8/14/2019 Lmt Cryptography
1/18
Cryptography
By
Amit Kumar Bhardwaj
8/14/2019 Lmt Cryptography
2/18
Agenda
Pros and cons of data encryption
Single key encryption
Two-key encryption Combining single and two-key
encryption
Message integrity Digital certificates
PKI
8/14/2019 Lmt Cryptography
3/18
Encryption is a method of changing a message sothat its content isnt intelligible to a casual viewer.Using something that only the sender and receiverknow, the message is turned from readable tononsense before it is sent and restored to readableform when it is received. Encryption is the primarytechnique for protecting the content of a datacommunications message while it is traveling outsidethe local network on which it originated. Encryption
can also be used to protect data stored on a harddisk.
8/14/2019 Lmt Cryptography
4/18
Pros and cons of dataencryption
Encrypting and decrypting messages
consumes a lot of computing power,slowing down data communications.
Negotiating the type of encryption to be
used during a communications sessionlengthens the time needed to set up thesession.
Using encryption and digital certificatesfor authentication requires thedevelopment and maintenance of a PKI,which can be costly for a small
organization.
8/14/2019 Lmt Cryptography
5/18
Cont ..
You cant process data in encrypted form; it must bedecrypted. If you use encryption to protect data storedon your servers, for example, it must be decryptedevery time a user needs to search for or display data.This can significantly increase processing time.
The secret keys for many well-known encryptionalgorithms can be cracked by todays high-endcomputers. Therefore, no encryption method should beconsidered totally uncrackable, especially when the
problem is distributed among Internet users whosecomputers run a brute force attack during idle periods.
8/14/2019 Lmt Cryptography
6/18
8/14/2019 Lmt Cryptography
7/18
Substitution Cyphers
Single key encryption methods are essentially
substitution cyphers , where one character issubstituted for another based on a transformationthat process is used to decrypt the message. Whenone character is substituted for another, we call it a
stream cypher ; when a longer key is applied to agroup of characters, we call it a block cypher. Mostof the substitution cyphers in use today are blockcyphers because they are more secure than
stream cyphers.
8/14/2019 Lmt Cryptography
8/18
(DES)
The Data Encryption Standard (DES) was the U.S.governments first successful attempt at
standardizing the encryption used to communicatewith government agencies. It was formally adoptedas a Federal Information Processing Standard(FIPS) in 1976.
However, its short key length has made itrelatively easy to crack with todays computingpower (less than 24 hours), and although you mayfind it still in use commercially,
It has been replaced for government use by AES
DES works much like the second version of thesample substitution cypher
8/14/2019 Lmt Cryptography
9/18
Cont .. The DES key is 64 bits in length, although only 56 bits actually areused in the encryption; the remainder are parity bits used for errorchecking.
The plaintext is modified in 64-bit chunks. Each time a key is used, itis exclusive-ORd (XORd) with the plaintext. Encrypting a single 64-bit block of plaintext with DES is not as simple as our example,however. It involves 16 rounds of plaintext transformations,including breaking the plaintext into two 32-bit chunks that areswapped repeatedly during the rounds. Each round also expands the
32- bit block to 48 bits, which are then XORd with a 48-bit subkey.The subkey has been generated by a key schedule, an algorithmthat creates the 48-bit subkeys based on the original 56-bit key.After XORing with the subkey, the 48-bit plaintext block is dividedinto 6-bit chunks (S-boxes), which then output 4-bit blocks, reducingthe overall plaintext block back to its original 32-bits. (The security
of DES rests with the transformation that occurs in the S-blocks.)Decryption is similar to encryption with the exception that the keytransformations must be generated and applied in the reverse order.Because of its computational complexity, DES was oftenimplemented in hardware.
8/14/2019 Lmt Cryptography
10/18
Triple DESThe vulnerabilities in DES became very well known. Therefore, cryptographers developed an interim
version, for use until another encryption method wasadopted, called Triple DES . Triple DES uses a 192-bit key, three times the length of the 64-bit DES key.
The algorithm repeats the DES encryption process
three times, each time using a different 64 bits ofthe 192-bit key.
Because Triple DES is essentially DES performed three
times, it is more than three times harder to crack. Itis also three times slower to implement andtherefore was never considered as a permanentencryption standard.
8/14/2019 Lmt Cryptography
11/18
v yStandard
TheAdvanced Encryption Standard(AES) was developedin 1998 by Vincent Rijmen and Joan Daemen from theirproprietary encryption scheme named Rijndael. (AESuses the same algorithms as Rijndael, but requires fixedkey and plaintext block sizes; Rijndael can handle keysand block sizes in varying multiples of 32 bits between
128 and 256 bits.) AES is similar to DES in that it uses key transformations
for security. However, its keys are longer128, 192, or256 bitsand it works on 128- bit blocks of plaintext. Italso uses S-boxes to output chunks of cyphertext
through 10, 12, or 14 rounds of key transformations.(The number of rounds corresponds to the length of thekey.)
8/14/2019 Lmt Cryptography
12/18
Schemes
The serious key management issues surrounding symmetric keyencryption methods prompted the development of an encryptionmethod that didnt require the presharing of a secret key. Three
researchersRonald L. Rivest, Adi Shamir, and Leonard Adlemanproposedpublic key encryption (PKE) in 1977.
The developers of public key encryption are the source of theacronym RSA, the name of their company that currently acts asone of the major issuers of digital certificates.
PKE is sometimes also called asymmetric key encryption todifferentiate it from symmetric key encryption.
The basic idea behind PKE is that you have different encryption anddecryption keys. You publish the encryption key freely so thatanyone can encrypt messages to send to you. However, your
secret decryption key is the only key that can decrypt themessage.
8/14/2019 Lmt Cryptography
13/18
8/14/2019 Lmt Cryptography
14/18
Ensuring Message Integrity Encryption ensures message privacy, preventing unauthorized people from
viewing the content of a message. It does not, however, ensure messageintegrity, preventing someone from changing the message while it is in transit.
One widely used solution is to create a message digest, or digital signature, acompressed transformation of the message that has the property that a smallchange in the input (the message) produces a large change in the output (themessage digest). The message digest is computed as the message is assembledfor transmission and attached to the message itself. The recipient thenrecomputes the message digest and compares it to what was received. If the two
digests dont match, then the message was altered during transmission. Most message digests are created using a process called hashing, which takes an
input string and puts it through a predefined transformation. The output is ashorter string of some fixed length. In the case of message digests, the output ofthe most widely used algorithms is between128 and 160 bits.
8/14/2019 Lmt Cryptography
15/18
Good hashing algorithms are one-way, in thesense that you cant reconstruct the messagefrom the hashed output. Having the messagedigest doesnt allow a system cracker to
determine the message in a packet. The mostcommon way to use message digests in acracking attempt is a brute force attack that runsmillions of potential messages through the
algorithm to find matching digests. When thedigests match, then the system cracker hasdetermined the message.
8/14/2019 Lmt Cryptography
16/18
Message Digest Algorithms MD5: MD5 was developed in 1991 by Ronald Rivest as a
successor to MD4 and MD2. It produces a 128-bit output
string that is generally considered quite secure. Research byRSA indicates that it would take a computer designedspecifically to crack MD5 24 days to generate a collision.
SHA-1: SHA-1 is an alternative to MD5 that was developed
by NIST. It produces a 160-bit output string. Because it has alonger output string, it is considered more resilient tobruteforce cracking attempts than MD5.
HMAC: HMAC is an extension to both MD5 and SHA-1 thatadds a password, further increasing the security of bothalgorithms.
8/14/2019 Lmt Cryptography
17/18
Checksums
Another way to ensure message integrity isto use a checksum, a simpler form of amessage digest. Because they are not as
secure as message digests checksums aremost commonly used to indicate accidentalmodifications to data during transmission,rather than malicious modifications.
8/14/2019 Lmt Cryptography
18/18
CRC Checksums