Cryptography

Cryptography is technique of securing information and communications through use of codes so that
only those person for whom the information is intended can understand it and process it. Thus
preventing unauthorized access to information. The prefix “crypt” means “hidden” and suffix graphy
means “writing”.

Principals
Confidentiality:
Information can only be accessed by the person for whom it is intended and no other person except
him can access it.

Integrity:
Information cannot be modified in storage or transition between sender and intended receiver
without any addition to information being detected.

Authentication:
The identities of sender and receiver are confirmed. As well as destination/origin of information is
confirmed.

Types Of Cryptography:
In general there are three types Of cryptography:
Symmetric Key Cryptography:
It is an encryption system where the sender and receiver of message use a
single common key to encrypt and decrypt messages. Symmetric Key Systems
are faster and simpler but the problem is that sender and receiver have to
somehow exchange key in a secure manner. The most popular symmetric key
cryptography system is Data Encryption System(DES).
Hash Functions:
There is no usage of any key in this algorithm. A hash value with fixed length is
calculated as per the plain text which makes it impossible for contents of plain
text to be recovered. Many operating systems use hash functions to encrypt
passwords.
Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and decrypt information. A
public key is used for encryption and a private key is used for decryption.
Public key and Private Key are different. Even if the public key is known by
everyone the intended receiver can only decode it because he alone knows the
private key.
What is DES?
The Data Encryption Standard (DES) is a symmetric-key block cipher. In the year 1977, DES is
published by the National Institute of Standards and Technology (NIST). It is based on the Feistel
structure in which the plaintext is separated into two halves. It takes input as 64-bit plaintext and
a 56-bit key to produce 64-bit ciphertext. Before processing, the entire plain text is separated into
two pieces of 32 bits each, and the same operations are done on each portion. Each piece goes
through 16 rounds of operations before the final permutation is used to obtain the 64-
bit ciphertext.

What is AES?
Advanced Encryption Standard (AES) is also a symmetric key block cipher.
The National Institute of Standard and Technology published AES
in 2001. Because DES utilises a relatively short cipher key and the algorithm was quite
slower, AES was introduced to replace it.

It is currently one of the most popular symmetric block cipher algorithms. It is at

least six times faster than triple-DES encryption. Unlike DES, it is based on
the "Substitution and Permutation'. It takes a step-by-step method.
In AES, bytes are used instead of bits.

Why AES Replaced DES Encryption?

One of the primary objectives for the DES replacement algorithm from the National Institute
of Standards and Technology (NIST) was that it had to be proficient in both software as
well as hardware implementation. (DES was originally only practical in hardware
implementations). C and Java reference implementation were used for performance analysis of all
the algorithms.

AES was chosen in an open competition that included 15 candidates from as many research teams
as possible from around the world, and the overall number of resources allocated to that process
was enormous.

Finally, in October 2000, the National Institute of Standards and

Technology (NIST) announced Rijndael as the proposed Advanced Encryption
Standard (AES).

Substitution Cipher
Hiding some data is known as encryption. When plain text is encrypted it becomes unreadable and is
known as ciphertext. In a Substitution cipher, any character of plain text from the given fixed set of
characters is substituted by some other character from the same set depending on a key. For
example with a shift of 1, A would be replaced by B, B would become C, and so on.

Note:

Special case of Substitution cipher is known as Caesar cipher where the key is taken as 3.
Mathematical representation

The encryption can be represented using modular arithmetic by first transforming the letters into
numbers, according to the scheme, A = 0, B = 1,…, Z = 25. Encryption of a letter by a shift n can be
described mathematically as.

Distribution of Public Key:

In cryptography, it is a very tedious task to distribute the public and private keys between sender
and receiver. If the key is known to the third party (forger/eavesdropper) then the whole security
mechanism becomes worthless. So, there comes the need to secure the exchange of keys.

There are two aspects for Key Management:

Distribution of public keys.

Use of public-key encryption to distribute secrets.

The public key can be distributed in four ways:

- Public announcement
- Publicly available directory
- Public-key authority
- Public-key certificates.

These are explained as following below:

1. Public Announcement: Here the public key is broadcasted to everyone. The major weakness of
this method is a forgery. Anyone can create a key claiming to be someone else and broadcast it.
Until forgery is discovered can masquerade as claimed user.
2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories
are trusted here, with properties like Participant Registration, access and allow to modify values at
any time, contains entries like {name, public-key}. Directories can be accessed electronically still
vulnerable to forgery or tampering.

3. Public Key Authority: It is similar to the directory but, improves security by tightening control over
the distribution of keys from the directory. It requires users to know the public key for the directory.

Whenever the keys are needed, real-time access to the directory is made by the user to obtain any
desired public key securely.

4. Public Certification: This time authority provides a certificate (which binds an identity to the
public key) to allow key exchange without real-time access to the public authority each time. The
certificate is accompanied by some other info such as period of validity, rights of use, etc. All of this
content is signed by the private key of the certificate authority and it can be verified by anyone
possessing the authority’s public key. First sender and receiver both request CA for a certificate
which contains a public key and other information and then they can exchange these certificates and
can start communication.

Transposition Cipher
Transposition Cipher is a cryptographic algorithm where the order of alphabets in the plaintext is
rearranged to form a cipher text. In this process, the actual plain text alphabets are not included.

Example
A simple example for a transposition cipher is columnar transposition cipher where each character
in the plain text is written horizontally with specified alphabet width. The cipher is written vertically,
which creates an entirely different cipher text.
Consider the plain text hello world, and let us apply the simple columnar transposition technique as
shown below

The plain text characters are placed horizontally and the cipher text is created with vertical format
as : holewdlo lr. Now, the receiver has to use the same table to decrypt the cipher text to plain text.

Diffie-Hellman algorithm
The Diffie-Hellman algorithm is being used to establish a shared secret that can be used for secret
communications while exchanging data over a public network using the elliptic curve to generate
points and get the secret key using the parameters. Steps in the algorithm: 1 Alice and Bob agree on
a prime number p and a base g. 2 Alice chooses a secret number a, and sends Bob ( g^a mod p). 3
Bob chooses a secret number b, and sends Alice ( g^b mod p). 4 Alice computes (( g^b mod p ) a mod
p). 5 Bob computes (( g^a mod p ) b mod p). Both Alice and Bob can use this number as their key.
Notice that p and g need not be protected

Example of deffie hellman:- Alice and Bob agree on p = 23 and g = 5. 2 Alice chooses a = 6 and sends
5 6 mod 23 = 8. 3 Bob chooses b = 15 and sends 515 mod 23 = 19. 4 Alice computes 19 6 mod 23 = 2.
5 Bob computes 815 mod 23 = 2. Then 2 is the shared secret. Clearly, much larger values of a, b, and
p are required. An eavesdropper cannot discover this value even if she knows p and g and can obtain
each of the messages.

RSA ALGORITHM AND RSA SECURITY

Asymmetric Algorithm
RSA algorithm is asymmetric cryptography algorithm. Asymmetric actually means that it works on
two different keys i.e. Public Key and Private Key. As the name describes that the Public Key is given
to everyone and Private key is kept private.

Let's take an example

A client (for example browser) sends its public key to the server and requests for some data.

The server encrypts the data using client’s public key and sends the encrypted data.

Client receives this data and decrypts it.

Since this is asymmetric, nobody else except browser can decrypt the data even if a third party has
public key of browser.

The idea of RSA is based on the fact that it is difficult to factorize a large integer. The public key
consists of two numbers where one number is multiplication of two large prime numbers. And
private key is also derived from the same two prime numbers. So if somebody can factorize the large
number, the private key is compromised. Therefore encryption strength totally lies on the key size
and if we double or triple the key size, the strength of encryption increases exponentially. RSA keys
can be typically 1024 or 2048 bits long, but experts believe that 1024 bit keys could be broken in the
near future. But till now it seems to be an infeasible task.

RSA algorithms:
● Select two large prime numbers, p and q.

● Multiply these numbers to find n = p x q, where n is called the modulus for encryption and
decryption.

● Choose a number e less than n, such that n is relatively prime to (p - 1) x (q -1). It means that e and
(p - 1) x (q - 1) have no common factor except 1. Choose "e" such that 1< φ (n), e is prime to φ (n),

● If n = p x q, then the public key is . A plaintext message m is encrypted using public key . To find

Cipher text from the plain text following formula is used to get cipher text C.

Here, m must be less than n. A larger message (>n) is treated as a concatenation of messages, each
of which is encrypted separately.

● To determine the private key, we use the following formula to calculate the d such that:

● The private key is . A ciphertext message c is decrypted using private key . To calculate plain text m from the ciphertext c following

formula is used to get plain text m.

Electronic mail security-pretty good

privacy (PGP)
PGP is a remarkable phenomenon

Largely the effort of a single person, Phil Zimmermann, PGP provides a confidentiality and
authentication service that can be used for electronic mail and file storage applications.

In essence what Zimmermann has done is the following:

1. Selected the best cryptographic mechanisms (algorithms) as building blocks.

2. Integrated these algorithms into a general purpose application that is independent of operating
system and processor and that is based on a small set of easy to use commands.

3. Made the package and its source code freely available via the Internet, bulletin boards, and
commercial networks such as America On Line (AOL).

4. Entered into an agreement with a company (Viacrypt, now Network Associates) to provide a fully
compatible low cost commercial version of PGP.
Pretty Good Privacy (PGP)

1. It is available free worldwide in versions that run on many different platforms, Windows, UNIX,
Mac etc. In addition the commercial version satisfies those who want vendor support.

2. It is based on algorithms that have survived extensive public review and are considered secure.
Specifically, the package includes RSA, DSS and DiffieHellman for public-key encryption; CAST-128,
IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding.

3. It has a wide range of applicability, from corporations that wish to select and enforce a
standardised scheme for encrypting files and messages to individuals who wish to communicate
securely with others worldwide over the Internet.

4. It was not developed by, nor is it controlled by, any government or standards organisation. For
those with an instinctive distrust of “the establishment”, this makes PGP attractive. In the last few
years commercial versions have become available

5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an aura of an
anti-establishment endeavour

PGP consists of the following five services:

1. Authentication:-

○ the sender generates a message and a random number to be used as a session key for this
message only.

○ the message is encrypted using CAST-128, IDEA or 3DES with the session key.

○ the session key is encrypted with RSA (or another algorithm known as ElGamal) using the
recipients public key and is prepended to the message3. Compression:-

2. Confidentiality:-

First, a signature is generated for the plaintext message and prepended to the message. Then the
plaintext message plus signature is encrypted using CAST-128 (or IDEA or 3DES), and the session key
is encrypted using RSA (or ElGamal). This sequence is preferable 120 Chapter 12 Pretty Good Privacy
(PGP) to the opposite: encrypting the message and then generating a signature of the encrypted
message. It is generally more convenient to store a signature with a plaintext version of a message.
Furthermore, for purposes of third party verification, if the signature is performed first, a third party
need not be concerned with the symmetric key when verifying the signature.

3. Compression:-

1. The signature is generated before compression for two reasons:

(a) It is preferable to sign an uncompressed message so it is free of the need for a compression
algorithm for later verification.

(b) Different version of PGP produce different compressed forms. Applying the hash function and
signature after compression would constrain all PGP implementation to the same version of the
compression algorithm.
2. Message encryption is applied after compression to strengthen cryptographic security. Because
the compressed message has less redundancy than the original plaintext, cryptanalysis is more
difficult. The compression algorithm used is called ZIP which is described in the recommended text.

4. E-mail compatibility:-

Many electronic mail systems only permit the use of blocks consisting of ASCII text. When PGP is
used, at least part of the block to be transmitted is encrypted. This basically produces a sequence of
arbitrary binary words which some mail systems won’t accept. To accommodate this restriction PGP
uses and algorithm known as radix64 which maps 6 bits of a binary data into and 8 bit ASCII
character. Unfortunately this expands the message by 33% however, with the compression
algorithm the overall compression will be about one third (in general).

5. Segmentation:-

E-mail facilities are often restricted to a maximum message length. For example, many of the
facilities accessible throughout the Internet impose a maximum length of 50,000 octets. Any
message longer than that must be broken up into smaller segments, each of which is mailed
separately.

Kerberos X.509
Authentication service
The X.500 series of recommendations that define a directory service. The directory is, in effect, a
server or distributed set of servers that maintains a database of information about users. X.509
defines a framework for the provision of authentication services by the X.500 directory to its users.
The directory may serve as a repository of Public Certificates

Each certificate contains the public key of a user and is signed with the private key of a Trusted
Certificate Authority (CA). X.509 is based on the use of public key cryptography and digital signatures
(e.g. RSA and different hash functions such as MD5 etc.).

X.509 was initially issued in 1988. The standard was subsequently revised to address some of the
security concerns; a revised recommendation was issued in 1993. A third version was issued in 1995
and revised in 2000. The user certificates which are at the heart of X.509 are assumed to be created
by some trusted Certificate Authority (CA) and placed in the directory by the CA or by the user.

The Directory Server itself is not responsible for the creation of the public keys or for the
certification function; it merely provides an easily accessible location for users to obtain certificates.

Any user with access to the public key of the CA can recover the user public key that was certified No
party other than the CA can modify the directory
● Serial Number: An integer value, unique within the issuing CA, that is unambiguously associated
with this certificate;

● Signature: The algorithm used to sign the certificate, together with any associated parameters; this
has little utility due to a repeat of this information in the Signature field.

● Issuer name: X.500 name of the CA that created and signed this certificate;

● Period of validity: Two dates, the first and last on which the certificate is valid;

● Subject name: The name of the user to whom the certificate refers;

● Subject’s public key information: The public key of the subject plus an identifier of the algorithm
for which the key is to be used together with any associated parameters;

● Issuer unique identifier: An optional bit string field used to identify uniquely the issuing CA in the
event the X.500 name has been reused for different entities;

● Subject’s unique identifier: An optional bit string field used to identify uniquely the subject in the
event the X.500 name has been reused for different entities;

● Extensions: A set of one or more extension fields; these were added in version

● Signature: Covers all of the other fields of the certificate. It contains the hash code of the other
fields, encrypted with the CA’s private key. This field includes the signature algorithm identifier.
● The Subject field is inadequate to convey the identity of a key owner to a public key user. X.509
names may be relatively short and lacking in obvious identification details that may be needed by
the user.

● The subject field is also inadequate for many applications, which typically recognise entities by an
Internet e-mail address, a URL, or some other Internet related identification.

● There is a need to indicate security policy information. This enables a security application or
function, such as IPSec, to relate an X.509 certificate to a given policy

● There is a need to limit the damage that can result from a faulty or malicious CA by setting
constraints on the applicability of a particular certificate.

● It is important to be able to identify separately different keys used by the same owner at different
times. This feature supports key life cycle management, in particular the ability to update key pairs
for users and CAs on a regular basis or under exceptional circumstances.

Digital Certificate
A digital certificate is a file or electronic password that proves the authenticity of a device, server, or
user through the use of cryptography and the public key infrastructure (PKI). A digital certificate
contains identifiable information, such as a user’s name, company, or department and a device’s
Internet Protocol (IP) address or serial number. Digital certificates contain a copy of a public key
from the certificate holder, which needs to be matched to a corresponding private key to verify it is
real. A public key certificate is issued by certificate authorities (CAs), which sign certificates to verify
the identity of the requesting device or user.

Benefits of Digital Certification?

Digital certificates can be requested by individuals, organizations, and websites. To do so, they
provide the information to be validated and a public key through a certificate signing request. The
information is validated by a publicly trusted CA, which signs it with a key that provides a chain of
trust to the certificate.

This enables the certificate to be used to prove the authenticity of a document, for client
authentication, or to provide proof of a website’s credential.

HIDDEN TRUTH BEHIND THE DIGITAL CERTIFICATE

There are three different types of public key certificates: a transport layer security (TLS)/SSL
certificate, a code signing certificate, and a client certificate. TLS/SSL Certificate A TLS/SSL certificate
sits on a server— such as an application, mail, or web server—to ensure communication with its
clients is private and encrypted. The certificate provides authentication for the server to send and
receive encrypted messages to clients. The existence of a TLS/SSL certificate is signified by the
Hypertext Transfer Protocol Secure (HTTPS) designation at the start of a Uniform Resource Locator
(URL) or web address. It comes in three forms:

Domain Validated

A domain validated certificate is a quick validation method that is acceptable for any website. It is
cheap to obtain and can be issued in a matter of minutes.

Organization Validated
This provides light business authentication and is ideal for organizations selling products online
through e-commerce.

Extended Validation

This offers full business authentication, which is required by larger organizations or any business
dealing with highly sensitive information. It is typically used by businesses in the financial industry
and offers the highest level of authentication, security, and trust.

Code Signing Certificate

A code signing certificate is used to confirm the authenticity of software or files downloaded through
the internet. The developer or publisher signs the software to confirm that it is genuine to users that
download it. This is useful for software providers that make their programs available on third-party
sites to prove that files have not been tampered with.

Client Certificate

A client certificate is a digital ID that identifies an individual user to another user or machine, or one
machine to another. A common example of this is email, where a sender signs a communication
digitally and its signature is verified by the recipient. Client certificates can also be used to help users
access protected databases.

Who Can Issue a Digital Certificate?

Digital certificates are issued by CAs, which sign a certificate to prove the authenticity of the
individual or organization that issued the request. A CA is responsible for managing domain control
verification and verifying that the public key attached to the certificate belongs to the user or
organization that requested it. They play an important part in the PKI process and keeping internet
traffic secure.

DIGITAL SIGNATURE HISTORY

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or
documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high
confidence that the message was created by a known sender (authenticity), and that the message
was not altered in transit (integrity)

Digital signatures are a standard element of most cryptographic protocol suites, and are commonly
used for software distribution, financial transactions, contract management software, and in other
cases where it is important to detect forgery or tampering.

Digital signatures are often used to implement electronic signatures, which includes any electronic
data that carries the intent of a signature,but not all electronic signatures use digital signatures
Electronic signatures have legal significance in some countries, including Canada South Africa the
United States, Algeria Turkey India, Brazil, Indonesia, Mexico, Saudi Arabia, Uruguay,Switzerland,
Chile and the countries of the European Union

Digital signatures employ asymmetric cryptography. In many instances, they provide a layer of
validation and security to messages sent through a non-secure channel: Properly implemented, a
digital signature gives the receiver reason to believe the message was sent by the claimed sender.
Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly
implemented digital signatures are more difficult to forge than the handwritten type. Digital
signature schemes, in the sense used here, are cryptographically based, and must be implemented
properly to be effective. They can also provide non-repudiation, meaning that the signer cannot
successfully claim they did not sign a message, while also claiming their private key remains secret.
Further, some non-repudiation schemes offer a timestamp for the digital signature, so that even if
the private key is exposed, the signature is valid. Digitally signed messages may be anything
representable as a bit string: examples include electronic mail, contracts, or a message sent via
some other cryptographic protocol.