# bytezealot | Cryptography | Section 2

**By:**bytezealot |

**Related Course:**Cryptography |

**Published:**February 16, 2017 |

**Modified:**February 21, 2017

## Cryptography - Summary

**>Cryptography in History:**

*Caesar Cipher

– Caesar’s Era…

– Shift characters 3 spaces.

Scytale

– Spartans’ Era…

– Wrapping tape (cipher) around a rod: the rod diameter is the pre-agreed key (upon secret)

Vignere

– First “poly-alphabetic cipher”

– Again, key (word) was exchanged ahead of time

*Vernam

– One-Time Pad (Key)

– The only mathematically unbreakable form of cryptography

– Key must be used only once

– Pad must be at least as long as the message

– Key Pad is statistically unpredictable

– Key Pad must be delivered and stored securely

*Enigma Machine and Purple Machine

– they were rotary based (3 to 4 rotors)…

– Used by the German and the Japanese in WWII

– The Polish broke it down pretty quick

– The breaking is credited with shaving months off the war

**>Services that Cryptography can provide:**

Privacy (Confidentiality) – Prevent unauthorized disclosure

– Social Engineering

– Media Reuse (Zeroing or destroying media…)

– Eavesdropping

Authenticity – We get a little authenticity from:

– MAC

– Digital Signature

Integrity

– Accidental Modification

– Hash/Message Digest

– Intentional Modification

– MAC (Message Authentication Code)

– Digital Signature (requires an infrastructure (PKI))

Non-Repudiation (the assurance that someone cannot deny something)

– Digital Signature

Mnemonic: PAIN

– (P)rivacy

– (A)uthenticity

– (I)ntegrity

– (N)on Repudiation

**>Confidentiality (Privacy)**

Plaintext + Initialization Vector (optional) + Algorithm + Key = Ciphertext

– Initialization Vector uses pseudo-random (computers don’t do random…)

**>Symmetric Cryptography (= same):**

– Private Key

– Secret Key

– Shared Key

– Session Key (for ex.: disposable after some time)

– Block

– ex.: AES, 3DES

(- PGP: idea)

– Stream – bit by bit (very efficient, fast, but not as secure)

– ex.: RC-4

(- XOR…)

**Nonces:** Attach information to each packet without it being sequential…**Key Generation:** Again, uses pseudo-randomness.

Block Cipher is slower but more secure.

Confusion (substitution)

– Good Strong Math

Diffusion

– Permutation (rounds)

**KEY:**

1 – We want a long key, but math involved matters too;

2 – We also want our key to use as much randomness as possible;

3 – Of course, we want the key to be kept a secret!

*** If all things are equal, the longer the key, the better;

*** All keys in the symmetric world are private.

Stream Cipher is a bit by bit encryption type.

XOR, transposition, substitution

– RC-4: WEP, WPA

but, btw, WPA2 uses AES…

**Pros and Cons of Symmetric Cryptography:**

Con:

– Out of band key distribution (hard to exchange a key)

– Not Scalable (too many keys…) => #Keys = (N*(N-1))/2

– 1: No authenticity

– 2: No integrity

– 1+2=THEN: No non-repudiation

Pro:

– FAST, FAST, FAST!

**>Asymmetric Cryptography – Public Key Cryptography (= different):**

– 2 KEYS, ie. a key pair (1 Public & 1 Private)

– Anything encrypted with one key (ex.: public) can only be decrypted with the other key (ex.: private)…

– Uses:

– Discrete Logarithms

– ex.: Diffie-Hellman, ECC, El Gamal

– Factorization

– ex.: RSA

Asymmetric Cryptography (Gives P.A.I.N.):

– Privacy (only the receiver has the private key)

– Authenticity (successful decryption implies the sender owns the private key…)

– Integrity (with hash)

– Non-Repudiation (Privacy + Authenticity + Integrity = Non-Repudiation)

– A mechanism called a “digital signature” (hash with private key…)

**>Hybrid Cryptography (SSL/TLS):**

– Asymmetric Key Exchange, but Symmetric Data Exchange!

– 1: The client requests the server a public key (or a certificate containing the public key);

– 2: The Server gives its public key to the Client;

– 3: The Client generates a symmetric session key with the public key;

– 4: Now all data exchanged is encrypted with the symmetric session key.

– It creates some sort of secure channel…

– Problem: Authenticity of server in step 1…

– Solution: Trusted CA (Certificate Authority, ex.: Verisign CA)

– PKI (Public Key Infrastructure (not cheap…))

– CRL (Certificate Revocation List)

– OCSP (Online Certificate Status Protocol)

– To make is easier for the client to check if a certificate has been revoked.

————————————————–

– Key (Crypto-Variable): Instructions on how we’re going to use the algorithm…

**>Hashing and Hashing Collisions**

– We only get Integrity, so no Authenticity, etc.

Add a Digital Signature and you get true Integrity, Authenticity, and Non-Repudiation.

But, a Digital Signature requires a PKI (Public Key Infrastructure)

MAC = Message Authentication Code = Message + “Symmetric Key” + Hashing Algorithm

But, true Non-Repudiation comes through asymmetric encryption.

Hash Collision: 2 different documents giving the same hash.

(possible, because of maths involved…)

————————————————–

**>Digital Signatures**

– Hash + Asymmetric Algorithm (RSA is the standard)

————————————————–

**>Full Disk Encryption:** TPM (Trusted Platform Module (TPM chip on the motherboard…))

– BitLocker

– PGP

————————————————–

**>Tools to explore cryptography:** CRYPTOOL, Advanced Encryption Package, and HashMyFiles.

## Cryptography Part 2: an In-Depth Review

**Cryptography Part 2: An In-Depth Review**

**PKI (Public Key Infrastructure):**

**– CA (Certificate Authority)**

The CA stores issues, and signs the digital certificates.

**– RA (Registration Authority)**

Verifies the identity of entities requesting their digital certificates to be stored at the CA.

**– X.509 (PKIX)**

X.509 is an important standard for a public key infrastructure to manage digital certificates[1] and public-key encryption[2] and a key part of the Transport Layer Security protocol used to secure web and email communication (Secret-Bases).

**– IKE (Internet Key Exchange)**

IKE and SSL together are used during the initial set-up of a secure channel. Initial set-up uses Asymmetric Cryptography and then Symmetric Cryptography is used to exchange data, creating some sort of a secure tunnel or channel.

**– ISAKMP (Internet Security Association and Key Management Protocol)**

ISAKMP provides a framework for authentication and key exchange and is designed to be key exchange independent. It creates a channel for the key exchange between the IPsec peers.

**– CRL (Certificate Revocation List)**

The Certificate Revocation List is a list of certificates that have been revoked, and therefore should no longer be trusted.

**Symmetric Cryptography:**

* Symmetric means that there is only one “secret” key.

**– AES**

“Advanced Encryption Standard” is a symmetric-key block cipher that was developed by two Belgian cryptographer, Joan Daemen, and Vincent Rijmen. AES is a subset of the Rijndael cipher. More info can be found at http://aesencryption.net

**– DES**

“Data Encryption Standard” is a symmetric-key block cipher developed in the early 1970s at IBM and based on an earlier design by the Horst Feistel cipher. It was published by the National Institute of Standards and Technology (NIST). It uses 16 round Feistel structure. The block size is 64-bit.

**– 3DES**

“Triple Data Encryption Standard” is a symmetric-key block cipher that applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The key size is increased in Triple DES to ensure additional security through encryption capabilities.

**– IDEA**

“International Data Encryption Algorithm”, originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. It is a minor revision of the Proposed Encryption Standard (PES). IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations called a round (Wikipedia, IDEA).

**– CAST**

CAST is a general procedure for constructing a family of symmetric-key block ciphers; individual ciphers have names like CAST-128 (CAST5) and CAST-256 (CAST6). CAST-128 appears to be the default cipher in some versions of GPG and PGP. CAST ciphers are Feistel ciphers using large S-boxes, 8*32 rather than the 6*4 of DES.

**– 2FISH**

Twofish is a symmetric-key block cipher with a block size of 128 bits and key sizes up to 256 bits. Its distinctive features are the use of pre-computed key-dependent S-boxes, and a relatively complex key schedule. One-half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm (key-dependent S-boxes).

**– Blowfish**

Blowfish is a symmetric-key block cipher designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. It was a predecessor to 2FISH.

**– Serpent**

Serpent is a symmetric-key block cipher that has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. It was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

**– Rijndael**

Rijndael (pronounced rain-dahl) is actually the algorithm that has been selected by the U.S. National Institute of Standards and Technology (NIST) as the candidate for the Advanced Encryption Standard (AES).

* You can notice that all of these symmetric encryption algorithms are using block ciphers…

**Asymmetric Cryptography:**

* Note: Public-Key cryptography was first invented in the 1970s by Whitfield Diffie, Martin Hellman, and Ralph Merkle. Asymmetric means that there are two different keys.

**– DH (Diffie-Hellman)**

Diffie-Hellman is an algorithm used to establish a shared secret between two parties. It is primarily used as a method of exchanging cryptography keys for use in symmetric encryption algorithms like AES. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. More info about the maths involved can be found at http://mathworld.wolfram.com/Diffie-HellmanProtocol.html.

**– ElGamal**

The ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems (redhat.com). ElGamal encryption can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms.

**– DSA (Digital Signature Algorithm)**

DSA is a bit faster than RSA when creating a signature (an encrypted token to be used by one or both sides), but slower than RSA when analyzing/validating that signature (token). Similarly, DSA is faster to decrypt, but slow(er) to encrypt; RSA is opposite. The patent for DSA was first filed July 26, 1991 and attributed to David W. Kravitz, a former NSA employee, and is a variant of the ElGamal Signature Scheme.

**– RSA (stands for Ron Rivest, Adi **Shamir** and Leonard Adleman)**

RSA is the algorithm used by modern computers to encrypt and decrypt messages. It provides establishment of an SSL/TLS session. This is also called public key cryptography, because one of them can be given to everyone. The other key must be kept private. It is based on the fact that finding the factors of an integer is hard (the factoring problem). RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978.

**– ECC (Elliptic Curve Cryptography)**

ECC is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.

**– Knapsack**

The Merkle–Hellman knapsack cryptosystem was one of the earliest public key cryptosystems invented by Ralph Merkle and Martin Hellman in 1978. The ideas behind it are simpler than those involving RSA. Knapsack has since been broken, as it is based on the subset sum problem (a special case of the knapsack problem). The problem is as follows: given a set of numbers A and a number b, find a subset of A which sums to b. In general, this problem is known to be NP-complete. However, if the set of numbers (called the knapsack) is superincreasing, meaning that each element of the set is greater than the sum of all the numbers in the set lesser than it, the problem is “easy” and solvable in polynomial time with a simple greedy algorithm.

Sources: Mostly Google and Wikipedia…

Secret-Bases: http://www.secret-bases.co.uk/wiki/X.509_certificate

Wikipedia, IDEA: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm

Redhat.com: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/apas02s06.html