Encryption By Amir Levi and Yuval Carmel

Motivation
• Ever since, people were seeking privacy
  • Classified information
  • Share secrets
• And every time, someone curious was in the way
  • The Big Brother

Work Method
Changing user interface
• First, we used Greasemonkey and Firebug in order to modify the user interface
• Afterwards, we found a way to turn our JavaScript code into a Firefox Add-On, using: http://arantius.com/misc/greasemonkey/script-compiler

Work Method cont.
Changing user interface cont.
• We worked by the convention of: Adding buttons to
• These buttons implement our Encryption Method

Work Method cont.
Encryption/Decryption Methods
• We chose to encrypt using the Hybrid cryptosystem method
• A hybrid cryptosystem combines both symmetric and asymmetric methods of encryption:
  • Symmetric-key cryptosystem:
    • In order to encrypt/decrypt mail content
    • Randomly generated, for every mail
  • Public-key (asymmetric) cryptosystem:
    • In order to encrypt/decrypt the symmetric key
    • Generated once (on first use of the add-on, after installation)
    • Send a query to the keys server in order to get the public keys of all addressees (including the sender himself)
    • Encrypt the symmetric key with all these public keys

Work Method cont.
Encryption/Decryption Methods cont.: Algorithms
We used the following Enc/Dec algorithms.
Symmetric Enc/Dec algorithm: AES
• The AES algorithm was announced by the National Institute of Standards and Technology (NIST) as U.S. Federal Information Processing Standards (FIPS) PUB 197 (FIPS 197) on November 26, 2001
• It replaced the DES algorithm (announced in 1976) as FIPS.
• The AES block size is fixed at 128 bits, and it has 3 versions: 128, 192, 256, which indicate the key size (in bits)
• We chose to implement AES because it follows FIPS, and also because it is fast in both software and hardware, relatively easy to implement, and requires little memory
• We follow AES-128 in CBC mode, with the PKCS#7 padding standard.

Work Method cont.
Encryption/Decryption Methods cont.: Algorithms
We used the following Enc/Dec algorithms.
Asymmetric Enc/Dec algorithm: RSA
• The algorithm was publicly described in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT, hence the name of the algorithm
• The RSA algorithm involves three steps:
  • Key generation
  • Encryption
  • Decryption
• We follow the RSA PKCS#1 Version 1.5 standard, with padding ECB.
• Note: PKCS stands for Public Key Cryptography Standards.

Work Method cont.
RSA Key Generation
RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key.
• The keys for the RSA algorithm are generated in the following manner:
• 1. Choose two distinct prime numbers p and q.
  • For security purposes, the integers p and q should be chosen uniformly at random and should be of similar bit-length. Prime integers can be efficiently found using a primality test.
• 2. Compute n = pq. (used as the modulus for both the public and private keys)
• 3. Compute the totient:

Work Method cont.
RSA Key Generation cont.
• 4. Choose an integer e such that , and e and share no divisors other than 1 (coprime).
  - e is released as the public key exponent. (in our implementation e=65537)
  - Choosing e having a short addition chain results in more efficient encryption. Small public exponents could potentially lead to greater security risks.
• 5. Determine d (using modular arithmetic) which satisfies the congruence relation.
  - Stated differently, ed − 1 can be evenly divided by the totient (p − 1)(q − 1).
  - This is often computed using the Extended Euclidean Algorithm.
  - d is kept as the private key exponent.
• The public key consists of the modulus n and the public (or encryption) exponent e.
• The private key consists of the modulus n and the private (or decryption) exponent d.
• d must be kept secret.

Work Method cont.
RSA Encryption
Alice transmits her public key (n,e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice.
He first turns M into an integer 0 < m < n by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext c corresponding to:
This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.
Encryption (From: Bob, To: Alice, Content: M)

Work Method cont.
RSA Decryption
Alice can recover m from c by using her private key exponent d by the following computation:
Given m, she can recover the original message M by reversing the padding scheme.
The above decryption procedure works because
Now, since ,
The last congruence directly follows from Euler's theorem when m is relatively prime to n. By using the Chinese remainder theorem (CRT) it can be shown that the equations hold for all m.
This shows that we get the original message back:
Decryption (From: Bob, To: Alice, Content: M)

Work Method cont.
Authenticity method
We use a hash function and an asymmetric cryptosystem to generate a signature.
The hash function we used is SHA512, from the SHA2 hash function family.
• SHA stands for Secure Hash Algorithm.
• SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.
• We follow the RSA PKCS #1 version 1.5 signature algorithm with SHA-512

Work Method cont.
Authenticity method cont.
• We perform the following steps in order to get a signature and verify it
• Signing method
  1. We first digest the message M with SHA512 into $M_{digested}$
  2. Finally, the sender uses private key d to sign $M_{digested}$; we get $S = M_{digested}^{d} \bmod N$
• Verifying method
  1. We use the sender's public key e to get $(M_{digested}^{d})^{e} \bmod N = M_{digested} \bmod N$.
  2. Finally we take the original message M, digest it with SHA512 and compare it with $M_{digested}$.

RSA Example
Alice and Bob and George
• Bob: BobPublicKey (everyone), BobPrivateKey (keep secret)
• Alice: AlicePublicKey (everyone), AlicePrivateKey (keep secret)
• Bob wants to send Alice a private message, m
• Bob looks at AlicePublicKey (e, n) and encrypts
• Bob signs the message (after digesting it) with BobPrivateKey (d): $S = M_{digested}^{d} \bmod N$
• Bob sends C to Alice on the internet
• Alice wants to decrypt Bob's private message m
• Alice looks at AlicePrivateKey (d) and decrypts
• Alice wants to verify Bob's signature: she uses BobPublicKey (e, n), $S^{e} = M_{digested}$. Then Alice digests the decrypted m and compares them both
• "Hey George, someone may be listening…"
• "Don't worry, he sees C but cannot figure out m, because he doesn't know AlicePrivateKey"
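
The key generation, encryption, decryption and signing steps from the RSA slides above, carried through in JavaScript as an added example (not code from the original slides or the add-on). It is textbook RSA on BigInt with two small constructed primes and no PKCS#1 padding, and `sign` takes an integer already smaller than n in place of a real SHA-512 digest; all function names are illustrative.

```javascript
// Added example: textbook RSA over BigInt (toy key size, no padding; for study only).

// Exponentiation by squaring: base^exp mod mod.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclidean algorithm: returns x with (a * x) % m === 1n.
function modInverse(a, m) {
  let [r0, r1] = [m, a % m];
  let [t0, t1] = [0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  if (r0 !== 1n) throw new Error('a and m are not coprime');
  return ((t0 % m) + m) % m;
}

// Key generation steps 2-5 for two given distinct primes p and q.
function generateKeyPair(p, q, e = 65537n) {
  if (p === q) throw new Error('p and q must be distinct');
  const n = p * q;                     // modulus shared by both keys
  const phi = (p - 1n) * (q - 1n);     // totient of n
  if (e <= 1n || e >= phi) throw new Error('need 1 < e < phi');
  const d = modInverse(e, phi);        // e*d = 1 (mod phi); throws if e, phi not coprime
  return { publicKey: { n, e }, privateKey: { n, d }, phi };
}

const encrypt = (m, { n, e }) => modPow(m, e, n);                   // c = m^e mod n
const decrypt = (c, { n, d }) => modPow(c, d, n);                   // m = c^d mod n
const sign = (digest, { n, d }) => modPow(digest, d, n);            // S = digest^d mod n
const verify = (digest, s, { n, e }) => modPow(s, e, n) === digest; // S^e mod n == digest

// Constructed sample primes (2^31 - 1 and 2^32 - 5): far too small for real keys.
const alice = generateKeyPair(2147483647n, 4294967291n);
```
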

Work Method cont.
Encryption with Password
• First
  • The user supplies a password (at least 4 letters)
• Second
  • We use a hash function in order to generate a secret key for the symmetric cryptosystem
• Third
  • With the secret key (symmetric key) we encrypt the user's private key, and store it in the key server.
• Fourth
  • Every time the user wants to get his private key, he needs to perform the following:
    1. He sends the key server a query to get his encrypted private key stored in the server.
    2. He also needs to enter his password; that way he generates his secret key, and we decrypt the encrypted private key.
    3. Finally we get the original private key
• We use the symmetric cryptosystem AES-128 in CBC mode, with the PKCS7 padding standard.
• And the SHA1 hash function.
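
An added example (not the add-on's own code) that puts the derivation described above next to a salted, memory-hard alternative, using Node's built-in crypto module. The truncation of the SHA-1 digest to 16 bytes, the random IV stored with the ciphertext, and all function names are assumptions.

```javascript
const nodeCrypto = require('crypto');

// Derivation as described on the slide: a single SHA-1 pass over the password.
// Assumption: the 20-byte digest is truncated to 16 bytes for the AES-128 key.
function sha1Key(password) {
  return nodeCrypto.createHash('sha1').update(password, 'utf8').digest().subarray(0, 16);
}

// Hardened alternative: random per-user salt plus a memory-hard KDF (scrypt).
// The salt is not secret and is stored next to the encrypted private key.
function scryptKey(password, salt = nodeCrypto.randomBytes(16)) {
  return { salt, key: nodeCrypto.scryptSync(password, salt, 16) };
}

// AES-128-CBC with PKCS#7 padding (Node's default padding), as on the slide.
// Assumption: a fresh random IV is generated and stored with the ciphertext.
function wrapPrivateKey(privateKey, key) {
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-128-cbc', key, iv);
  return { iv, data: Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]) };
}

// Reverses wrapPrivateKey with the same key and the stored IV.
function unwrapPrivateKey({ iv, data }, key) {
  const decipher = nodeCrypto.createDecipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
}
```

Because `sha1Key` has no salt, equal passwords give equal keys for every user and each guess against a stored blob costs one hash; `scryptKey` changes both.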

Work Method cont.
Certificate
• We support a user X.509 certificate, in order to bind it with his public key, and thus increase privacy and authenticity.
• We chose to handle the X.509 certificate in the following manner:
  • A user who wants to increase his privacy and authenticity can supply an X.509 certificate
  • It will be stored in a keys server, and the user will need to supply his public and private keys in order to encrypt and decrypt (because we cannot generate keys that suit his certificate)
  • And we will store his keys on the key server.
  • Now anyone who wants to send him encrypted mail will be able to verify and validate the sender certificate, and thus get his public key and encrypt with it.

Work Method cont.
Certificate cont.
A public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind together a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

Work Method cont.
Certificate cont.: X.509 version 3 Certificate Structure
• The structure of an X.509 v3 digital certificate is as follows:
  • Certificate
    • Version
    • Serial Number
    • Algorithm ID
    • Issuer
    • Validity
      • Not Before
      • Not After
    • Subject
    • Subject Public Key Info
      • Public Key Algorithm
      • Subject Public Key
    • Issuer Unique Identifier (Optional)
    • Subject Unique Identifier (Optional)
    • Extensions (Optional)
      • ...
  • Certificate Signature Algorithm
  • Certificate Signature
• Issuer: generated the certificate
• Subject: uses the certificate, owns the public and private keys

Work Method cont.
Certificate cont.: X.509 version 3 Certificate Structure
Certificate for example (from Wikipedia):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Validity
            Not Before: Aug 1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption

In Base64, a certificate is delimited by the tokens -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (example from: http://markupsecurity.com/info/dss/keys_and_certs.html).
Important note: In our implementation we support only certificates that are encoded in Base64 without the tokens -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Work Method cont.
Build up key server
key server…

Mail body

Mail body cont.
Once we have the symmetric key encrypted for all addressees (including the sender himself) with their public keys, and also the mail content encrypted with the symmetric key, we encapsulate them using delimiters:

-- Start of mailencrypt ---
Symmetric Key encrypted for addressee
Mail content encrypted
--- End of mailencrypt ---

• Symmetric key for all addressees (including himself), encrypted by their public keys (each one), separated by delimiters: --addressee-- "key" --keyEnd--
• Delimiter ":" to denote the mail content
• Mail content (subject and body separated by delimiters), encrypted by the symmetric key, has the structure: --start of subject-- Mail Subject example --end of subject-- Mail Body example

Mail for encryption:
Subject: Encrypted Gmail
Body: This is an encrypted Gmail

When pressing on encrypt, the following body is produced:

-- Start of mailencrypt ---
--john_doe1@gmail.com-- gjZtM5pSZ7TDqM1T8N+mqgfcVpNOgn8fLIwzdYwOND6gPR5OaJ7BUDof58RDAqBZi2Sm4dMtv4WZvONSioSL4rRJ/jJAb4CnjLSI147U3X59QASWMHDrG3M8T1DkpnmCKbuTu5aEr+kNNIF4r+q6NpzcjGKi0V06kIAtGgsuq+E= --keyEnd--
--john_doe2@gmail.com-- h1oktl58ZjJYen5MLRWcfinHNV+uYBZO1YlIrEJgyrYbHQbURbE2h5X7frze7TuXQk95NAeUrcIWaGLckx6xt30QrT/7tVdkxB81iexJV+ywORUSyCLaNXSFghytxLQUwv9shyhJwfCQSvl6GHd0XtW7OVCnhowRk4/spmpp69k= --keyEnd--
--amirlevi@gmail.com-- AgA2gX2zbHuqjq+yA6eKB0MV5b7Lyw8aqLVO/kRARufY18BqEUI+PNkEWuvL5AzdDtzFKuJbhikpjqFbAFfW/5J8ATRrbKCBMbfFF+ETaDyR/SKe/KXLqtauGe/5jLrK8b73nx4Twl990ftj8pEj1wYHup2w8i159a5iG65rN7M= --keyEnd--
:40 5e 1e 5b 4d ed 30 18 21 56 1d 46 04 2c d3 c7$2e bcabfa 08 04 b8 d8 1a 62 55 df e2 3f 9c b4$4a fefd 8b 98 6c fe 33 02 dc b0 2e ae 6f 25 96$ac 46 2d 48 ca fd 8e 07 e7 73 19 87 36 3b 7c ad$7f c9 14 13 0a ed bf 31 37 d5 fa 04 7d 63 15 e6$fa 35 94 58 f5 1a 83 bb 29 de 94 68 56 fc 87 ec$34 82 4d b1 46 44 4f 56 51 cf 7d 95 e9 3e 1a 6c
--- End of mailencrypt ---
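
An added example (not the add-on's own code) of a strict parser for the envelope shown above, of the kind a receiving client needs because the delimiters travel in-band with untrusted mail text. The function name, the constructed sample mail, the reading of `$` as a separator between 16-byte ciphertext blocks, and the rejection rules are assumptions made for illustration.

```javascript
const START = '-- Start of mailencrypt ---';
const END = '--- End of mailencrypt ---';

// Returns { keys: Map(addressee -> Base64 wrapped key), ciphertext: hex string }.
// Throws on anything that does not match the envelope layout exactly.
function parseEnvelope(body) {
  const start = body.indexOf(START);
  const end = body.indexOf(END, start + START.length);
  if (start < 0 || end < 0) throw new Error('missing envelope delimiters');
  const inner = body.slice(start + START.length, end);
  const sep = inner.indexOf(':');               // ":" introduces the mail content
  if (sep < 0) throw new Error('missing ":" before mail content');

  const header = inner.slice(0, sep);
  const entry = /\s*--\s*([^\s@:]+@[^\s@:]+?)--\s*([A-Za-z0-9+\/]+={0,2})\s*--keyEnd--/y;
  const keys = new Map();
  let pos = 0;
  let m;
  while ((m = entry.exec(header)) !== null) {   // sticky: entries must be back to back
    const addressee = m[1].toLowerCase();
    if (m[2].length % 4 !== 0) throw new Error(`bad Base64 for ${addressee}`);
    if (keys.has(addressee)) throw new Error(`duplicate entry for ${addressee}`);
    keys.set(addressee, m[2]);
    pos = entry.lastIndex;
  }
  if (keys.size === 0) throw new Error('no addressee keys found');
  if (header.slice(pos).trim() !== '') throw new Error('unexpected text between key entries');

  // AES-CBC output is a whole number of 16-byte blocks, i.e. 32 hex digits each.
  const ciphertext = inner.slice(sep + 1).replace(/[\s$]/g, '').toLowerCase();
  if (!/^([0-9a-f]{32})+$/.test(ciphertext)) throw new Error('ciphertext is not whole AES blocks');
  return { keys, ciphertext };
}

// Constructed sample input (addresses, keys and ciphertext are made up).
const sample = `-- Start of mailencrypt ---
--alice@example.com-- QUJDREVGR0g= --keyEnd--
--bob@example.com-- SUpLTE1OT1A= --keyEnd--
:00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff$0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
--- End of mailencrypt ---`;
```
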

Mail body cont.
Encrypt and send
Decrypt

Questions?