This document provides an introduction to encryption. It discusses why encryption is used, including for secure communications, payment gateways, and digital rights management. It then defines encryption as encoding a message so that it is only readable by authorized persons. Several historical encryption methods are described, such as the Caesar cipher, Vigènere cipher, and the one-time pad. Modern symmetric ciphers like the Data Encryption Standard (DES) and Advanced Encryption Standard (AES) are also covered. The document concludes with an overview of public/private key cryptography and recommendations for password storage and encryption in PHP.

1. Introduction to
Encryption
6th Feb 2014

2. Who am I?
PHP Developer
@faffyman
@phpbelfast

3. What’s this talk about?
Mostly the Why and the What
And just a little bit of the How

4. What this talk is not about
Probability Theory behind encryption
encryption model definitions

5. Why Encrypt?
Secure communications
- TLS Email
- SSL web
Payment Gateways
-Credit Cards
-Bitcoins
Filesystems
-DVD
-Memory Cards
Cable TV Signals
Online Voting
DRM
WEP
Skype Calls

6. What is Encryption?
Είναι όλα ελληνικά για μένα
It’s all Greek to me

7. *Encryption is…
“An algorithm that can encode a message
such that it is only readable by authorized
persons”
*Generally speaking.

8. *Encryption is… a Cipher..
“A pair of algorithms such that the output
ciphertext of the encoding algorithm can be
efficiently transformed back to the original text
by the decoding algorithm”
*not always true

9. Examples of
Encryption through
history

10. The Caesar Cipher
Also known as the shift cipher
Or substitution cipher

11. Shift 3 chars left
Plain : ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW
Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD
Plaintext: the quick brown fox jumps over the lazy dog

12. The Vigener Cipher
16th Century Rome
Is a Modulo shift cipher

13. Create a repeating key the same length as the message
Plain : PHP BELFAST ENCRYTION TALK
Key : BLI NKSTUDI OSBLINKST UDIO
Cipher: RTY PPEZVWC TEEDHHTHH OEUZ
P = 16 + B=2 = 18 = R
H = 8 + L=12 = 20 = T
L = 12 + S=19 = 31 % 26 = 5 = E

14. Playfair Mr Kennedy
Famous WWII message involving JFK
PHBEL
FASTC
DGIKM
NOQRU
VWXYZ
http://j.mp/pFAIR
IN TR OD UC TI ON TO EN CR YP TI ON
DQ KY NG ZM SK QO AR PR TU VE SK QO

15. The One Time Pad
1917, Vernam
Symantically secure, practically useless
Very fast encode / decode
Stream Cipher

16. The One Time Pad
Uses A Random Key of equal length to the message
AJDPWNCGS82NCPS03NCBS72HGTWX1EZMBLHPY04YDVS2D

17. Rotor Machines
Lorenz Cipher (a.k.a. Tunny)
Enigma
“Nothing to report”

18. Encryption is just XOR?
There is a lot if it - yes
M: 0 1 1 0 1 1 1
Ke: 1 0 1 1 0 0 1
C: 1 1 0 1 1 1 0
Kd: 1 0 1 1 0 0 1
M: 0 1 1 0 1 1 1

19. Symmetric Ciphers
D ( K, E(k, m) ) = M
Decryption of Encrypted Message = Original Message

20. Symmetric Ciphers
2 Identical Inputs = 2 different outputs

21. Making It Practical
Stream Ciphers
And
Block Ciphers
In danger of getting complex now…

22. Pseudo Randomness
Pseudo Random Key
PRF – Pseudo Rand Function
PRG – Pseudo Rand Generator
PRP – Pseudo Rand Permutation

23. Pseudo Random Keys
Short Input => Long Output

24. Data Encryption Standard
DES
1970 – 1976 - IBMs Lucifer cipher approved as Fed. Standard
1997 - DES is broken by exhaustive search
Internet search – took 3 months
1998 – Deep Crack does it in 3 days (cost $250K)
1999 – combined search 22 hours
2000 – New Fed Standard adopted. Rijndael or AES

25. Feistel Network
Common Block Cipher Construction
DES is a 16 round Fiestel construction
http://j.mp/feistDES

26. Advanced Encryption Standard
AES
Uses block cipher – But NOT a Fiestel Construction
1997: DES Broken NIST requests proposal for new std
1999: 5 shortlisted options
2000: Rijndael chosen to be new AES

27. AES

28. Side Channel Attacks
•
•
•
•
j.mp/1c9v9Vi
Timing Attacks
Power Attacks
Sound Attacks
Replay Attacks

29. ECB
Electronic Code Book
Encrypted with ECB
j.mp/1kONKMk
Encrypted in other modes
show pseudo randomness

30. CBC
Chain Block Cipher
j.mp/1kONKMk

31. CTR
Counter Mode

32. MICs and MACs
Message Integrity or Authentication Code
Basically - Hash Functions
MD5 - weak
SHA-1 - weak
SHA-256 - better
Anti-Tamper codes

33. Authenticated Encryption
Encrypt then MAC
- always provides A.E.
MAC then Encrypt is open to CCA attacks
- it’s ok IF you use rand-CBC or rand-CTR mode
- still open to padding attacks

34. Key Exchange

35. Public/Private Keys
Public key used to encrypt
Private key used to decrypt
Uses large primes (600+ digits) and modulus of the
powers of factors of that prime

36. Public/Private Keys
ALICE
Generate array of
public & private keys
Alice decrypts with Secret key
To obtain Bobs random number
BOB
Bob chooses one
public key
Chooses a random
secret {0,1}128
encrypts it using
Public Key
They now have a shared secret or key (Bobs
number) with which to encrypt future
messages

37. PHP – password storage
•
•
•
•
•
•
•
Raw / Plaintext – do people really do this?
Roll your own encryption mechanism
MySQL Encrypt()
MD5() – no collision too common
SHA and store salt
bcrypt – No salt storage required
phpass – no salt storage required
j.mp/1nPFttR

38. Golden Rule:
Libraries, libraries, libraries
Always use a tried & tested library
*NEVER*
Roll your own

39. PHP – MAC
hash_hmac()
hash_hmac ($algo, $data, $key [$raw_output = false])
hash_hmac(’sha256’,’phpbelfast rocks', ’MySecret');
php.net/hash_hmac

40. PHP crypt()
j.mp/1nPFttR

41. PHP – openssl library
openssl_get_cipher_methods()
openssl_cipher_iv_length()
openssl_encrypt()
openssl_decrypt()
j.mp/1dp8OTq

42. PHPass – for php v 5.4-
j.mp/phpass

43. PHP password_hash()
v5.5+
password_hash( $password, $algo [, $options] )
password_verify( $password, $hash )
php.net/password_hash
j.mp/1err98n

44. Credits
Cover image -Enigma Machine by Skittledog
http://flic.kr/p/9VjJz5
Creative Commons
http://creativecommons.org/licenses/by-nc-sa/2.0/
Fiestel Network Diagram
Dan Boneh, Stanford Unversity (Coursera – Cryptography I course)
Link Bundle
j.mp/1iq3xA5

45. Final Thought
“Only amateurs attack machines,
professionals attack humans”
- Bruce Schneier