SlideShare a Scribd company logo

Encryption

Download as DOC, PDF
V
Vijay Kumar
Education
1 of 8
Chapter 1: Basic Terminology Encryption is the process of turning a clear-text message (Plaintext) into a data stream which looks like a meaningless and random sequence of bits (ciphertext). The process of turning ciphertext back into plaintext is called decryption. Cryptography deals with making communications secure. Cryptoanalysis deals with breaking ciphertext, that is, recovering plaintext without knowing the key. Cryptology is a branch of mathematics which deals with both cryptography and cryptoanalysis. A cryptographic algorithm, also known as a cipher, is a mathematical function which uses plaintext as the input and produces ciphertext as the output and vice versa. All modern ciphers use keys together with plaintext as the input to produce ciphertext. The same or a different key is supplied to the decryption function to recover plaintext from ciphertext. The details of a cryptographic algorithm are usually made public. It is the key that the security of a modern cipher lies in, not the details of the cipher. Symmetric algorithms use the same key for encryption and decryption. These algorithms require that both the sender and receiver agree on a key before they can exchange messages securely. Some symmetric algorithms operate on 1 bit (or sometimes 1 byte) of plaintext at a time. They are called stream ciphers. Other algorithms operate on blocks of bits at a time. They are called block ciphers. Most modern block ciphers use the block size of 64 bits. Public-key algorithms (also known as asymmetric algorithms) use two different keys (a key pair) for encryption and decryption. The keys in a key pair are mathematically related, but it is computationally infeasible to deduce one key from the other. These algorithms are called "public-key" because the encryption key can be made public. Anyone can use the public key to encrypt a message, but only the owner of the corresponding private key can decrypt it. Some public-key algorithms such as RSA allow the process to work in the opposite direction as well: a message can be encrypted with a private key and decrypted with the corresponding public key. If Alice (or anyone else) can decrypt a message with Bob's public key she knows that the message must have come from Bob because no one else has Bob's private key. Digital signatures work this way. Chapter 2: Symmetric Cryptography Symmetric encryption is the backbone of any secure communication system. Dozens of symmetric algorithms have been invented and impemented, both in hardware and software. This chapter briefly describes those relevant to the Microsoft impementation of cryptography. Block Ciphers Block ciphers are cryptographic algorithms which operate on 64-bit blocks of plaintext. The encryption procedure usually consists of multiple and complex rounds of bit shifts, XORs, permutations and substitutions of plaintext and key bits. Decryption is similar to encryption except that some operations may be performed in the reverse order. Some algorithms use fix-length keys, for others the key length may vary. DES Data Encryption Standard (DES) is a block cipher invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. It has been a worldwide cryptographic standard since 1976 [1]. DES is a fixed-key-length algorithm. It uses 56-bit keys. Any 56-bit number can be a key.
DES has been remarkably resistant to cryptanalysis, but its short key length makes it vulnerable to a brute-force attack where all possible keys are tried one by one until the correct key in found. Bruce Schneier writes: "A brute-force DES-cracking machine that can find a key in an average of 3.5 hours cost only $1 million in 1993. DES is so widespread that it is naive to pretend that NSA <National Security Agency> ... haven't built such a machine. ... DES will only become less secure as time goes on." [1]. DES is implemented by the Microsoft Enhanced Cryptographic Provider. RC2 RC2 was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published. RC2 is a variable-key-length cipher. However, when using the Microsoft Base Cryptographic Provider, the key length is hard-coded to 40 bits. When using the Microsoft Enhanced Cryptographic Provider, the key length is 128 bits by default and can be in the range of 40 to 128 bits in 8-bit increments. Triple DES The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys. This way the effective key length becomes 56 x 3 = 168 bits which makes brute-force attacks virtually impossible. Triple DES is implemented by the Microsoft Enhanced Cryptographic Provider. Triple DES with 2 Keys In this variation, DES encryption is still applied three times but using only 2 keys: first key 1 is applied, then key 2 and then key 1 again. The effective key length is 56 x 2 = 112 bits. Triple DES with 2 keys is implemented by the Microsoft Enhanced Cryptographic Provider. Advanced Encryption Standard (AES) aka Rijndael Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. Rijndael became the AES after the FIPS approval by the U.S. government in 2001. The cipher currently supports key lengths of 128, 192, and 256 bits. AES is implemented by the "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" on Windows XP and "Microsoft Enhanced RSA and AES Cryptographic Provider" on Windows 2003. Windows NT and 2000 do not support this cipher. AspEncrypt offers support for AES starting with version 2.3. Stream Ciphers Stream ciphers encrypt plaintext one bit (or sometimes byte) at a time. The stream of plaintext bits are XORed with the output of a keystream generator which produces a stream of bits based on a seed value. This seed value is the key for a stream cipher. The decryption process is identical: the ciphertext bits are XORed with the same keystream (which is the function of the key). RC4
RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. The details of the algorithm have not been officially published. However, the algorithm's internals have been posted on the Internet, and the book Applied Cryptography contains its detailed description. The algorithm is extremely easy to describe and program. Just like RC2, 40-bit RC4 is supported by the Microsoft Base Cryptographic provider, and the Enhanced provider allows keys in the range of 40 to 128 bits in 8-bit increments. Chapter 3: One-way Hash Function A one-way hash function, also known as a message digest, fingerprint or compression function, is a mathematical function which takes a variable-length input string and converts it into a fixed-length binary sequence. Furthermore, a one-way hash function is designed in such a way that it is hard to reverse the process, that is, to find a string that hashes to a given value (hence the name one-way.) A good hash function also makes it hard to find two strings that would produce the same hash value. All modern hash algorithms produce hash values of 128 bits and higher. Even a slight change in an input string should cause the hash value to change drastically. Even if 1 bit is flipped in the input string, at least half of the bits in the hash value will flip as a result. This is called an avalanche effect. Since it is computationally infeasible to produce a document that would hash to a given value or find two documents that hash to the same value, a document's hash can serve as a cryptographic equivalent of the document. This makes a one-way hash function a central notion in public-key cryptography. When producing a digital signature for a document, we no longer need to encrypt the entire document with a sender's private key (which can be extremely slow). It is sufficient to encrypt the document's hash value instead. Although a one-way hash function is used mostly for generating digital signatures, it can have other practical applications as well, such as storing passwords in a user database securely or creating a file identification system. See the Tasks section for some examples. Hash Algorithms The Microsoft cryptographic providers support three hash algorithms: MD4, MD5 and SHA. MD4 & MD5 Both MD4 and MD5 were invented by Ron Rivest. MD stands for Message Digest. Both algorithms produce 128-bit hash values. MD5 is an improved version of MD4. SHA SHA stands for Secure Hash Algorithm. It was designed by NIST and NSA. SHA produces 160-bit hash values, longer than MD4 and MD5. SHA is generally considered more secure that other algorithms and is the recommended hash algorithm. Chapter 4: Public-Key Cryptography Unlike symmetric cryptography, public key cryptography uses two different keys - one public and one private. The keys are mathematically related, yet it is computationally infeasible to deduce one from the other. Anyone with the public key can encrypt a message but not decrypt it. Only the person with the private key can decrypt the message.
Bruce Schneier compares public-key cryptography with a mailbox. He writes: "Putting mail in the mailbox is analogous to encrypting with the public key; anyone can do it. Just open the slot and drop it in. Getting mail out of a mailbox is analogous to decrypting with the private key. Generally it's hard; you need welding torches. However, if you have the secret (the physical key to the mailbox), it's easy to get mail out of a mailbox." [1] Secure Communications using Public-Key Cryptography Using public-key cryptography, Alice and Bob can communicate securely using the following simple protocol: • Alice and Bob agree on a public key algorithm. • Bob sends Alice his public key. • Alice encrypts her message with Bob's public key and sends it to Bob. • Bob decrypts Alice's message with his private key. Notice that this protocol does not require any prior arrangements (such as agreeing on a key) for Alice and Bob to communicate securely. In real-world implementations, public keys are rarely used to encrypt actual messages as public-key cryptography is very slow, about 1000 times slower that conventional cryptography [1]. Instead, public-key cryptography is used to distribute symmetric keys which are then used to encrypt and decrypt actual messages, as follows: • Bob sends Alice his public key. • Alice generates a random symmetric key (usually called a session key), encrypts it with Bob's public key and sends it to Bob. • Bob decrypts the session key with his private key. • Alice and Bob exchange messages using the session key. Systems that use both symmetric and public-key cryptography in this manner are called hybrid. Digital Signatures Certain public-key algorithms such as RSA allow both the public and private key to be used for encryption. If a message is encrypted with someone's private key it can only be decrypted with the corresponding public key. This feature can be used to create digital signatures, as follows: • Alice encrypts the document with her private key. The encrypted document becomes her digital signature. • Alice sends the signature to Bob. • Bob decrypts the document with Alice's public key thereby verifying the signature. Once again, encrypting an actual message with a private key is very inefficient. Instead of signing the entire document, the document's hash can be signed, as follows: • Alice computes a one-way hash of a document. • Alice encrypts the hash with her private key. The encrypted hash becomes the document's signature. • Alice sends the document along with the signature to Bob. • Bob produces a one-way hash function of the document received from Alice, decrypts the signature with Alice's public key and compares the two values. If they match, Bob knows that: (1) the document really came from Alice and (2) the document was not tampered with during transmission.
RSA RSA is by far the most popular public-key cryptography algorithm. It supports both encryption and digital signatures. It is also the easiest one to describe and implement. RSA has withstood years of extensive cryptoanalysis and is a de facto standard in much of the World [1]. RSA is named after the three inventors - Ron Rivest, Adi Shamir and Leonard Adleman. In RSA, a public key is based on the product of two large prime numbers. These two numbers must be kept secret as they are used to compute the private key. The product of the two prime numbers is referred to as modulus. The security of RSA lies in the difficulty of factoring large numbers. The Microsoft Base Cryptographic Provider implements RSA with a 512-bit modulus. With the Microsoft Enhanced Provider, the default modulus is 1024 bits, and valid moduli can be in the range of 384 bits to 16,384 bits in 8 bit increments. Man-in-the Middle Attack The hybrid communication protocol described above is vulnerable to a man-in-the-middle attack. Let's assume that Mallory, an enemy hacker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack goes: • Bob sends Alice his public key. Mallory intercepts the key and sends his own public key to Alice. • Alice generates a random session key, encrypts it with "Bob"'s public key (which is really Mallory's) and sends it to Bob. • Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bob's public key and sends it to Bob. • Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key. • Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now read the entire conversation. A man-in-the-middle attack works because Alice and Bob have no way to verify they are talking to each other. An independent third party that everyone trusts is needed to foil the attack. This third party could bundle the name "Bob" with Bob's public key and sign the package with its own private key. When Alice receives the signed public key from Bob, she can verify the third party's signature. This way she knows that the public key really belongs to Bob, and not Mallory. A signed package containing a person's name (and possibly some other information such as an email address and company name) and his/her public key is called a digital certificate (or digital ID). An independent third party that everyone trusts whose responsibility is to issue certificates is called a Certification Authority (CA). Digital certificates are the topic of the next chapter. Chapter 5: Digital Certificates A certificate is a data package that completely identifies an entity, and is issued by a Certification Authority (CA) only after that authority has verified the entity's identity. The data package includes the public key that belongs to the entity. When the sender of a message signs the message with its private key, the recipient of the message can use the sender's public key (retrieved from the certificate either sent with the message or available elsewhere on the network) to verify that the sender is legitimate. X.509 Certificates The X.509 protocol defines the following structure for public-key certificates: Version
Serial Number Signature Algorithm Issuer Name Period of Validity • Not Before Date • Not After Date Subject Name Subject's Public Key • Algorithm • Public Key Extensions Signature The version field identifies the certificate format. The serial number is unique within the CA. The Signature Algorithm identifies the algorithm used to sign the certificate. Issuer is the name of the CA. The period of validity is a pair of dates; the certificate is valid during the time period between the two. Subject is the name of the user to whom the certificate is issued. The subject's public key field includes the algorithm name and the public key itself. The last field is the CA's signature. Certification Hierarchy In order for digital certificates to be effective, the users of the network must have a high level of trust in the certificate. But what happens if someone doesn't trust the CA - perhaps the person has never heard of the CA before. This problem is addressed in the certifying process by something called the hierarchy of trust. The concept of hierarchy of trust is simply that the process must begin with some certifying authority that everyone agrees is trustworthy. This ultimate authority is called the root authority. The root authority then can certify other CAs below it, who can then certify CAs below them, etc. This is illustrated on the following diagram:
When someone receives a certificate that has been issued by a first- or second-tier CA, he or she can verify that the CA that signed the certificate has been certified by a CA at the tier above it and that, in turn, that CA has been certified by the one above it, and so on until a chain of trust exists between the lower level CA (or a user certificate) and the root CA. For example, in the preceding diagram, it can be verified that CA #4 was certified by CA #1 and that CA #1 was certified by the root CA. This means that when a certificate from a lower-level CA is passed along with the encrypted message, all of the certificates in its chain of trust up to the root should be passed along with it. Certificate Requests A certificate request is a signed data package that contains a person's information such as name, email address, company name etc, and his/her public key. A certificate request is generated by a person wishing to obtain a certificate from the CA. Certificate requests are signed by the person's private key to prevent tampering with during transmission. When the CA receives a certificate request it extracts a person's name and public key information and performs a certain procedure aimed at verifying that the public key really belongs to the person whose name is included in the certificate request. If the verification process is successful, the CA issues the certificate and sends it to the requestor. Certificate Revocation Lists Certificates can also be revoked, either because the user's key has been compromised, the CA's key has been compromised, or because the CA no longer wants to certify the user. Each CA maintains a list of all revoked but not expired certificates. When Alice receives a new certificate she should check to see if it has been revoked. She can check a database of revoked keys on the network or locally cached list or revoked certificates. Chapter 6: Secure Mail and S/MIME Secure Multipurpose Internet Mail Extensions (S/MIME) is a de facto standard developed by RSA Data Security, Inc, for sending secure mail based on public-key cryptography. MIME is the industry standard format for electronic mail, which defines the structure of the message's body. S/MIME-supporting e-mail applications add digital signatures and encryption capabilities to that format to ensure message integrity, data origin authentication and confidentiality of electronic mail. Signed Mail When a signed message is sent, a detached signature in the PKCS #7 format is sent along with the message as an attachment. The signature attachment contains the hash of the original message signed with the sender's private key, as well as the signer certificate. Enveloped Mail Enveloped (encrypted) mail is generated using a recipient's public key. The message is actually encrypted using a random symmetric key, and it is that symmetric key that is encrypted using the
recipient's public key and sent along with the message. If a message is being sent to multiple recipients, the symmetric key is encrypted separately by every recipient's public key. The enveloped message and all encrypted symmetric keys are packaged together using the PKCS#7 format. Signed & Enveloped Mail S/MIME also supports messages that are first signed with the sender's private key and then enveloped using the recipients' public keys. S/MIME-Enabled Status of AspEmail The AspEmail component, when used in conjunction with AspEncrypt, is capable of sending S/MIME-compliant mail. The S/MIME Enabled logo indicates that the component has passed RSA's S/MIME Interoperability Test and is included into the S/MIME Interoperability Master Matrix. For more information on the S/MIME Enabled logo, visit RSA at http://www.rsasecurity.com/standards/smime/about.html. S/MIME Central at RSA For a complete set of S/MIME specifications, visit RSA's S/MIME Central at http://www.rsa.com/smime.

Recommended

Cryptography
CryptographyCryptography
Cryptography
amiable_indian
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITY
Tuhin_Das
 
fucking shit
fucking shitfucking shit
fucking shit
eyalrav
 
Implementation of-hybrid-cryptography-algorithm
Implementation of-hybrid-cryptography-algorithmImplementation of-hybrid-cryptography-algorithm
Implementation of-hybrid-cryptography-algorithm
Ijcem Journal
 
Hybrid encryption ppt
Hybrid encryption pptHybrid encryption ppt
Hybrid encryption ppt
prashantdahake
 
Encryption
EncryptionEncryption
Encryption
Naiyan Noor
 
IRJET- Comparative Analysis of Encryption Techniques
IRJET- Comparative Analysis of Encryption TechniquesIRJET- Comparative Analysis of Encryption Techniques
IRJET- Comparative Analysis of Encryption Techniques
IRJET Journal
 
White Paper on Cryptography
White Paper on Cryptography White Paper on Cryptography
White Paper on Cryptography
Durgesh Malviya
 

Recommended

Cryptography
CryptographyCryptography
Cryptography
amiable_indian
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITY
Tuhin_Das
 
fucking shit
fucking shitfucking shit
fucking shit
eyalrav
 
Implementation of-hybrid-cryptography-algorithm
Implementation of-hybrid-cryptography-algorithmImplementation of-hybrid-cryptography-algorithm
Implementation of-hybrid-cryptography-algorithm
Ijcem Journal
 
Hybrid encryption ppt
Hybrid encryption pptHybrid encryption ppt
Hybrid encryption ppt
prashantdahake
 
Encryption
EncryptionEncryption
Encryption
Naiyan Noor
 
IRJET- Comparative Analysis of Encryption Techniques
IRJET- Comparative Analysis of Encryption TechniquesIRJET- Comparative Analysis of Encryption Techniques
IRJET- Comparative Analysis of Encryption Techniques
IRJET Journal
 
White Paper on Cryptography
White Paper on Cryptography White Paper on Cryptography
White Paper on Cryptography
Durgesh Malviya
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
SecurityTube.Net
 
Ch12 Cryptography it-slideshares.blogspot.com
Ch12 Cryptography it-slideshares.blogspot.comCh12 Cryptography it-slideshares.blogspot.com
Ch12 Cryptography it-slideshares.blogspot.com
phanleson
 
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
International Journal of Science and Research (IJSR)
 
Encryption Techniques
Encryption TechniquesEncryption Techniques
Encryption Techniques
Del Elson
 
Hybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and GoHybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and Go
Eleanor McHugh
 
Encryption
EncryptionEncryption
Encryption
IGZ Software house
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption Mechanism
Amit Singh
 
Cryptography
CryptographyCryptography
Cryptography
Vishalya Dulam
 
Encryption techniques
Encryption techniques Encryption techniques
Encryption techniques
ShrikantSharma86
 
A study of cryptography for satellite applications
A study of cryptography for satellite applicationsA study of cryptography for satellite applications
A study of cryptography for satellite applications
Rajesh Ishida
 
researchpaperfinal1
researchpaperfinal1researchpaperfinal1
researchpaperfinal1
Sumit Bajaj
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption Standard
Amirul Wiramuda
 
Information and network security 31 public key cryptography
Information and network security 31 public key cryptographyInformation and network security 31 public key cryptography
Information and network security 31 public key cryptography
Vaibhav Khanna
 
82 86
82 8682 86
82 86
Editor IJARCET
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
Shafaan Khaliq Bhatti
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
7wounders
 
Encryption
EncryptionEncryption
Encryption
keith dias
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption
ranjit banshpal
 
A Robust Cryptographic System using Neighborhood-Generated Keys
A Robust Cryptographic System using Neighborhood-Generated KeysA Robust Cryptographic System using Neighborhood-Generated Keys
A Robust Cryptographic System using Neighborhood-Generated Keys
IJORCS
 
Chapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption StandardChapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption Standard
Shafaan Khaliq Bhatti
 
Lilybeth Pineda - Portfolio
Lilybeth Pineda - PortfolioLilybeth Pineda - Portfolio
Lilybeth Pineda - Portfolio
LilybethPineda
 
2011 Topps Football Trading Cards
2011 Topps Football Trading Cards2011 Topps Football Trading Cards
2011 Topps Football Trading Cards
CollectandSave
 

More Related Content

What's hot

Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
SecurityTube.Net
 
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
International Journal of Science and Research (IJSR)
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption Mechanism
Amit Singh
 
researchpaperfinal1
researchpaperfinal1researchpaperfinal1
researchpaperfinal1
Sumit Bajaj
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
7wounders
 
A Robust Cryptographic System using Neighborhood-Generated Keys
A Robust Cryptographic System using Neighborhood-Generated KeysA Robust Cryptographic System using Neighborhood-Generated Keys
A Robust Cryptographic System using Neighborhood-Generated Keys
IJORCS
 

What's hot (20)

Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
 
Ch12 Cryptography it-slideshares.blogspot.com
Ch12 Cryptography it-slideshares.blogspot.comCh12 Cryptography it-slideshares.blogspot.com
Ch12 Cryptography it-slideshares.blogspot.com
 
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
A New Design of Algorithm for Enhancing Security in Bluetooth Communication w...
 
Encryption Techniques
Encryption TechniquesEncryption Techniques
Encryption Techniques
 
Hybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and GoHybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and Go
 
Encryption
EncryptionEncryption
Encryption
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption Mechanism
 
Cryptography
CryptographyCryptography
Cryptography
 
Encryption techniques
Encryption techniques Encryption techniques
Encryption techniques
 
A study of cryptography for satellite applications
A study of cryptography for satellite applicationsA study of cryptography for satellite applications
A study of cryptography for satellite applications
 
researchpaperfinal1
researchpaperfinal1researchpaperfinal1
researchpaperfinal1
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption Standard
 
Information and network security 31 public key cryptography
Information and network security 31 public key cryptographyInformation and network security 31 public key cryptography
Information and network security 31 public key cryptography
 
82 86
82 8682 86
82 86
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
 
Encryption
EncryptionEncryption
Encryption
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption
 
A Robust Cryptographic System using Neighborhood-Generated Keys
A Robust Cryptographic System using Neighborhood-Generated KeysA Robust Cryptographic System using Neighborhood-Generated Keys
A Robust Cryptographic System using Neighborhood-Generated Keys
 
Chapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption StandardChapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption Standard
 

Viewers also liked

Lilybeth Pineda - Portfolio
Lilybeth Pineda - PortfolioLilybeth Pineda - Portfolio
Lilybeth Pineda - Portfolio
LilybethPineda
 
2011 Topps Football Trading Cards
2011 Topps Football Trading Cards2011 Topps Football Trading Cards
2011 Topps Football Trading Cards
CollectandSave
 
Professional Service Management
Professional Service ManagementProfessional Service Management
Professional Service Management
voolvoolak
 
Presentatie
PresentatiePresentatie
Presentatie
mickeyle
 

Viewers also liked (10)

Lilybeth Pineda - Portfolio
Lilybeth Pineda - PortfolioLilybeth Pineda - Portfolio
Lilybeth Pineda - Portfolio
 
2011 Topps Football Trading Cards
2011 Topps Football Trading Cards2011 Topps Football Trading Cards
2011 Topps Football Trading Cards
 
2011 Rookies and Stars Football
2011 Rookies and Stars Football2011 Rookies and Stars Football
2011 Rookies and Stars Football
 
2012 Upper Deck Goodwin Champions
2012 Upper Deck Goodwin Champions2012 Upper Deck Goodwin Champions
2012 Upper Deck Goodwin Champions
 
Professional Service Management
Professional Service ManagementProfessional Service Management
Professional Service Management
 
Motywacja bez efektu jo-jo
Motywacja bez efektu jo-joMotywacja bez efektu jo-jo
Motywacja bez efektu jo-jo
 
Presentatie
PresentatiePresentatie
Presentatie
 
Boaborea: Handreiking niemand buitenspel
Boaborea: Handreiking niemand buitenspel Boaborea: Handreiking niemand buitenspel
Boaborea: Handreiking niemand buitenspel
 
Managed operations: fare Service Support al tempo della crisi
Managed operations: fare Service Support al tempo della crisiManaged operations: fare Service Support al tempo della crisi
Managed operations: fare Service Support al tempo della crisi
 
Toda la presentacion
Toda la presentacionToda la presentacion
Toda la presentacion
 

Similar to Encryption

Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
editor1knowledgecuddle
 
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
ams1ams11
 

Similar to Encryption (20)

無題 1
無題 1無題 1
無題 1
 
Seminar on Encryption and Authenticity
Seminar on Encryption and AuthenticitySeminar on Encryption and Authenticity
Seminar on Encryption and Authenticity
 
Data encryption
Data encryptionData encryption
Data encryption
 
Cryptography and security
Cryptography and securityCryptography and security
Cryptography and security
 
Basic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSBasic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSS
 
Asif
AsifAsif
Asif
 
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
 
Data encryption algorithm(edit)
Data encryption algorithm(edit)Data encryption algorithm(edit)
Data encryption algorithm(edit)
 
82 86
82 8682 86
82 86
 
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
 
Cryptographic Algorithms For Secure Data Communication
Cryptographic Algorithms For Secure Data CommunicationCryptographic Algorithms For Secure Data Communication
Cryptographic Algorithms For Secure Data Communication
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxSecret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
 
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxSecret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
 
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
 
s117
s117s117
s117
 
Week 12 slide
Week 12 slideWeek 12 slide
Week 12 slide
 
Week 12 slide
Week 12 slideWeek 12 slide
Week 12 slide
 
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUESA REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
Chris Hunter
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 

Recently uploaded (20)

Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

Encryption

  • 1. Chapter 1: Basic Terminology Encryption is the process of turning a clear-text message (Plaintext) into a data stream which looks like a meaningless and random sequence of bits (ciphertext). The process of turning ciphertext back into plaintext is called decryption. Cryptography deals with making communications secure. Cryptoanalysis deals with breaking ciphertext, that is, recovering plaintext without knowing the key. Cryptology is a branch of mathematics which deals with both cryptography and cryptoanalysis. A cryptographic algorithm, also known as a cipher, is a mathematical function which uses plaintext as the input and produces ciphertext as the output and vice versa. All modern ciphers use keys together with plaintext as the input to produce ciphertext. The same or a different key is supplied to the decryption function to recover plaintext from ciphertext. The details of a cryptographic algorithm are usually made public. It is the key that the security of a modern cipher lies in, not the details of the cipher. Symmetric algorithms use the same key for encryption and decryption. These algorithms require that both the sender and receiver agree on a key before they can exchange messages securely. Some symmetric algorithms operate on 1 bit (or sometimes 1 byte) of plaintext at a time. They are called stream ciphers. Other algorithms operate on blocks of bits at a time. They are called block ciphers. Most modern block ciphers use the block size of 64 bits. Public-key algorithms (also known as asymmetric algorithms) use two different keys (a key pair) for encryption and decryption. The keys in a key pair are mathematically related, but it is computationally infeasible to deduce one key from the other. These algorithms are called "public-key" because the encryption key can be made public. Anyone can use the public key to encrypt a message, but only the owner of the corresponding private key can decrypt it. Some public-key algorithms such as RSA allow the process to work in the opposite direction as well: a message can be encrypted with a private key and decrypted with the corresponding public key. If Alice (or anyone else) can decrypt a message with Bob's public key she knows that the message must have come from Bob because no one else has Bob's private key. Digital signatures work this way. Chapter 2: Symmetric Cryptography Symmetric encryption is the backbone of any secure communication system. Dozens of symmetric algorithms have been invented and impemented, both in hardware and software. This chapter briefly describes those relevant to the Microsoft impementation of cryptography. Block Ciphers Block ciphers are cryptographic algorithms which operate on 64-bit blocks of plaintext. The encryption procedure usually consists of multiple and complex rounds of bit shifts, XORs, permutations and substitutions of plaintext and key bits. Decryption is similar to encryption except that some operations may be performed in the reverse order. Some algorithms use fix-length keys, for others the key length may vary. DES Data Encryption Standard (DES) is a block cipher invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. It has been a worldwide cryptographic standard since 1976 [1]. DES is a fixed-key-length algorithm. It uses 56-bit keys. Any 56-bit number can be a key.
  • 2. DES has been remarkably resistant to cryptanalysis, but its short key length makes it vulnerable to a brute-force attack where all possible keys are tried one by one until the correct key in found. Bruce Schneier writes: "A brute-force DES-cracking machine that can find a key in an average of 3.5 hours cost only $1 million in 1993. DES is so widespread that it is naive to pretend that NSA <National Security Agency> ... haven't built such a machine. ... DES will only become less secure as time goes on." [1]. DES is implemented by the Microsoft Enhanced Cryptographic Provider. RC2 RC2 was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published. RC2 is a variable-key-length cipher. However, when using the Microsoft Base Cryptographic Provider, the key length is hard-coded to 40 bits. When using the Microsoft Enhanced Cryptographic Provider, the key length is 128 bits by default and can be in the range of 40 to 128 bits in 8-bit increments. Triple DES The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys. This way the effective key length becomes 56 x 3 = 168 bits which makes brute-force attacks virtually impossible. Triple DES is implemented by the Microsoft Enhanced Cryptographic Provider. Triple DES with 2 Keys In this variation, DES encryption is still applied three times but using only 2 keys: first key 1 is applied, then key 2 and then key 1 again. The effective key length is 56 x 2 = 112 bits. Triple DES with 2 keys is implemented by the Microsoft Enhanced Cryptographic Provider. Advanced Encryption Standard (AES) aka Rijndael Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. Rijndael became the AES after the FIPS approval by the U.S. government in 2001. The cipher currently supports key lengths of 128, 192, and 256 bits. AES is implemented by the "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" on Windows XP and "Microsoft Enhanced RSA and AES Cryptographic Provider" on Windows 2003. Windows NT and 2000 do not support this cipher. AspEncrypt offers support for AES starting with version 2.3. Stream Ciphers Stream ciphers encrypt plaintext one bit (or sometimes byte) at a time. The stream of plaintext bits are XORed with the output of a keystream generator which produces a stream of bits based on a seed value. This seed value is the key for a stream cipher. The decryption process is identical: the ciphertext bits are XORed with the same keystream (which is the function of the key). RC4
  • 3. RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. The details of the algorithm have not been officially published. However, the algorithm's internals have been posted on the Internet, and the book Applied Cryptography contains its detailed description. The algorithm is extremely easy to describe and program. Just like RC2, 40-bit RC4 is supported by the Microsoft Base Cryptographic provider, and the Enhanced provider allows keys in the range of 40 to 128 bits in 8-bit increments. Chapter 3: One-way Hash Function A one-way hash function, also known as a message digest, fingerprint or compression function, is a mathematical function which takes a variable-length input string and converts it into a fixed-length binary sequence. Furthermore, a one-way hash function is designed in such a way that it is hard to reverse the process, that is, to find a string that hashes to a given value (hence the name one-way.) A good hash function also makes it hard to find two strings that would produce the same hash value. All modern hash algorithms produce hash values of 128 bits and higher. Even a slight change in an input string should cause the hash value to change drastically. Even if 1 bit is flipped in the input string, at least half of the bits in the hash value will flip as a result. This is called an avalanche effect. Since it is computationally infeasible to produce a document that would hash to a given value or find two documents that hash to the same value, a document's hash can serve as a cryptographic equivalent of the document. This makes a one-way hash function a central notion in public-key cryptography. When producing a digital signature for a document, we no longer need to encrypt the entire document with a sender's private key (which can be extremely slow). It is sufficient to encrypt the document's hash value instead. Although a one-way hash function is used mostly for generating digital signatures, it can have other practical applications as well, such as storing passwords in a user database securely or creating a file identification system. See the Tasks section for some examples. Hash Algorithms The Microsoft cryptographic providers support three hash algorithms: MD4, MD5 and SHA. MD4 & MD5 Both MD4 and MD5 were invented by Ron Rivest. MD stands for Message Digest. Both algorithms produce 128-bit hash values. MD5 is an improved version of MD4. SHA SHA stands for Secure Hash Algorithm. It was designed by NIST and NSA. SHA produces 160-bit hash values, longer than MD4 and MD5. SHA is generally considered more secure that other algorithms and is the recommended hash algorithm. Chapter 4: Public-Key Cryptography Unlike symmetric cryptography, public key cryptography uses two different keys - one public and one private. The keys are mathematically related, yet it is computationally infeasible to deduce one from the other. Anyone with the public key can encrypt a message but not decrypt it. Only the person with the private key can decrypt the message.
  • 4. Bruce Schneier compares public-key cryptography with a mailbox. He writes: "Putting mail in the mailbox is analogous to encrypting with the public key; anyone can do it. Just open the slot and drop it in. Getting mail out of a mailbox is analogous to decrypting with the private key. Generally it's hard; you need welding torches. However, if you have the secret (the physical key to the mailbox), it's easy to get mail out of a mailbox." [1] Secure Communications using Public-Key Cryptography Using public-key cryptography, Alice and Bob can communicate securely using the following simple protocol: • Alice and Bob agree on a public key algorithm. • Bob sends Alice his public key. • Alice encrypts her message with Bob's public key and sends it to Bob. • Bob decrypts Alice's message with his private key. Notice that this protocol does not require any prior arrangements (such as agreeing on a key) for Alice and Bob to communicate securely. In real-world implementations, public keys are rarely used to encrypt actual messages as public-key cryptography is very slow, about 1000 times slower that conventional cryptography [1]. Instead, public-key cryptography is used to distribute symmetric keys which are then used to encrypt and decrypt actual messages, as follows: • Bob sends Alice his public key. • Alice generates a random symmetric key (usually called a session key), encrypts it with Bob's public key and sends it to Bob. • Bob decrypts the session key with his private key. • Alice and Bob exchange messages using the session key. Systems that use both symmetric and public-key cryptography in this manner are called hybrid. Digital Signatures Certain public-key algorithms such as RSA allow both the public and private key to be used for encryption. If a message is encrypted with someone's private key it can only be decrypted with the corresponding public key. This feature can be used to create digital signatures, as follows: • Alice encrypts the document with her private key. The encrypted document becomes her digital signature. • Alice sends the signature to Bob. • Bob decrypts the document with Alice's public key thereby verifying the signature. Once again, encrypting an actual message with a private key is very inefficient. Instead of signing the entire document, the document's hash can be signed, as follows: • Alice computes a one-way hash of a document. • Alice encrypts the hash with her private key. The encrypted hash becomes the document's signature. • Alice sends the document along with the signature to Bob. • Bob produces a one-way hash function of the document received from Alice, decrypts the signature with Alice's public key and compares the two values. If they match, Bob knows that: (1) the document really came from Alice and (2) the document was not tampered with during transmission.
  • 5. RSA RSA is by far the most popular public-key cryptography algorithm. It supports both encryption and digital signatures. It is also the easiest one to describe and implement. RSA has withstood years of extensive cryptoanalysis and is a de facto standard in much of the World [1]. RSA is named after the three inventors - Ron Rivest, Adi Shamir and Leonard Adleman. In RSA, a public key is based on the product of two large prime numbers. These two numbers must be kept secret as they are used to compute the private key. The product of the two prime numbers is referred to as modulus. The security of RSA lies in the difficulty of factoring large numbers. The Microsoft Base Cryptographic Provider implements RSA with a 512-bit modulus. With the Microsoft Enhanced Provider, the default modulus is 1024 bits, and valid moduli can be in the range of 384 bits to 16,384 bits in 8 bit increments. Man-in-the Middle Attack The hybrid communication protocol described above is vulnerable to a man-in-the-middle attack. Let's assume that Mallory, an enemy hacker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack goes: • Bob sends Alice his public key. Mallory intercepts the key and sends his own public key to Alice. • Alice generates a random session key, encrypts it with "Bob"'s public key (which is really Mallory's) and sends it to Bob. • Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bob's public key and sends it to Bob. • Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key. • Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now read the entire conversation. A man-in-the-middle attack works because Alice and Bob have no way to verify they are talking to each other. An independent third party that everyone trusts is needed to foil the attack. This third party could bundle the name "Bob" with Bob's public key and sign the package with its own private key. When Alice receives the signed public key from Bob, she can verify the third party's signature. This way she knows that the public key really belongs to Bob, and not Mallory. A signed package containing a person's name (and possibly some other information such as an email address and company name) and his/her public key is called a digital certificate (or digital ID). An independent third party that everyone trusts whose responsibility is to issue certificates is called a Certification Authority (CA). Digital certificates are the topic of the next chapter. Chapter 5: Digital Certificates A certificate is a data package that completely identifies an entity, and is issued by a Certification Authority (CA) only after that authority has verified the entity's identity. The data package includes the public key that belongs to the entity. When the sender of a message signs the message with its private key, the recipient of the message can use the sender's public key (retrieved from the certificate either sent with the message or available elsewhere on the network) to verify that the sender is legitimate. X.509 Certificates The X.509 protocol defines the following structure for public-key certificates: Version
  • 6. Serial Number Signature Algorithm Issuer Name Period of Validity • Not Before Date • Not After Date Subject Name Subject's Public Key • Algorithm • Public Key Extensions Signature The version field identifies the certificate format. The serial number is unique within the CA. The Signature Algorithm identifies the algorithm used to sign the certificate. Issuer is the name of the CA. The period of validity is a pair of dates; the certificate is valid during the time period between the two. Subject is the name of the user to whom the certificate is issued. The subject's public key field includes the algorithm name and the public key itself. The last field is the CA's signature. Certification Hierarchy In order for digital certificates to be effective, the users of the network must have a high level of trust in the certificate. But what happens if someone doesn't trust the CA - perhaps the person has never heard of the CA before. This problem is addressed in the certifying process by something called the hierarchy of trust. The concept of hierarchy of trust is simply that the process must begin with some certifying authority that everyone agrees is trustworthy. This ultimate authority is called the root authority. The root authority then can certify other CAs below it, who can then certify CAs below them, etc. This is illustrated on the following diagram:
  • 7. When someone receives a certificate that has been issued by a first- or second-tier CA, he or she can verify that the CA that signed the certificate has been certified by a CA at the tier above it and that, in turn, that CA has been certified by the one above it, and so on until a chain of trust exists between the lower level CA (or a user certificate) and the root CA. For example, in the preceding diagram, it can be verified that CA #4 was certified by CA #1 and that CA #1 was certified by the root CA. This means that when a certificate from a lower-level CA is passed along with the encrypted message, all of the certificates in its chain of trust up to the root should be passed along with it. Certificate Requests A certificate request is a signed data package that contains a person's information such as name, email address, company name etc, and his/her public key. A certificate request is generated by a person wishing to obtain a certificate from the CA. Certificate requests are signed by the person's private key to prevent tampering with during transmission. When the CA receives a certificate request it extracts a person's name and public key information and performs a certain procedure aimed at verifying that the public key really belongs to the person whose name is included in the certificate request. If the verification process is successful, the CA issues the certificate and sends it to the requestor. Certificate Revocation Lists Certificates can also be revoked, either because the user's key has been compromised, the CA's key has been compromised, or because the CA no longer wants to certify the user. Each CA maintains a list of all revoked but not expired certificates. When Alice receives a new certificate she should check to see if it has been revoked. She can check a database of revoked keys on the network or locally cached list or revoked certificates. Chapter 6: Secure Mail and S/MIME Secure Multipurpose Internet Mail Extensions (S/MIME) is a de facto standard developed by RSA Data Security, Inc, for sending secure mail based on public-key cryptography. MIME is the industry standard format for electronic mail, which defines the structure of the message's body. S/MIME-supporting e-mail applications add digital signatures and encryption capabilities to that format to ensure message integrity, data origin authentication and confidentiality of electronic mail. Signed Mail When a signed message is sent, a detached signature in the PKCS #7 format is sent along with the message as an attachment. The signature attachment contains the hash of the original message signed with the sender's private key, as well as the signer certificate. Enveloped Mail Enveloped (encrypted) mail is generated using a recipient's public key. The message is actually encrypted using a random symmetric key, and it is that symmetric key that is encrypted using the
  • 8. recipient's public key and sent along with the message. If a message is being sent to multiple recipients, the symmetric key is encrypted separately by every recipient's public key. The enveloped message and all encrypted symmetric keys are packaged together using the PKCS#7 format. Signed & Enveloped Mail S/MIME also supports messages that are first signed with the sender's private key and then enveloped using the recipients' public keys. S/MIME-Enabled Status of AspEmail The AspEmail component, when used in conjunction with AspEncrypt, is capable of sending S/MIME-compliant mail. The S/MIME Enabled logo indicates that the component has passed RSA's S/MIME Interoperability Test and is included into the S/MIME Interoperability Master Matrix. For more information on the S/MIME Enabled logo, visit RSA at http://www.rsasecurity.com/standards/smime/about.html. S/MIME Central at RSA For a complete set of S/MIME specifications, visit RSA's S/MIME Central at http://www.rsa.com/smime.