Lecture Information systems security - Chapter 5 (part 1): Cryptography basics

Chapter 5 (part 1) include objectives: Explain general cryptography concepts, explain basic hashing concepts, basic encryption concepts, explain and implement protocols, explain core concepts of public key cryptography.

Objectives

* Explain general cryptography concepts

* Explain basic hashing concepts

* Basic encryption concepts

* Explain and implement protocols

Cryptography

aaa

* Cryptography — science of encrypting information

* “scrambles” (xao tron) data so only authorized parties can “unscramble” and read data using two methods

* Can substitute — change one letter with a different letter (thay thé)

* Can transpose — scramble the order of letters, without actually

changing one for another (chuyén vi)

- a method of storing and transmitting data

In a form only intended for authorized parties to read or process

- science of studying,

breaking, and reverse engineering algorithms and keys

— the method of transforming data

(plaintext) into an unreadable format

— the format (usually

readable) of data before being encrypted

Cryptographic Terminology

* Decryption (giai ma) — the method of turning cipher text

back into plain text

“ Encryption algorithm — a set or rules or procedures that dictates how to encrypt and decrypt data Also called an encryption “cipher”

“ Key — (crypto variable) a values used in the encryption

Cryptographic Terminology

* Key space (khong gian khoa) — the range of possible values used to construct keys * example: * ifa key can be 4 digits (0-9) * key space = 10,000 (0000 — 9999) * If it can be 6 digits * key space = 1,000,000 (000,000 — 999,999)

“ Key Clustering — Instance when two different keys generate the same cipher text from the same plaintext

Các mục tiêu cúa mã hóa

LLL

| confidentiality/privacy (Tinh bi mat)

| Integrity (Tinh toan ven)

' Authentication (Tinh xac thuc)

Cryptography History

Transposition (hoan vi) Cipher

Transposition Cipher

Moon beams are nice

| In this example, text is

|_ Moon} | Beams | | Are} |_Nice grouped in five-character blocks

| onMo | | amsBe | | reA || ceNi |

Steganography (an thong tin)

yaaa

“ Hiding one message in another

Vigenere Cipher

* The Vigenere cipher is named for Blaise de Vigenère, although Giovan Battista Bellaso had invented the cipher

earlier Vigenere did invent a stronger autokey cipher

* Vigenere cipher is a method of encrypting alphabetic text

by using a series of different Caesar ciphers based on the

letters of a keyword It is a simple form of polyalphabetic Substitution

For example, suppose that the plaintext to be encrypted Is: The person sending the message chooses a keyword and repeats it until it matches the length of the plaintext, for

example, the keyword "LEMON":

The first letter of the plaintext, A, is enciphered using the alphabet in row L, which ts the first letter of the key This is done by looking at the letter in row L and column A of the

Vigenere square, namely L The rest of the plaintext is enciphered in a similar fashion

Plaintext:

Encryption Modes - Block

Block (ECB encryption) Plaintext Plaintext Plaintext anyone — màn

Block Cipher Block Cipher Block Cipher

Key —*_ Encryption Key ——>k Encryption Key —> Encryption

EEEEEEE- EETTTETT1 ESE4 Bì BỊ E E4 Em

Ciphertext Ciphertext Ciphertext

Solving Block Encryption Problems

* Often with block encryption, we include a value in addition to the key that changes for each block, so we don't get

repetitive cipher text blocks This is called Cipher Block

Chaining (see next slide)

“ XOhing is a Boolean mathematical “function” which

creates an output bit based on two input bits It outputs a 1 IF and ONLY if one bit of input is 1 and the other is a O

INPUT1T INPUT 2 XOR OUTPUT

0 0 = 0

0 1 = 1

1 0 = 1

Stream Encryption (Mã hóa luồng)

“ [he “key” Is used as a key stream generator, which

creates a series of bits each are is mathematically

combined with the bit stream of plaintext to produce cipher

text This is done for small pieces of information, or information not In blocks

“ Keyboard input

“ Morse code

One Time Pad

* 1011 — plain text

“ 0101 — pad

* 1110 — cipher text

One Time Pad

* A “perfect cryptosystem”

* Unbreakable if implemented properly * The key is a series of bits (O and 1) “ The plain text is converted to bits

* The message is XORed with the pad/key to generated the

cipher text

One Time Pad considerations

* The pad must be used only one time * The pad must be shared by both sides * The pad must be as long as the message * The pad must be securely distributed

Symmetric Encryption

LLL 66g

* Called Symmetric or “Private Key encryption”

%* Must securely distribute keys to both parties

© %s Chicken in the egg situation with networks

oe

* Anyone with the key can either encrypt or decrypt

© %s Very Fast to encrypt or decrypt

Symmetric Algorithms - DES

* Data Encryption Standard (1976)

“ Developed from at NIST request for an encryption standard

* Chosen algorithm was called “Lucifer” from IBM

“ Block Cipher

* Fixed sized blocks of 64 bits

* Key size 64 bits, effective size is 56 bits

* 16 rounds of substitution and transposition

AES (Advanced Encryption Standard) -

Tiêu chuẩn mã hóa tiên tiến

* Developed as a replacement to DES, 1998

RCS LLL * Ronald Rivest , 1994 * Block cipher * Block size 32, 64, 128

* Key Size up to 2048 bits

Nee

cac 6

RC4

* Stream cipher — what was that again?

* Was proprietary, but released on Internet in 1994, “ARC4” is the “open version of RC4”

* Key length 8 — 2048 bits

IDEA

* International Data Encryption Algorithm (Thuat toan Ma hoa DU liéu QuOc té)

* James Massey, Xuejia Lai, 1991 * Proposed AES candidate

* Block cipher

* 64 bit blocks * 128 bit keys

* Not free, Patent expires soon though

Symmetric

<<

* That’s Symmetric Encryption

* Understand the concept (shared keys)

Enter Non-Repudiation (Khong thoai

⁄

(| @

* Non-Repudiation — being able to definitively prove someone said or wrote something

* Proves they actually sent a message

* Proves the message was not altered

“ How do we provide non-repudiation? We'll see soon after

Asymmetric Encryption

* Called Public key encryption

* Requires 2 related keys

* Public key — given to anyone * Private key — kept secret

* Public key is used to encrypt message * Private key is used to decrypt message

* Private key is used to sign messages

Asymmetric Encryption

* Key exchange Is simple!

* Asymmetric Encryption is SLOW, not suitable for encrypting large amounts of data

Diffie-Hellman

ae © Whitfield Diffie , Martin Hellman, 1976

* The original Asymmetric algorithm * Used with SSL, VPNs, ssh

* Used ONLY for key exchange

Asymmetric Algorithms - RSA

* Ron Rivest, Adi Shamir , Len Adleman, 1977, MIT

“ Can be 100 times slower than DES

* Can be used for encryption, key exchange and digital

signatures

ECC - Elliptic Curve Cryptography

[LLL LLL ẻ' 'ẻẻẻẽ

* Neal Koblitz, Victor S Miller, 1985

* Encryption, key exchange or digital signatures

* Security based on analyzing elliptic curves in finite fields

Asymmetric Overview

* Uses 2 keys, one for encryption, one for decryption

* This mitigates the key management, key distribution

problem (kind of )

* Is VERY slow (orders of magnitude slower)

* Can provide integrity and proof of sender (non-repudiation) * Often used in a hybrid system (along with private key

encryption)

“ Encrypt symmetric keys using asymmetric algorithms

Hashing - Bam

E911 * Hashing is similar to encryption but different

* Hashing Is a one way operation

* Take input message

* Put through hashing function

* Retrieve fixed length value (hash digest)

Hashes

* Once hashed, no way to get

back the original message

Hashes

Hashing can provide integrity (assuming no MIM (next

slide))

Hashes can be combined with a_ private key to provide

protection against MIM attacks (visualization in a few slides

next slide)

© %s

© %s

© %s The more bits in the digest, generally the more secure (less

change for collision generally)

© %s One Example of a hash that you are probably familiar with

Normal use of Hash _—“ ư*> |msg 4 hash “g digest “Rene =>

Alice creates a message, and computes the hash digest and send both to Sam

=

2 S hash

xổ 6 digest

Hash MiM attack (phase

Alice sends Sam a message and the

hash digest of the message

Hash MiM attack (phase 2)

Hacker sends the altered message

and hash digest to Sam

Sam recieves the message, computes the

hash, verifies it's matches the hash he

recieved and thinks that the message from

HMAC

function hmac (key, message)

if (length(key) > blocksize) then

key = hash(key) // keys longer than

blocksize are shortened

end if

if (length(key) < blocksize) then

key = key || zeroes(blocksize -

length(key)) // keys shorter than blocksize are zero-padded

end if

Hash algorithms - SHA

“ Secure Hash Algorithm

* Designed/Published by NIST and NSA

MD2

* Developed by Ronald Rivest (of RC and RSA fame) * Optimized to run on 8 bit computers

* 128 bit digest

MD5

© %s Similar to MD4, but more secure

Hash overview a : “ Know what a hash ts * Concept

* Fixed length digest

“* What is a hash used for “* Know what a collision is

** Know it’s susceptible to MiM

“* Know what HMAC is, and what it tries to accomplish * Be familiar with MDx, and SHA-x

Digital Signatures

Digital Signing

“ Generally when | digital sign something | don’t encrypt the whole message Instead

“ Run message through hash algorithm, generated message digest

* Sign the “message digest”