Introduction to Cryptology
Based on Gallo and Hancock: “Computer Communications and Networking Technologies”, Brooks/Cole 2002
CS480 Computer Science Seminar Fall, 2002
Definition
• Cryptology: the study of secret communication.
• Cryptography: the practice or art of encoding messages.
• Plaintext: unencrypted data.
• Cipher text: the encrypted text.
A simple example: letter substitution cipher
• Assuming the agreed “key” between parties: A-O, B-D, C-C, D-I, E-S, F-V, G-A, H-P, I-Y, J-M, K-F, L-R, M-Z, N-X, O-E, P-B, Q-G, R-N, S-K, T-W, U-H, V-Q, W-U, X-J, Y-T, Z-I, ,-#.
• Then: “DEAR JANE, NOT GETTING ANY BETTER, HURRY HOME” is encoded as “ISON MOXS# XEW ASWWYXA OXT DSWWSN# PHNNT PEZS”
Two types of cryptography
• Symmetric cryptography: a secret key is exchanged between the communicating parties. n people require n(n-1)/2 keys, so it is relevant when the number of parties is small. One example is DES (the Data Encryption Standard).
• Asymmetric cryptography: each party (person) maintains two keys, one private and one public. The pair must be used in tandem. If A wants to send B a message, A uses B’s public key to encode the message (the message can also be encoded using the private key) and B uses his/her private key to decode the message. Examples include PGP (Pretty Good Privacy) and RSA.
PKI infrastructure
• PKI involves the process of issuing, delivering, managing, and revoking public keys. A typical scenario: a secured Web connection (using a secure socket layer or SSL session) involves the exchange of keys as follows. Prior to a secured connection, the browser (client) first requests a copy of the server’s security certificate, which contains the server’s public key. After verifying the server’s authenticity, the browser generates a symmetric key, which it uses to encrypt its data. This key is also encrypted using the server’s public key. Both the encrypted data and the encrypted symmetric key are transmitted to the server.
• For the server to decrypt the encoded message, it must first decode the encoded symmetric key using its private key. It will also use this symmetric key to encode any data that it transmits to the browser.
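The exchange described on this slide, written out for both sides as an added example (not part of the original slides). Assumptions: the server key pair is a constructed toy built from two Mersenne primes, the symmetric cipher is a SHA-256 counter keystream standing in for a real cipher, the RSA step is unpadded, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy server key pair built from two Mersenne primes (assumption:
# illustration only; real certificates carry much larger, padded RSA keys).
P, Q = 2**127 - 1, 2**89 - 1
SERVER_PUBLIC = (65537, P * Q)                      # (e, n), sent in the certificate
SERVER_PRIVATE = pow(65537, -1, (P - 1) * (Q - 1))  # d, never leaves the server


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts).
    The label keeps the two directions from sharing one keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + label + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def browser_send(server_public, data: bytes):
    """Browser: make a symmetric key, encrypt data with it, wrap the key for the server."""
    e, n = server_public
    sym_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(sym_key, "big"), e, n)
    return sym_key, wrapped_key, stream_xor(sym_key, b"c2s", data)


def server_receive(wrapped_key: int, encrypted_data: bytes):
    """Server: recover the symmetric key with its private key, then decrypt the data."""
    n = SERVER_PUBLIC[1]
    sym_key = pow(wrapped_key, SERVER_PRIVATE, n).to_bytes(16, "big")
    return sym_key, stream_xor(sym_key, b"c2s", encrypted_data)


def server_reply(sym_key: bytes, data: bytes) -> bytes:
    """Server: responses travel under the same symmetric key, not under RSA."""
    return stream_xor(sym_key, b"s2c", data)


if __name__ == "__main__":
    key, wrapped, body = browser_send(SERVER_PUBLIC, b"GET /account HTTP/1.1")
    server_key, request = server_receive(wrapped, body)
    reply = server_reply(server_key, b"200 OK")
    print(request, stream_xor(key, b"s2c", reply))
```

Only the 16-byte symmetric key ever passes through the public-key operation; the bulk data in both directions is protected by the symmetric cipher.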
DES or Data Encryption Standard
• Developed by IBM and NIST in the 1970s, DES is a math model or algorithm that is used to encode data. It is the most widely used commercial encryption algorithm.
• The key for a DES user consists of any one of 2^56 possible keys. It can be implemented both in hardware and software.
• In its first 20 years, DES was never cracked! But in 1998, Gilmore and Kocher broke the code with a supercomputer that ran for 56 hours.
• One suggestion is to increase the bits from 56 to 1024. In a competition, many other suggestions for an “advanced encryption standard” (AES) are being considered by NIST (http://www.nist.gov/aes). The winner was announced in October, 2000 to be Rijndael (Joan Daemen and Rijmen of Belgium).
Pretty Good Privacy (PGP)
• A public key program written by Philip Zimmermann. PGP contains three algorithms: RSA (the first initials of its three designers: Rivest, Shamir, Adleman; will be discussed); IDEA (International Data Encryption Algorithm; similar to DES); and MD5 (Message Digest algorithm, version 5; a hashing algorithm).
• PGP provides both encryption and digital signature (to “sign” a document) services.
• PGP was once the source of much attention by many US legislators. When it was first released, encryption algorithms with key sizes greater than 40 bits in length were prohibited from being exported outside the US (it uses a 128-bit key space). It also involved patent infringement (RSA was patented), which was later resolved in 1994.
• It still may not be exported without an export license (subject to rules of the International Traffic in Arms Regulations). In the U.S., the DOC (Department of Commerce) sets rules on crypto-technologies. The rules can be very complex from country to country. Additional information can be found at http://www.pgp.com.
The RSA Public Key system
• Widely accepted and implemented for public key encryption.
• The RSA algorithm is based on prime numbers, as illustrated in the following slides.
The RSA algorithm
• Math background
  • Prime numbers: a positive integer, excluding 1, that is divisible only by 1 and itself; there are infinitely many primes.
  • Composite number: an integer p > 1 that is not a prime.
  • The GCD (Greatest Common Divisor): e.g., GCD(15, 36) = 3, GCD(8, 15) = 1.
  • If GCD(p, q) = 1, then p and q are said to be relatively prime. Thus, 8 and 15 are relatively prime.
  • Based on number theory: any natural number is either a prime or can be expressed as a product of prime factors.
  • Euclid’s algorithm is an efficient way to find the GCD of p and q.
  • Modulo system: a math system that cyclically repeats itself. A modulo-m system contains the m elements [0, 1, …, m-1]; for example, the modulo-8 system contains the eight elements [0, 1, 2, 3, …, 7]. Any number a that is greater than or equal to m is expressed as a = b [mod m], where b is the remainder of the division of a by m. Thus 23 = 7 [mod 8] and 916 = 20 [mod 32].
The RSA algorithm continued
• The strength of RSA is based on the fact that it is easy to generate very large primes, but very hard to factor the product of such large primes.
• Algorithm
  • Generating two keys, one public, one private
  • Encrypting the message using either key
  • Decrypting the message using the other key
The steps are illustrated in the following example.
RSA: a simple example
• Step 1: randomly generating two large primes
  • Select p = 5, q = 11 (In practice, p and q are very large, and may each contain several hundred digits!)
  • Find n = pq; in the example n = 5 x 11 = 55
  • Find m = (p-1)(q-1) = 4 x 10 = 40 (this intermediate value is known as Euler’s phi, denoted by φ(n).)
  • Find a small odd integer e that is relatively prime to m, i.e., GCD(e, m) = 1. In this example, when e = 3, GCD(3, 40) = 1, so we let e = 3.
  • Find an integer d so that de = 1 (mod m) and d < m. It is equivalent to solving de = 1 + am, where a >= 0. Thus d = (1 + am)/e. Since the numbers we are working with in the example are small, we use trial and error.
    • a = 0, then d = (1+0x40)/3 = .333 (reject, not an integer)
    • a = 2, then d = (1+2x40)/3 = 27, thus d = 27
RSA: a simple example continued
• Step 1 continued
  • Let the public key = (e, n) = (3, 55) in the example, which is published.
  • Let the private key = (d, n) = (27, 55) in the example, which is kept secret by the holder.
• Step 2: Message encryption
  • E(s) = s ^ e (mod n), where s is the message, and e and n are from the public key.
  • As an example, assuming the total number of bits in a message frame (let it be 4) is the message, then E(s) = 4 ^ 3 (mod 55) = 64 (mod 55) = 9, thus E(s) = 9, which gets transmitted.
RSA: a simple example continued
• Message decryption
  • s = [E(s)] ^ d (mod n)
  • In the example, s = [E(s)] ^ d (mod 55) = 9 ^ 27 (mod 55) = 4, thus we have successfully decrypted the encrypted message.
• More information can be found in the IEEE P1363 Standard Specification for Public Key Cryptography at http://grouper.ieee.org/groups/1363
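The slides' worked example (p = 5, q = 11, e = 3) as runnable code, added here and not part of the original slides. It goes one step beyond them: d is found with the extended form of Euclid's algorithm instead of trial and error, and `recover_private` shows why n must be too large to factor. All function names are hypothetical.

```python
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keys(p, q, e):
    """Step 1: build the public key (e, n) and private key (d, n)."""
    n, m = p * q, (p - 1) * (q - 1)          # m is Euler's phi of n
    if gcd(e, m) != 1:
        raise ValueError("e must be relatively prime to m = (p-1)(q-1)")
    _, x, _ = egcd(e, m)                     # e*x + m*y == 1, so e*x == 1 (mod m)
    return (e, n), (x % m, n)


def encrypt(s, public):
    """Step 2: E(s) = s^e mod n; the message must be smaller than n."""
    e, n = public
    if not 0 <= s < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(s, e, n)


def decrypt(c, private):
    """Decryption: s = E(s)^d mod n."""
    d, n = private
    return pow(c, d, n)


def recover_private(public):
    """With a small n, anyone can factor it and rebuild the private key."""
    e, n = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]


if __name__ == "__main__":
    public, private = make_keys(5, 11, 3)
    c = encrypt(4, public)
    print(public, private, c, decrypt(c, private), recover_private(public))
```

Trial division succeeds instantly on n = 55; the same loop is hopeless once p and q have several hundred digits each, which is the property the scheme relies on.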
Authentication and access control
• A form of identification verification: a process of verifying a claimed identity, which may include the sender’s or receiver’s identity or the identity of the message.
• Several ways:
  • Processing a badge which contains a user ID and password
  • A known individual (third party) vouching for the person
  • The person reciting a secret code.
All of the above can be encrypted for added security.
Digital certificate
• Functions as an electronic passport
• Biometric devices: still expensive today
• Have someone whom both the sender and receiver trust to some level identify certain attributes of the parties involved. The third party issues the user a numerical value, pattern, or key called a digital certificate. Digital certificates are available from a wide variety of trusted parties such as VeriSign.
Kerberos
• Kerberos, based on DES encryption, is an Internet standard that uses a three-pronged approach for authentication: a database that contains users’ rights, an authentication server, and a ticket-granting server. Its name is derived from Cerberus, a three-headed dog in Greek mythology that guarded the gates to Hades.
• For more information:
  • http://www.securityserver.com
  • http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1510.txt
How Kerberos works
• Scenario: assume we want to access a data file stored on one of our company’s primary servers.
• When we first log on and request access to the file, the authentication server searches the database for our access rights.
• Once the server confirms these rights include the requested service, it generates an encrypted “ticket” which enables our workstation to access the ticket-granting server. The authentication server also returns the “key” that was used to encrypt something called an “authenticator”, which contains our name, network address, and the current time.
• Our workstation then sends the ticket and authenticator to the ticket-granting server, which decrypts both pieces of data. If they match, the ticket-granting server generates a ticket for the requested service and returns it to the workstation, which uses it to access the data file.