
Applications of Symmetric and Public Key Encryption Algorithms

Dr. Natarajan Meghanathan


Assistant Professor of Computer Science, Jackson State University, Jackson MS
E-mail: natarajan.meghanathan@jsums.edu

Applications of Encryption
Cryptographic Hash Functions
To provide integrity of the data transmitted.
Use one-way functions: functions that are much easier to compute than their inverses. (Example: $x^2$ is much easier to compute than its inverse $\sqrt{x^2}$, which could be either $+x$ or $-x$.)
The one-way function will be computed based on all the bits of a file. If a bit is changed, then the value of the function should be different (an idea similar to a checksum).
The computed function value may be encrypted using DES and sent along with the data, which may not be encrypted.
MD4 and MD5 (MD: message digest) are cryptographic hash functions that condense a message of any size to a 128-bit digest.
SHA (Secure Hash Algorithm) is another widely used cryptographic hash function that condenses a message of any size to a 160-bit digest.
In 2005, an attack on SHA showed that two plaintexts producing the same 160-bit hash digest can be found in $2^{63}$ steps.
The longer the digest and the longer the encryption key, the higher the probability that the integrity of the data can be checked at the receiver side.

Applications of Encryption
Exchange of Shared Key using Asymmetric Encryption
Let KPUB-S and KPRI-S denote the public and private keys of Sender S. Similarly, let KPUB-R and KPRI-R be the public and private keys of Receiver R. Let K be the secret key to be shared only between S and R. S sends to R the following:
E(KPUB-R, E(KPRI-S, K))

The inner encryption guarantees that the secret key K came from S and the outer encryption guarantees that only the receiver R could open the outer encryption of the message and get access to the inner encryption.

Applications of Encryption
Diffie-Hellman Key Exchange
Used to allow two parties to establish a shared secret key over an insecure communication channel.
Alice and Bob agree on a field size n and a starting number g.
Alice generates a secret integer a and sends $g^a \bmod n$ to Bob. Alice sends this encrypted using its private key, so that Bob can decrypt it using Alice's public key, thereby authenticating that the message came from Alice: E(KPRI-Alice, $g^a \bmod n$)
At the same time, Bob generates a secret integer b and sends $g^b \bmod n$ to Alice. Bob sends this encrypted using its private key, thereby authenticating to Alice that the message came from Bob: E(KPRI-Bob, $g^b \bmod n$)
When Bob gets Alice's message, it computes $(g^a)^b \bmod n$ and uses it as the secret key. Similarly, when Alice gets Bob's message, it computes $(g^b)^a \bmod n$ and uses it as the secret key.
According to modular arithmetic, $(g^a)^b \bmod n = (g^b)^a \bmod n$. Hence, both Alice and Bob have agreed on a shared secret key.
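The authenticated exchange above, worked through as an added example (not part of the original slides). It uses toy textbook RSA for the slides' E(key, value) operation and shows a substituted value being rejected; the parameters, key sizes and function names are assumptions made for illustration, and a real deployment would use a padded signature scheme rather than raw RSA.

```python
import secrets

# Toy textbook RSA in the slides' E(key, value) notation. Unpadded and built
# from publicly known Mersenne primes, so it illustrates the flow only.
def keypair(p, q, e=65537):  # returns (public, private) as (modulus, exponent)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def E(key, value):
    return pow(value, key[1], key[0])

N_FIELD, G = 2**61 - 1, 3  # constructed field size n and starting number g
ALICE_PUB, ALICE_PRI = keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRI = keypair(2**127 - 1, 2**521 - 1)

def dh_send(own_private):
    """Pick a secret exponent x; return x and E(KPRI, g^x mod n)."""
    x = secrets.randbelow(N_FIELD - 3) + 2
    return x, E(own_private, pow(G, x, N_FIELD))

def dh_receive(own_secret, wrapped, peer_public):
    """Open the peer's message with the peer's public key, then derive the key."""
    peer_value = E(peer_public, wrapped)
    # Without padding, the only redundancy is that a genuine value lies in the
    # field; a message made under any other private key opens to a number far
    # outside it (with overwhelming probability).
    if not 1 < peer_value < N_FIELD - 1:
        raise ValueError("message was not produced with the expected private key")
    return pow(peer_value, own_secret, N_FIELD)

def run_exchange():
    a, msg_a = dh_send(ALICE_PRI)
    b, msg_b = dh_send(BOB_PRI)
    return dh_receive(a, msg_b, BOB_PUB), dh_receive(b, msg_a, ALICE_PUB)

def run_with_substitution():
    """An interceptor swaps in a value wrapped under its own private key."""
    _, interceptor_pri = keypair(2**607 - 1, 2**1279 - 1)
    b, _ = dh_send(BOB_PRI)
    _, forged = dh_send(interceptor_pri)
    try:
        dh_receive(b, forged, ALICE_PUB)
        return "accepted"
    except ValueError:
        return "rejected"
```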

Applications of Encryption
Digital Signatures
A digital signature is a protocol that produces the same effect as a real signature. It is a mark that only the sender can make, but that other people can easily recognize as having been made by the sender. Just like a real signature, a digital signature indicates the sender's agreement to the message. Properties of a digital signature:
It must be unforgeable: If person P signs a message M with signature S(P, M), it is impossible for anyone else to produce the pair [M, S(P, M)].
It must be authentic: If person R receives the pair [M, S(P, M)] from P, R can check that the signature is really from P. Only P could have created this signature, and the signature is firmly attached to M.
It is not alterable: After being transmitted, M cannot be changed by S, R or an interceptor.
It is not reusable: A previous message presented again will be instantly detected by R.

Public Key Protocol: S sends R E(KPUB-R, E(KPRI-S, M))

Certificates
Motivation: Need to verify that the public key advertised for a person actually belongs to that person.
Why? An evil person C may know a public key-private key pair and advertise the public key as belonging to another entity A. Person C may then send a message encrypted using this private key (as if the message comes from A) to another person B. B will decrypt the message using the public key of A advertised (by C). As a result, B thinks that it is communicating with A, but B is actually communicating with C.
Each of us adopts a trust threshold: a degree to which we are willing to believe an unidentified individual. We will use the concept of "vouching for" by a third party as the basis of trust in settings where two parties do not know about each other.
Certification Authority (CA): An entity that issues digital certificates that contain a public key and the identity of the owner. The CA attests that the public key contained in the digital certificate belongs to the person (the CA is a sort of digital notary).

Certificates
How does it work?
Assume the users of a network have a CA. The users are aware of the public key of the CA. The users basically believe something notarized by the CA.
Before communicating with any other user, each user needs to communicate with the CA and obtain a digital certificate for their public key.
The user sends all its identification information to a registration authority that captures and authenticates the identity of the user and then submits a certificate request to the appropriate CA. The user also submits its public key to the CA.
The CA, after getting the identification information authenticated by the registration authority and authenticating the public key submitted by the user, will compute a hash of the identification information and the public key of the user.
The CA encrypts the identification information, public key and the hash with its private key and sends the encrypted message to the user. This encrypted message is now the digital certificate for the user.

Certificates
User A, now wishing to communicate with a user B, will:
First, encrypt the message with the private key of A.
Second, use the public key of B to further encrypt the above encrypted message and the digital certificate issued by the CA.

User B will first decrypt the message using its private key and extract the digital certificate issued by the CA for the public key of A. User B will decrypt the digital certificate using the public key of the CA and extract the public key of A. User B will then decrypt the message sent by A using this extracted public key. The above protocol guarantees the following:
The message really came from A.
Nobody other than B sees the digital certificate for A's public key issued by the CA.

Certificates
Digital Certificate for the Public Key of A (encrypted with KPRI-CA):
Name: A
ID for A
Public key for A: KPUB-A
Hash value: 128C4

User A sending to user B (encrypted with KPUB-B):
Message to user B, encrypted with KPRI-A
Digital Certificate for the Public Key of A, encrypted with KPRI-CA (Name: A; ID for A; Public key for A: KPUB-A; Hash value: 128C4)

Certificates
What if user B is in another network and cannot directly accept the attestation done by the CA of A, and needs another CA to attest the public key of the CA of A?
Let CA1 be the CA that could attest A. Let CA2 be the CA that needs to attest CA1, and this attestation would be believed by B.
Along with the digital certificate issued by CA1 for A, CA1 needs to append the digital certificate it received from CA2 for the public key of CA1.
User A needs to send both of these digital certificates to B.
User B will first extract the public key of CA1 from the digital certificate issued by CA2, using the public key of CA2. User B will then extract the public key of user A from the digital certificate issued by CA1, using the extracted public key of CA1. User B will then use this certified public key of user A to extract the message.

Certificates
[Figure labels: User A sending to user B, encrypted with KPUB-B; Digital Certificate for the Public Key of CA1; Digital Certificate for the Public Key of A]

Certificates
In general, in addition to issuing the digital certificate for the public key of a user, a CA may send its digital certificate and the digital certificates of all its predecessors in the CA hierarchy. Depending upon the authentication level required by the other side of the communication (say user B), it may be then up to user A to only include the relevant CA digital certificates in a message to user B.
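The certificate issuance and the two-level CA hierarchy described above, as an added example that is not part of the original slides: CA2 certifies CA1, CA1 certifies A, and user B recovers A's public key knowing only CA2's public key. Toy textbook RSA stands in for the slides' E(key, value); the record layout, SHA-256 as the hash, the key sizes and all function names are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA in the slides' E(key, value) notation. Unpadded, with
# publicly known Mersenne primes as factors: illustration only.
def keypair(p, q, e=65537):  # returns (public, private) as (modulus, exponent)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def E(key, value):
    return pow(value, key[1], key[0])

def issue(ca_private, name, subject_public):
    """CA: hash the identity and public key, encrypt everything with KPRI-CA."""
    body = f"{name}|{subject_public[0]:x}|{subject_public[1]:x}"
    record = f"{body}|{hashlib.sha256(body.encode()).hexdigest()}"
    return E(ca_private, int.from_bytes(record.encode(), "big"))

def open_cert(ca_public, cert, expected_name):
    """Decrypt with KPUB-CA, check the hash and the name, return the public key."""
    value = E(ca_public, cert)
    try:
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big").decode("ascii")
        name, n_hex, e_hex, digest = raw.split("|")
        key = (int(n_hex, 16), int(e_hex, 16))
    except ValueError:  # also covers UnicodeDecodeError
        raise ValueError("not a certificate issued by this CA") from None
    body = f"{name}|{n_hex}|{e_hex}"
    if name != expected_name or hashlib.sha256(body.encode()).hexdigest() != digest:
        raise ValueError("certificate contents do not match")
    return key

# Constructed hierarchy: CA2 certifies CA1, and CA1 certifies user A.
CA2_PUB, CA2_PRI = keypair(2**2203 - 1, 2**2281 - 1)
CA1_PUB, CA1_PRI = keypair(2**607 - 1, 2**1279 - 1)
A_PUB, _ = keypair(2**89 - 1, 2**107 - 1)
CERT_CA1, CERT_A = issue(CA2_PRI, "CA1", CA1_PUB), issue(CA1_PRI, "A", A_PUB)

def verify_chain(root_public, cert_ca1, cert_a):
    """User B knows only CA2's public key and walks the chain down to A."""
    return open_cert(open_cert(root_public, cert_ca1, "CA1"), cert_a, "A")

def impostor_result():
    """C presents its own key as A's, 'certified' by a CA outside B's chain."""
    c_pub, _ = keypair(2**127 - 1, 2**521 - 1)
    _, rogue_pri = keypair(2**3217 - 1, 2**4253 - 1)
    try:
        verify_chain(CA2_PUB, CERT_CA1, issue(rogue_pri, "A", c_pub))
        return "accepted"
    except ValueError:
        return "rejected"
```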
