Introduction To Cryptography

The document provides an overview of cryptography, covering key concepts such as integrity, authenticity, confidentiality, and the use of public key infrastructure (PKI). It discusses various cryptographic methods including hash functions, symmetric and asymmetric encryption, and digital signatures, along with their applications and implications for data security. Additionally, it highlights the role of PKI in managing public keys and ensuring secure communications across networks.

Uploaded by

ppronoy5

Introduction to Cryptography

Md. Manirul Islam


Director, Institute of Continuing Education
Associate Professor, Department of Computer Science
American International University-Bangladesh
• Integrity and Authenticity
• Confidentiality
• Public Key Cryptography
• Authorities and the PKI Trust System
• Applications and Impacts of Cryptography
Integrity and Authenticity
Securing Communications
• Information security concerns protecting network infrastructure devices and securing
data as it travels on the network.
• Cryptography helps realize the four objectives of information security:
• Data Confidentiality - only authorized users can read the data.
• Data Integrity - the data has not been altered by unauthorized parties.
• Origin authentication - the data has actually originated at the expected source.
• Non-repudiation – the integrity of the message is irrefutable by the sender.
Cryptographic Hash Functions
• Hashes are used to verify and ensure data integrity.
• Hashing is based on a one-way mathematical function
that is relatively easy to compute, but significantly
harder to reverse.
• A hash function takes a variable block of binary data,
called the message, and produces a fixed-length,
condensed representation, called the hash.
• The resulting hash is also sometimes called the
message digest, digest, or digital fingerprint.
• With hash functions, it is computationally infeasible
for two different sets of data to come up with the
same hash output.
• Every time the data is changed or altered, the hash
value also changes.
Cryptographic Hash Operation
• Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates.
• As shown in the figure, a hash function H takes an input x and returns a fixed-size string
hash value h.
• A cryptographic hash function should have the
following properties:
• The input can be any length.
• The output has a fixed length.
• H(x) is relatively easy to compute for given x.
• H(x) is one way and not reversible.
• H(x) is collision free, meaning that two different input
values will result in different hash values.
MD5 and SHA
• Hash functions are used to ensure that a message has not been changed, either
accidentally or intentionally.
• In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to
ensure that the message is not altered on its way to the receiver.
There are four well-known hash functions:
• MD5 with 128-bit digest - A one-way function that
produces a 128-bit hashed message. MD5 is a
legacy algorithm.
• SHA-1 - Very similar to the MD5 hash functions.
SHA-1 creates a 160-bit hashed message and is
slightly slower than MD5.
• SHA-2 - If you are using SHA-2, then SHA-256,
SHA-384, and SHA-512 algorithms should be used.
• SHA-3 - Next-generation algorithms that should be
used whenever possible.
MD5 and SHA (Cont’d)
• While hashing can be used to detect accidental changes, it cannot be used to guard
against deliberate changes that are made by a threat actor.
• There is no unique identifying information from the sender in the hashing procedure.
• This means that anyone can compute a hash for any data, as long as they have the
correct hash function.
• Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide
security to transmitted data. To provide integrity and origin authentication, something
more is required.
Note: Hashing algorithms only protect against accidental changes and do not protect
the data from changes deliberately made by a threat actor.
Origin Authentication
• To add origin authentication and integrity assurance, use a keyed-hash message authentication
code (HMAC).
• HMAC uses an additional secret key as input to the hash function.
Note: Other Message Authentication Code (MAC) methods are also used. However, HMAC is used
in many systems including SSL, IPsec, and SSH.
HMAC Hashing Algorithm
• An HMAC is calculated using any cryptographic algorithm that
combines a cryptographic hash function with a secret key.
• Only the sender and the receiver know the secret key, and the
output of the hash function depends on the input data and the
secret key.
• Only parties who have access to that secret key can compute the
digest of an HMAC function.
• If two parties share a secret key and use HMAC functions for
authentication, a properly constructed HMAC digest of a
message that a party has received indicates that the other party
was the originator of the message.
Origin Authentication (Cont’d)
Creating the HMAC Value
• As shown in the figure, the sending device inputs data into the hashing algorithm and
calculates the fixed-length HMAC digest.
• This authenticated digest is then attached to the message and sent to the receiver.
Origin Authentication (Cont’d)
Verifying the HMAC Value
• In the figure, the receiving device removes
the digest from the message and uses the
plaintext message with its secret key as
input into the same hashing function.
• If the digest that is calculated by the
receiving device is equal to the digest that
was sent, the message has not been altered.
• Additionally, the origin of the message is
authenticated because only the sender
possesses a copy of the shared secret key.
The HMAC function has ensured the
authenticity of the message.
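The point of the last few slides, as an added example that is not part of the original slides: an unkeyed digest can be recomputed by whoever alters the message, while an HMAC digest cannot be recomputed without the shared key. The key, the message text and the function names are constructed for illustration, and HMAC-SHA-256 is chosen here as one common instance.

```python
import hashlib
import hmac

# Constructed sample values for illustration (not from the slides).
SECRET_KEY = b"constructed-shared-secret"
MESSAGE = b"Transfer $100 to Alex"
TAMPERED = b"Transfer $900 to Alex"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest: anyone who has the message can compute it."""
    return hashlib.sha256(message).digest()


def hmac_digest(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 digest: computing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_plain(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_hmac(key: bytes, message: bytes, digest: bytes) -> bool:
    # compare_digest runs in constant time, so the check does not leak
    # how many leading bytes of a forged digest were correct.
    return hmac.compare_digest(hmac_digest(key, message), digest)


def alter_in_transit(message: bytes, digest: bytes):
    """Model of the slide's man-in-the-middle: with no key, the only digest
    that can be recomputed for the altered message is the unkeyed one."""
    return TAMPERED, plain_digest(TAMPERED)


def run_demo() -> dict:
    hashed = alter_in_transit(MESSAGE, plain_digest(MESSAGE))
    keyed = alter_in_transit(MESSAGE, hmac_digest(SECRET_KEY, MESSAGE))
    genuine = hmac_digest(SECRET_KEY, MESSAGE)
    return {
        "plain_hash_accepts_altered": verify_plain(*hashed),
        "hmac_accepts_altered": verify_hmac(SECRET_KEY, *keyed),
        "hmac_accepts_altered_with_old_digest": verify_hmac(SECRET_KEY, TAMPERED, genuine),
        "hmac_accepts_genuine": verify_hmac(SECRET_KEY, MESSAGE, genuine),
    }


if __name__ == "__main__":
    for check, accepted in run_demo().items():
        print(f"{check}: {accepted}")
```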
Origin Authentication (Cont’d)
Cisco Router HMAC Example
• In the figure, HMACs are used by Cisco
routers that are configured to use Open
Shortest Path First (OSPF) routing
authentication.
• R1 is sending a link state update (LSU)
regarding a route to network 10.2.0.0/16:
• R1 calculates the hash value using the LSU
message and the secret key.
• The resulting hash value is sent with the LSU
to R2.
• R2 calculates the hash value using the LSU
and its secret key. R2 accepts the update if
the hash values match. If they do not match,
R2 discards the update.
Confidentiality
Data Confidentiality
• There are two classes of encryption used to provide data confidentiality: asymmetric and
symmetric. These two classes differ in how they use keys.
• Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES) are based on the premise that each communicating
party knows the pre-shared key.
• Data confidentiality can also be ensured using asymmetric algorithms, including Rivest,
Shamir, and Adleman (RSA) and the public key infrastructure (PKI).
• The figure highlights some differences between symmetric and asymmetric encryption.
Symmetric Encryption
• Symmetric algorithms use the same pre-shared key (secret key) to encrypt and decrypt
data.
• Symmetric encryption algorithms are commonly used with VPN traffic because they use fewer
CPU resources than asymmetric encryption algorithms.
• When using these algorithms, the longer the key, the longer it will take for someone to
discover the key.
• Most encryption keys are between 112 and 256 bits. Use a longer key for more secure
communications.
• Symmetric encryption algorithms are sometimes classified as a block cipher or a stream
cipher.
Asymmetric Encryption
• Asymmetric algorithms, also called public-key algorithms, are designed in a way that the
encryption and the decryption keys are different.
• Asymmetric algorithms use a public key and a private key. Both keys are capable of the
encryption process, but the complementary paired key is required for decryption.
• The process is also reversible. Data that is encrypted with the public key requires the private
key to decrypt.
• Asymmetric algorithms achieve confidentiality and authenticity by using this process.
• Asymmetric encryption can use key lengths between 512 and 4,096 bits.
• Asymmetric algorithms are substantially slower than symmetric algorithms.
Diffie-Hellman
• Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to
generate an identical shared secret without having communicated before.
• The new shared key is never actually exchanged
between the sender and receiver.
• The key can be used by an encryption algorithm
to encrypt traffic between the two systems as
both parties know it.
• Following are two examples of instances when
DH is commonly used:
• Data is exchanged using an IPsec VPN
• SSH data is exchanged
• The security of DH is based on the fact that it
uses very large numbers in its calculations.
DH operation
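The DH exchange described above, as an added example that is not part of the original slides: both sides derive the same secret while only the public values cross the network, and a tiny modulus shows why the slide stresses very large numbers. The parameters (p = 23, g = 5 and the Mersenne prime 2^127 - 1 with base 3) and all function names are assumptions chosen for illustration; both moduli are far too small for real use.

```python
import secrets

# Illustrative parameters (assumptions, not from the slides).
TOY_P, TOY_G = 23, 5            # small enough to search by hand
BIG_P, BIG_G = 2**127 - 1, 3    # larger prime, still NOT a production group


def keypair(p: int, g: int):
    """Pick a random private exponent and derive the public value g^x mod p."""
    while True:
        private = secrets.randbelow(p - 3) + 2        # range 2 .. p-2
        public = pow(g, private, p)
        if 1 < public < p - 1:                        # skip degenerate values
            return private, public


def shared_secret(their_public: int, my_private: int, p: int) -> int:
    # Reject 0, 1 and p-1: a peer value like that would force a predictable secret.
    if not 1 < their_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(their_public, my_private, p)


def exchange(p: int, g: int):
    """Run both sides; only a_pub and b_pub would be sent over the network."""
    a_priv, a_pub = keypair(p, g)
    b_priv, b_pub = keypair(p, g)
    secret_a = shared_secret(b_pub, a_priv, p)
    secret_b = shared_secret(a_pub, b_priv, p)
    return secret_a, secret_b, (a_pub, b_pub)


def search_exponent(public: int, p: int, g: int) -> int:
    """Exhaustive search for x with g^x = public (mod p); only feasible for tiny p."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


if __name__ == "__main__":
    sa, sb, (a_pub, b_pub) = exchange(TOY_P, TOY_G)
    x = search_exponent(a_pub, TOY_P, TOY_G)
    print("toy secrets match:", sa == sb)
    print("toy secret recoverable from public values:", pow(b_pub, x, TOY_P) == sa)
    sa, sb, _ = exchange(BIG_P, BIG_G)
    print("127-bit secrets match:", sa == sb)
```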
Public Key Cryptography
Using Digital Signatures
• Digital signatures are a mathematical technique used to provide authenticity, integrity,
and nonrepudiation.
• Digital signatures use asymmetric cryptography.
• Digital signatures are commonly used in the following two situations:
• Code signing - Code signing is used to verify the integrity of executable files downloaded
from a vendor website. It also uses signed digital certificates to authenticate and verify the
identity of the site that is the source of the files.
• Digital certificates - These are used to authenticate the identity of a system with a vendor
website and establish an encrypted connection to exchange confidential data.
• The Digital Signature Standard (DSS) algorithms used for generating and verifying digital
signatures are:
• Digital Signature Algorithm (DSA)
• Rivest-Shamir-Adleman Algorithm (RSA)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
Digital Signatures for Code Signing
• Digital signatures are commonly used to provide assurance of the authenticity and
integrity of software code.
• Executable files are wrapped in a digitally signed envelope, which allows the end user to
verify the signature before installing the software.
• Digitally signing code provides several assurances about the code:
• The code is authentic and is actually sourced by the publisher.
• The code has not been modified since it left the software publisher.
• The publisher undeniably published the code. This provides nonrepudiation of the act of
publishing.
• The purpose of digitally signed software is to ensure that the software has not been
tampered with, and that it originated from the trusted source as claimed.
Authorities and the PKI Trust System
Public Key Management
• When establishing an asymmetric connection between two hosts, the hosts will exchange their
public key information.
• Trusted third parties on the Internet validate the
authenticity of these public keys using digital
certificates. The third party issues credentials
that are difficult to forge.
• From that point forward, all individuals who
trust the third party simply accept the
credentials that the third party issues.
• The Public Key Infrastructure (PKI) consists of
specifications, systems, and tools that are used
to create, manage, distribute, use, store, and
revoke digital certificates.
• The Certificate Authority (CA) creates digital certificates by tying a public key to a confirmed
identity, such as a website or individual.
[Figure: Illustrates how a driver’s license is analogous to a digital certificate]
The Public Key Infrastructure
• PKI is needed to support large-scale distribution and identification of public encryption keys.
• The PKI framework facilitates a highly scalable trust relationship.
• It consists of the hardware, software, people, policies, and procedures needed to create, manage,
store, distribute, and revoke digital certificates.
• The figure shows the main elements of the PKI.
The PKI Trust System
• PKIs can form different topologies of trust which are as follows:
• Single-Root PKI Topology: The simplest is the single-root PKI topology. The root CA issues
all the certificates to the end users within the same organization. On larger networks, PKI
CAs may be linked using two basic architectures:
• Cross-certified CA topologies: A peer-to-peer model in which individual CAs establish trust
relationships with other CAs by cross-certifying CA certificates.
• Hierarchical CA topologies: The root CA (highest level CA), can issue certificates to end users and to a
subordinate CA.

[Figure panels: Single-Root PKI Topology; Cross-certified CA Topologies; Hierarchical CA Topologies]


Applications and Impacts of Cryptography
PKI Applications
The following provides a short list of common uses of PKIs:
• SSL/TLS certificate-based peer authentication
• Secure network traffic using IPsec VPNs
• HTTPS Web traffic
• Control access to the network using 802.1x authentication
• Secure email using the S/MIME protocol
• Secure instant messaging
• Approve and authorize applications with Code Signing
• Protect user data with the Encrypting File System (EFS)
• Implement two-factor authentication with smart cards
• Securing USB storage devices
Encrypted Network Transactions
• Threat actors can use SSL/TLS to introduce
regulatory compliance violations, viruses, malware,
data loss, and intrusion attempts in a network.
• Other SSL/TLS-related issues may be associated with
validating the certificate of a web server. When this
occurs, the web browsers will display a security
warning. PKI-related issues associated with security
warnings include:
• Validity date range - The X.509v3 certificates specify
“not before” and “not after” dates. If the current
date is outside the range, the web browser displays
a message.
• Signature validation error - If a browser cannot
validate the signature on the certificate, there is no
assurance that the public key in the certificate is
authentic.
Encryption and Security Monitoring
• Network monitoring becomes more challenging when packets are encrypted.
• As HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy
to peek into user traffic.
• Security analysts must know how to circumvent and solve these issues. Here is a list of
some of the things that a security analyst could do:
• Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL
traffic.
• Enhance security through server certificate validation using CRLs and OCSP.
• Implement antimalware protection and URL filtering of HTTPS content.
• Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention
system (IPS) appliances to identify risks normally hidden by SSL.
ice.aiub.edu ice@aiub.edu 01630-665666
