Cryptography

Cryptographic

Cryptographic

 Algorithms

 Algorithms

14 14thth _{May 2012 May 2012} P.R.Lakshmi Eswari P.R.Lakshmi Eswari e-Security Team e-Security Team C-DAC Hyderabad C-DAC Hyderabad

Network Security

Network Security





What is it ?

What is it ?





Why do we need it ?

Why do we need it ?



Network Security

Network Security





What is it ?

What is it ?





Why do we need it ?

Why do we need it ?



 Normal Flow  Normal Flow

Network Security Issues

 Normal Flow  Normal Flow

Interruption Interruption

Network Security Issues

 Normal Flow  Normal Flow

Interruption Interruption

Network Security Issues

Network Security Issues

Modification Modification

 Normal Flow

Interception Interruption

Network Security Issues

 Normal Flow

Interception Interruption

Network Security Issues

Fabrication Modification

 Normal Flow

Interception Interruption

Get it?

Repudiation

 No! Sent it?

Network Security Issues

Fabrication Modification

Requirement

Interception Get it?

Repudiation

 No! Sent it?

Availability

Network Security Services

Fabrication Modification

Requirement

Interception Get it?

Repudiation

 No! Sent it?

Availability

Integrity

Network Security Services

Fabrication

Requirement

Get it?

Repudiation

 No! Sent it?

Availability

Integrity

_{Confidentiality}

Network Security Services

Fabrication

Requirement

Get it?

Repudiation

 No! Sent it?

Availability

Integrity

_{Confidentiality}

Authenticity

Network Security Services

Requirement

Availability

Integrity

_{Confidentiality}

Authenticity

Non Repudiation

Security Mechanisms

 Confidentiality - Encryption

 Integrity - Hashing

  Authentication - Digital Certificates  Non-Repudiation - Digital Signatures

Cryptographic Algorithms

Types of Cryptographic algorithms

Secret key cryptography or Symmetric Key Public key cryptography or Asymmetric Key Hash functions

Types of Cryptosystems

 Secret Key or Symmetric Cryptography

DES, IDEA, AES etc

Advantages: fast, cipher text secure

Disadvantages: must distribute key in advance, key must not be divulged

 Public-key or Asymmetric Cryptography

RSA, Diffie-Hellman key agreement protocol etc

Advantages: public key widely distributable, does digital signatures

Secret Key Algorithms

Encryption algorithm

Decryption algorithm

Shared Secret Key

Plain text input Plain text output Transmitted Cipher text Confidentiality

Secret Key Encryption



Block Cipher: Operates on a block of

message or plaintext at a time

Ex: DES, IDEA)

Data Encryption Standard (DES)

Permutation Permutation Swap Round 1 Round 2 Round 16 Generate keys Initial Permutation 48-bit K1 48-bit K2 48-bit K16

Swap 32-bit halves

Final Permutation 64-bit Output

48-bit K1

64-bit Input 56-bit Key

Triple DES

 Uses 3 keys and 3 executions of DES

algorithm.

Encrypt

Encryption

Decryption

Decrypt Encrypt

Decrypt Encrypt Decrypt Plain text Cipher text Cipher text Plain text

Key1 Key2 _Key3

Key3 Key2 Key1

Other Secret key algorithms

IDEA (International Data Encryption

 Algorithm)

 128 bit key, 8 rounds

Blowfish

 Variable key length. (up to 448 bits).

Generally 128 bit key used. 16 rounds.

 Easy to implement and high execution

speed.

Other Secret key algorithms

 CAST 128

 Key size between 40 and 128 bits.  F varies from round to round.

  AES (Advanced Encryption Standard)

 Variable block length (128, 192, 256 bits)  Variable key length (128, 192, 256 bits)

 Ease of implementation in software and hardware.

Stream Cipher



 A pseudo random no. generator

continuously generates bits known as

running key or keystream.



xoring the keystream to the plain text

produces the cipher text.



e.g. RC4, SEAL, A5/1 (used in GSM)

Stream Cipher

Keystream generator

+

+

Keystream generator key key plaintext ciphertext plaintext ciphertext Encryption Decryption

Keystream Generator is a pseudo random generator like linear feedback shift register

Key Distribution



Symmetric schemes require both parties to

share a common secret key



Issue is how to securely distribute this key



Often secure system failure due to a break in

Public Key Cryptography



Uses two keys: private & public



Used for 

 Confidentiality   Authentication  Key distribution



The sender encrypts using public key of

receiver



Only the receiver can decrypt the cipher

message with his private key

Public Key Cryptography

Public Key Algorithms

Encryption algorithm Decryption algorithm Plain text input Plain text output Transmitted Cipher text Private Key Public key ring

RSA



Key Generation

 Select prime no.’s p & q  Calculate n = p x q

 Calculate (n) = (p-1)(q-1)

 Select integer e such that e is relatively

prime to (n)

 Calculate d = e-1mod (n)

(d = multiplicative inverse of e)

 Public Key = {e, n} Private Key = {d, n}

Encryption

 Plaintext M < n

 Cipher text C = Me(mod n)

Decryption

 –  Cipher text C

 –  Plaintext M = Cd(mod n)

Public Key Cryptography

Strength of Cryptographic Algorithms Identify the weakest links

 Key length: key can be broken by brute force attack.

For a 32 bit key max. possible combinations is 232_.

Hence size of key is crucial.

 Symmetric algorithms: key sizes currently used is 128 bits  Public key algorithms: require much larger key sizes since

an extra structure i.e. public key is available to

cryptanalyst. Hence keys with 1024 bits and more are safer.

Public Key Algorithms

Encryption algorithm Decryption algorithm Plain text input Plain text output Transmitted Cipher text Private Key

Public key ring

Public Key Algorithms

Encryption algorithm Decryption algorithm encrypted key Private Key Session key Shared session key

Public key ring

 Enables 2 users to exchange a secret key

securely that can be used for subsequent encryption of messages.

 If p is prime no., its primitive root a is such

that a mod p, a2 _{mod p, …a}p-1 _{mod p are}

distinct integers from 1 to p-1 in some permutation.

Key Management

Diffie Hellman key exchange

User A _{User B} prime p Public key pk₁ = x_{mod p} Public key pk₂ = y_{mod p} pk₁ pk₂

Public Key Cryptography

random no. x random no. y

Secret Key K = pk₂x_{mod p} = xy_{mod p} Secret Key K = pk₁y_{mod p} = xy_{mod p} primitive root prime p primitive root

Symmetric vs. Asymmetric



 Asymmetric

 Fastest implementation of RSA (asymmetric) can

encrypt kilobits/sec

 2048-bit key



Symmetric

 Fastest implementation of DES (symmetric) can

encrypt megabits/sec

The Hybrid Model

Very common practice: hybrid symmetric and

asymmetric

  Asymmetric encryption is used to share a secret

key, which is then used for symmetric encryption

  Advantages

Integrity



Encryption protects only against

passive attack.



Integrity

  A message digest is computed which is

appended to message using hash functions.

Hash Functions

 A public function that maps a plaintext message of any length into a fixed length hash value used as the authenticator

 Pros

 One way transformation

 Offers integrity without the cost of encryption  Message can be read when authentication is

unnecessary

 Cons

 No Confidentiality

Secure Hash Algorithm (SHA-1)

 Takes input as 512 bit blocks and produces 160 bit

message digest.

64 bits

message length

Original message zero padding

512 x m bits

Digital Signatures

 Encrypt a small block of bits that is a function of

the document (authenticator), using sender’s private key.

 This serves as signature that verifies origin and

content.

 SHA-1 can be used as this function.

Authentication

  An authentication mechanism which enables the

creator of a message to attach a code that acts as a signature



 An answer to Internet trust problem



Trusted 3

rd

 parties issue certificates to

people or companies who prove their ID

Digital Certificates

 _–

 Manage key



Used for distribution of public keys.



Public key certificate consisting of

public key and user ID of key owner is

signed by a trusted third party.



The third party is called Certificate

Digital Certificates



 A Digital Certificate typically contains

 Owner’s public key  Owner’s name

 Expiration date of the public key

 Name of the issuer (CA that issued the Digital

ID)

 Serial number of the Digital ID  Digital signature of the issuer  X.509

X.509 Authentication Service

 Part of CCITT X.500 directory service standards

 distributed servers maintaining some info database  Defines framework for authentication services

 directory may store public-key certificates   with public key of user

 signed by certification authority   Also defines authentication protocols

 Uses public-key crypto & digital signatures

X.509 Certificates

 Issued by a Certification Authority (CA), containing:   version (1, 2, or 3)

 serial number (unique within CA) identifying certificate  signature algorithm identifier

 issuer X.500 name (CA)

 period of validity (from - to dates)  subject X.500 name (name of owner)

 subject public-key info (algorithm, parameters, key)  issuer unique identifier (v2+)

 subject unique identifier (v2+)  extension fields (v3)

 signature (of hash of all fields in certificate)

Network Security Protocols



What is a protocol ?



Why do we need a network security protocol ?



 Authentication



Data integrity



Confidentiality



Key exchange

Protocol Layers

Where to Implement Security?



TCP/IP protocol stack

  Application Layer

 Transport Layer  Network Layer  Link Layer

Deployment of Cryptography

Network-Layer Encryption Application-Layer Encryption Link-Layer Encryption Link-Layer Encryption Application Layers (5-7) Transport/Network Layers (3-4) Link/Physical Layers (1-2)