
Basic Cryptography and Public Key Infrastructure
Overview
• This chapter introduces the specialized terminology developed to
explain the features of cryptography. It uses this vocabulary to
explain the foundations of cryptography and expand on common
cryptographic definitions.

2
Learning Objectives
• use cryptographic terminology
• define the different types of cryptographic attack
• differentiate between types of cipher in common use
• discriminate between symmetric and asymmetric encryption
• explain why hashing is used alongside cryptography
• describe the use of cryptographic standards and protocols
• describe the ways cryptographic techniques are applied and
integrated
• discuss Public Key Infrastructure

3
Cryptography Terminology
• Cryptography really just refers to the writing of codes (secret
writing), whereas cryptanalysis is the deciphering of hidden
messages or codes.
• A cryptographer can take a simple message, plaintext, which is
readable in their own language, and disguise it.
• This process of disguising the text is to encipher, encrypt or
encode it.

4
Strong Cryptosystems, Algorithms and Keys
• When learning cryptographic principles it is easy to be confused
by the use of examples based on the encoding of simple words.
For example, it is easy to guess this code, and you will quickly be
able to decipher that ‘nffu nf bu uif pme hvn usff bu njeojhiu’ is a
very simple transformation of ‘meet me at the old gum tree at
midnight’.
• The problem with this example is that it is a very weak
cryptosystem based on a simple algorithm.
• This algorithm, which was used by Julius Caesar and thus is
always known as the Caesar cipher, would not protect us in the
real world.
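The weakness described above can be shown by trying every possible key. This is an added example, not part of the original slides; the function names and the small word list used for scoring are assumptions made for the illustration.

```python
import string

ALPHABET = string.ascii_lowercase

def shift_text(text: str, key: int) -> str:
    """Caesar shift: move each lowercase letter `key` places, wrapping at 'z'.
    Spaces and any other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

# Constructed word list, used only to score candidate plaintexts.
COMMON = {"the", "at", "me", "and", "of", "to", "in", "is", "it", "a"}

def brute_force(ciphertext: str):
    """Try all 25 non-trivial keys and return (key, plaintext) for the
    candidate that contains the most common English words."""
    best_key, best_text, best_score = 0, ciphertext, -1
    for key in range(1, 26):
        candidate = shift_text(ciphertext, -key)
        score = sum(word in COMMON for word in candidate.split())
        if score > best_score:
            best_key, best_text, best_score = key, candidate, score
    return best_key, best_text

if __name__ == "__main__":
    secret = shift_text("meet me at the old gum tree at midnight", 1)
    print(secret)
    print(brute_force(secret))
```

The key space has only 25 useful values, and word lengths and spaces survive encryption, so a handful of short common words is enough to pick out the right key automatically.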

5
Cryptographic Attacks
• A cryptographic attack is one where a deliberate attempt is made
to break cryptography. Given enough time and data, a cryptanalyst
(hacker) can determine and break an algorithm.
• Attacks can be carried out in one or more of the following ways.

• Cipher text-only attack
• Plaintext attack
• Brute force attack

6
Types of Cipher

7
Substitution Ciphers - Simple
• A simple substitution cipher is one where an individual character
or bit within a word is replaced with another in a prearranged
manner. The Caesar cipher described earlier is a simple
substitution. Figure 5.1 shows the effect of different kinds of
simple substitutions with a shift of +5 as the key value.

8
Substitution Ciphers - Polyalphabetic

9
Transposition Ciphers
• A transposition cipher is one that is accomplished in three steps
and in which a plaintext message is taken and written across a
predetermined number of columns, then reconstructed.

10
Product Ciphers
• Product ciphers are strong ciphers formed by combining two other
kinds of cipher.

11
One-time Pad
• The one-time pad simply consists of a stream of bits (you could
think of this as a stream of random letters if this helps with
conceptualization).
• The value of the first bit of the pad is added to the value of
the first bit of the plaintext message and this value is recorded
(this is an XOR operation). The length of the one-time pad is the
same as the length of the message and provides strength because
it is never used again.
• The receiver of the message is the only person to own a copy of
the pad. There is no algorithm and no key, and hence no brute
force attack can be successful against it. Weaknesses do exist, and
we examine these below when we consider how cryptography can
be attacked.
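The XOR step and the reason the pad must never be used again can be seen in a few lines. This is an added example, not part of the original slides; the function names are assumptions, and the pad is drawn from the operating system's random source via Python's `secrets` module.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(length: int) -> bytes:
    """Generate a fresh random pad of the given length."""
    return secrets.token_bytes(length)

def encrypt(message: bytes, pad: bytes) -> bytes:
    """Combine message and pad bit by bit."""
    return xor_bytes(message, pad)

# XOR is its own inverse, so decryption is the same operation.
decrypt = encrypt

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns when one pad protects two messages:
    the pad cancels out, leaving the XOR of the two plaintexts."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1 = b"meet me at the old gum tree"
    m2 = b"bring the documents tonight"
    pad = new_pad(len(m1))
    c1 = encrypt(m1, pad)
    print(decrypt(c1, pad) == m1)
    # Misuse: the same pad encrypts a second message.
    c2 = encrypt(m2, pad)
    print(reuse_leak(c1, c2) == xor_bytes(m1, m2))
```

With a fresh pad per message the ciphertext reveals nothing but its length; once a pad is reused, the relationship between the two plaintexts is exposed without the pad ever being known.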

12
Running Key Ciphers
• Running key ciphers are also non-mathematical in nature and based
on books or texts in a prearranged fashion.
• They might be based on putting an advert in the Personals column
of the Australian newspaper on a prearranged day, signed with a
name known only to the sender and receiver of a message.
• The ad contains some numbers that indicate pages in a book,
which once again are known only to the sender and receiver of a
message.
• These numbers identify words and phrases in the book that
together detail the message the sender wished to transmit. This
kind of cipher is never used in real life but occurred frequently in
the spy movies of the 1950s.

13
Steganography
• Steganography is another method of hiding data, but it does not
depend on algorithms and keys as detailed above. Steganography
involves hiding information inside a ‘container’ file and using the
least significant bits (LSB) to transport data.
• Common containers include .mp3, .gif and .jpeg graphic files, so
these are actually messages hidden in pictures. If we use a 24-bit
color image as a container and use two bits to store hidden data,
the result is a 22-bit color image nearly identical to the original
and, unless an opponent is aware of the possibility of the use of
steganography, this becomes a very secure (but complex) method
of transmitting data. This means we are literally hiding our
message in a picture and, with some basic IT skills, can hide it in
such a way that it cannot be seen. It does not even affect the
quality of the picture to the naked eye.

14
Block and Stream Ciphers
• The simple substitution ciphers that we have examined are
examples of stream ciphers. They are not strong because they do
not cause confusion; an attacker can easily determine the
relationship between our plaintext, algorithm, key and cipher text
because the length of the original words, the position of short
words, double letters and spaces have not changed from the
original message. When we used a polyalphabetic cipher in figure
5.2 we were able to cause a little confusion, but not enough to
begin to deter a real attacker.
• When we considered transposition we dealt with blocks of four
characters. When we used both substitution and transposition on
a block of characters in figure 5.4 we reduced the risk of an
attacker breaking our code by using diffusion. The blocks have
moved around and are not in their original places in the message.

15
Symmetric and Asymmetric Cryptography

16
Symmetric Cryptography
• Symmetric cryptography is a simple form of encryption whose major
advantage is its speed.
• To a certain extent, symmetric encryption can be used to ensure
authentication and thus to reduce the risk of sharing secret data
with a non-trusted other.
• If there is only one secret key and if this key has been shared with
only one trusted other, then it can be assumed that any response
in an encrypted transaction has actually originated with the
individual with whom the key has been shared.
• The basic issues of risk with symmetric encryption, if we wish to
compare its security to that afforded by PK encryption, are: the
longer the key and the more difficult the mathematical function is
to crack, the higher the level of protection. The longer the key and
the more difficult the mathematical function is to crack, the higher
the decryption effort becomes, so this can lead to huge
performance problems.
17
18
Symmetric Encryption and Key Management
• The best method of key management and distribution is via a
trusted third party who holds copies of all keys, in the way that a
bank is entrusted with money and accounts.
• If two individuals wish to communicate in this way they have no
common keys, but the trusted third party has a copy of each key.
When the sender needs to communicate with the receiver, they
send an open request to the trusted third party along with an
official identifier.

19
Common Symmetric Algorithms
Data Encryption Standard (DES)

• The algorithm works by iterating 16 cycles of transposition and
substitution. The algorithm works with 64-bit blocks of text and a 64-bit
key, which is reduced mathematically to a length of 56 bits.

Triple DES

• Triple DES can also be implemented in different modes. In this case there
are three modes, and each provides a 112-bit effective key length with 48
rounds of substitution and transposition iterated within the algorithm.

Advanced Encryption Standard (AES)

• The AES is built on the Rijndael algorithm. It has variable key lengths of
128, 192 and 256 bits and is a 128-bit block cipher.

20
Asymmetric Cryptography
• In asymmetric cryptography, both sender and receiver control a
public key and private key. The public key can be made widely
known and distributed to everyone with whom electronic
transactions might be made, whereas the private key must be kept
secret and does not have to be distributed.
• Asymmetric encryption is always performed with each user’s
public key whereas decryption is always carried out with the
private key. A message that has been encrypted with the private
key cannot be deciphered with the private key, and the same also
applies for the public key.
• The two keys are mathematically related, but, although each can
be used both to encode and decode plaintext, they are not able to
be deduced or inferred from each other.

21
Asymmetric Encryption, Key Management and Trust
• The major benefit within public-key cryptography is that security
and convenience are provided since private keys never need to be
transmitted or shared with anyone. Therefore the risks that arise
within key management of secret key cryptography can be totally
avoided.

22
Common Asymmetric Algorithms

Rivest-Shamir-Adleman (RSA) encryption

• It is based mathematically on the fact that it is hard to determine
the prime factors of large numbers.

Elliptic curve cryptography

• Elliptic curve cryptography (ECC) is a public key encryption
technique based on elliptic curve theory
that can be used to create faster, smaller and more efficient
cryptographic keys. ECC is based on properties of a particular type
of equation created from the mathematical group (a set of values
for which operations can be performed on any two members of
the group to produce a third member) derived from points where
the line intersects the axes.

23
Hashing
• Hashing is used, with or without cryptography, to supply
assurance that a message has not been altered or modified in
transmission, and this can determine for us whether the number
of bits of text received are the same in length and nature as those
transmitted. Hashing is an important method of ensuring that the
risk to message integrity is reduced.
• This means we first write a message that we wish to send secretly.
In a business context this might be our personnel records or our
credit card details. We count the number of text characters in the
message and send this value (i.e. the number of characters) along
with the message. Then the receiver of the message can check and
make sure the whole message has arrived.

24
Hash Algorithms
• A hash algorithm is a mathematical expression containing one or
more hash functions. Typically a hash function is a mathematical
function that is easy to calculate but difficult to reverse engineer
so as to obtain the inverse.

25
Digital Signatures
• Digital signatures are produced in a similar fashion to that
described above. Digital signature standards combine hash
functions with PK cryptography to verify identity.
• The purpose of a digital signature is to provide authentication so
that the sender of a message can be sure that it has been sent to
the correct person.

26
How Does Digital Signing Work?
• Suppose the CEO of a small company wants to send a signed message to a
potential business partner assuring him of cooperation in some mutual
business transaction. The CEO generates a message digest by using a hash
function on the message. The message digest acts as a guarantee of
authenticity of the message. The CEO then encrypts the message digest with
his private encryption key. This encrypted message digest becomes the
digital signature for the message.
• The CEO transmits both the message and the digital signature to his business
partner. On the arrival of the message, the partner deciphers the signature
using the CEO’s public key thus displaying the message digest. To ensure the
authenticity of the message, she then hashes the message with the same hash
function that the CEO used and compares her result with the one that
accompanied the message she received from the CEO (remember she is just
comparing two numerical values here).
• If they prove to be identical, the business partner can be assured that the
message did originate with the CEO and has not been modified since he first
signed it. If the message digests do not prove to be the same the message
might have either originated elsewhere or been tampered with after it was
signed.

27
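The signing and checking steps described above, as an added example that is not part of the original slides. It assumes SHA-256 as the hash function and uses textbook RSA with no padding and a constructed, insecure key built from two publicly known Mersenne primes; the function names are hypothetical. Production systems use a vetted library, randomly generated keys and a padding scheme such as RSA-PSS.

```python
import hashlib

# Constructed demonstration key. NOT secure: both primes are publicly known
# Mersenne primes, chosen only so the example needs no key generation code.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Message digest as an integer (SHA-256 is this example's assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender: hash the message, then transform the digest with the
    private key. The result is the digital signature."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Recipient: recover the digest from the signature with the public
    key, hash the received message independently, and compare the two."""
    return pow(signature, E, N) == digest(message)

if __name__ == "__main__":
    # Constructed sample message.
    msg = b"We confirm our cooperation on the joint venture."
    sig = sign(msg)
    print(verify(msg, sig))                    # untouched message
    print(verify(msg + b" (amended)", sig))    # message altered in transit
    print(verify(msg, sig ^ 1))                # signature altered in transit
```

Only the holder of the private exponent can produce a value that the public key maps back to the correct digest, which is why a matching comparison ties the message to the signer.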
Key Exchange Protocols

Privacy Enhanced Mail

• This protocol was established to allow secure email over the Internet and within large
enterprises. It is based on both the DES and RSA algorithms. Its architecture resembles
that of PKI and is a hierarchical trust model clustered around a central authority.

Message Security Protocol

• This protocol resembles Privacy Enhanced Mail, but its algorithms have not been disclosed
by the US National Security Agency since it is used in secret and defense applications.

Pretty Good Privacy

• This protocol was implemented within freeware and allows users to develop ‘key rings’.
Each user develops trust with others and collects their public keys. Its model is not
hierarchical but resembles a Web. The model presumes that if you trust me and I trust
you, then you will trust my friends (or business partners) and I can trust yours. We can also
establish degrees of trust with different groups of users.

28
Cryptographic Authentication Techniques
• Cryptographic techniques can be used for user authentication.
• We have seen that identification and authentication are separate
issues. Anyone can claim to be an authorized user. Identification is
the process whereby a user asserts their identity. When a user
authenticates onto a system they are being asked to prove their
identity. This proof may be provided by: asking a user to provide
ID (identification), then supply a password (user authentication);
use of magnetic cards; and recall of shared secret and PIN number.

29
Certificates
• The reason this certificate is important is that it contains the
public key linked to the personal ID of the certificate holder, and it
could include other details, such as a validity period. These details
must then be endorsed by the certification authority by
appending a digital signature. The signed combination of personal
data and public key becomes the certificate.

30
Certificate Authorities
• Certificates have to be controlled by a trusted third party who
issues and manages them. This is known as a certificate authority
(CA). An organization has the choice of implementing a complete
PKI internally or using the services of an external provider, such
as VeriSign. Certificates do not have to be kept secure or
confidential since the CA is a trusted third party and can be
proved genuine and reliable via its own public key.

31
Registration Authorities
• A registration authority (RA) is a subsection of a certification
authority. The purpose of the RA is to check the ID of a certificate
holder and manage the data in this part of the transaction. It also
provides secure communication pathways between the individual,
itself and the CA. It cannot, however, issue the certificate.

32
The PKI process
• Our CEO now wants to implement PKI for himself. He first needs to
obtain a private and public key pair. Our CEO applies to the RA for a
certificate. He needs to supply a certain amount of documentation, to
triangulate and prove his ID from public documents, such as his
driving license and birth certificate. When the RA is able to verify the
CEO’s identity it sends a request to the CA for a certificate for the CEO.
This certificate is issued and bound to the CEO’s public key and ID.
• The certificate lists such details as:
• Version
• certificate serial number (unique identifier)
• signature and algorithm ID used to produce it
• name of CA
• validity period
• username
• public key
• CNS ID
• user ID

33
