don’t match, then the message was altered during transmission.
• Most message digests are created using a process called hashing, which takes an
input string and puts it through a predefined transformation. The output is a
shorter string of some fixed length. In the case of message digests, the output of
the most widely used algorithms is between 128 and 160 bits.
• Good hashing algorithms are one-way, in the
sense that you can’t reconstruct the message
from the hashed output. Having the message
digest doesn’t allow a system cracker to
determine the message in a packet. The most
common way to use message digests in a
cracking attempt is a brute force attack that runs
millions of potential messages through the
algorithm to find matching digests. When the
digests match, then the system cracker has
determined the message.
Message Digest Algorithms
• MD5: MD5 was developed in 1991 by Ronald Rivest as a
successor to MD4 and MD2. It produces a 128-bit output
string that is generally considered quite secure. Research by
RSA indicates that it would take 24 days for a computer
designed specifically to crack MD5 to generate a collision.
• SHA-1: SHA-1 is an alternative to MD5 that was developed
by NIST. It produces a 160-bit output string. Because it has a
longer output string, it is considered more resilient to
brute-force cracking attempts than MD5.
• HMAC: HMAC is an extension to both MD5 and SHA-1 that
adds a password, further increasing the security of both
algorithms.
Checksums

Another way to ensure message integrity is
to use a checksum, a simpler form of a
message digest. Because they are not as
secure as message digests, checksums are
most commonly used to indicate accidental
modifications to data during transmission,
rather than malicious modifications.
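The difference between a checksum, a plain message digest and HMAC shows up when the receiver's check is run against an accidental bit flip and against a message replaced in transit. This is an added example, not part of the original slides; it uses CRC-32 and SHA-256 from the Python standard library (SHA-256 in place of MD5 or SHA-1), and the messages and key are constructed.

```python
import hashlib
import hmac
import zlib


def crc_tag(message: bytes, key: bytes = b"") -> bytes:
    """Checksum: CRC-32 over the message; the key is ignored."""
    return zlib.crc32(message).to_bytes(4, "big")


def digest_tag(message: bytes, key: bytes = b"") -> bytes:
    """Unkeyed message digest; the key is ignored."""
    return hashlib.sha256(message).digest()


def hmac_tag(message: bytes, key: bytes) -> bytes:
    """Keyed digest: only holders of the shared key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(tag_fn, message: bytes, tag: bytes, key: bytes) -> bool:
    """Receiver: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_fn(message, key), tag)


def corrupt(message: bytes, tag: bytes):
    """Accidental damage: one bit flips in transit, the tag is unchanged."""
    return bytes([message[0] ^ 0x01]) + message[1:], tag


def rewrite(tag_fn, new_message: bytes):
    """Deliberate change without the key: new message, tag recomputed."""
    return new_message, tag_fn(new_message, b"")


def integrity_report(key: bytes) -> dict:
    """True means the receiver accepted the message as unmodified."""
    original = b"PAY 100 TO ALICE"                      # constructed sample
    report = {}
    for name, fn in (("crc32", crc_tag), ("sha256", digest_tag), ("hmac", hmac_tag)):
        tag = fn(original, key)
        report[name] = {
            "intact": verify(fn, original, tag, key),
            "bit_flip": verify(fn, *corrupt(original, tag), key),
            "rewritten": verify(fn, *rewrite(fn, b"PAY 900 TO MALLORY"), key),
        }
    return report
```

All three tags catch the bit flip, but only the HMAC check rejects the rewritten message, because the checksum and the plain digest can be recomputed by anyone who can see the message.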
CRC Checksums
