Cryptographic Elements and Systems

Objectives:
Basic cryptography concepts, including the importance of key length Encryption for confidentiality, including symmetric key encryption and public key encryption

Concepts
Many times two parties simply wish to communicate securely. The figure below shows that secure communication often takes place under the protection of a cryptographic system, in which software processes used by two communicating parties implement security automatically without the awareness of the communicating party. Cryptographic systems provide four types of protection to a conversations messages Confidentiality: Protection against eavesdroppers understanding intercepted messages Authentication: Assurance that senders are who they claim to be Message Integrity: Assurance that the messages has not been changed en route Anti-replay protection: Assurance that if an attacker captures a message and transmit it again later, the receiver will not accept the message.
Secure Communication

Confidentiality Authentication Message Integrity Anti-Replay Protection

Client PC with Cryptographic System Software

Provided Automatically

Server with Cryptographic System Software

Encryption for Confidentiality

The term cryptography literally means secret writing. It originally was created as a way to prevent unauthorized people from reading messages. In other words, it was created for confidentiality. Encryption can be used for other forms of protection, including authentication and message integrity. Plaintext, Encryption, Decryption and Ciphertext Plaintext

As seen in the second figure, the original message to be sent is called the plaintext. This name may seem to imply that only text message can be protected but a plaintext message can be graphics, voice or anything else. The text in its name exists for historical reasons early cryptography actually was limited to text message. Encryption and Ciphertext Also in the diagram shows applying encryption to the plaintext creates something else called ciphertext. Encryption is a mathematical process and there are a lot of popular encryption algorithms available. The ciphertext that encryption produce looks like a random stream of ones and zeros to anyone intercepting the message. Decryption When the ciphertext message reaches the authorized receiver, the receiver is able to decrypt the message that is, apply a mathematical process that regenerates the original plaintext. Although unauthorized parties cannot read the ciphertext message en route, the authorized receiver can read the deciphered plaintext Keys Encryption Methods and Keys The figure shows that encryption processes have two parts. One is a mathematical algorithm (the encryption method), which is used in the same way on all messages. The other key is a key, which is a string of bits. Different keys produce different ciphertexts from the same plaintext even when the same method is used. Only few encryption methods have been developed, so it is impossible in practice to keep the encryption method secret. Consequently, communicating partners must keep their encryption keys secret.

Encryption Key

Plaintext Hello

Encryption Method And Key

Ciphertext 11011101

Interceptor

Network
Decryption Key Note: Interceptor cannot read ciphertext without the decryption key Decryption Method And Key

Ciphertext 11011101

Plaintext Hello

Encryption for confidentiality with Symmetric Key Encryption In general, two types of encryption methods exists: symmetric key encryption methods and public key encryption methods Symmetric Key Encryption: A Single Key The figure shows both sides use the same key. A method that uses a single key for both encryption and decryption in both directions is a symmetric key encryption method. Each side encrypts with this single key when it sends a message and each side decrypts with this single key when it receives a message. In other words, the encryption key is the same as the decryption key in both directions. Methods Data Encryption Standard (DES) In 1977, the U.S. National Bureau of Standards which is now the National Institute of Standards and Technology (NIST), created the Data Encryption Standard (DES). DES quickly became the most widely used symmetric key encryption method a position it is slowly beginning to lose to newer methods.

Symmetric Key

Plaintext Hello

Encryption Method And Key

Ciphertext 11011101

Interceptor

Network
Same Symmetric Key Decryption Method And Key

Note: A single key is used to encrypt and decrypt in both directions

Ciphertext 11011101

Plaintext Hello

DES-CBC (DES-Cipher Block Chaining) One problem with simple DES is that the same input plaintext always gives the same output ciphertext. This provides opportunities for skilled cryptanalysis to break the DES key

Triple DES (3DES) Where stronger security than DES is needed, many firms turn to triple DES which extends the effective key size of DES. Advanced Encryption Standard (AES) In response to the obsolescence of DES and the processing burdens of 3DES, NIST has released a new Advanced Encryption Standard (AES) which is efficient enough in terms of processing power and RAM requirements to use on a wide variety of devices.

Encryption For Confidentiality With Public Key Encryption

Another class of encryption methods is public key encryption. Here, each party has a private key, which keeps secret from the world. In addition, each party has a public key as its name suggests, does not need to be kept secret.

The Basic Process Sending Whenever one party sends, it encrypts the plaintext with the public key of the receiver. When A sends to B, A encrypts with Bs public key. When B sends to A, B encrypts with As public key. Receiving Each receiver decrypts with its own private key. When A sends to B, B decrypts with Bs private key. In turn, when B sends to A, A decrypts with As private key. Once a message is encrypted with the receivers public key, nobody can decrypt it except the receiver. Even the sender cannot decrypt the message after encrypting it.

Encrypt with Party Bs Public Key Party A

Encrypted Message

Decrypt with Party Bs Private Key

Party B

Decrypt with Party As Private Key

Encrypt with Party As Public Key

Encrypted Message

Disadvantage and Advantage Complexity, Processing Intensiveness and Short Messages Public key encryption probably strikes you as complex. In fact, it is. It requires many computer processing cycles to do public key encryption and decryption about 100 times as many cycles to do public key encryption requires. The efficiency of this processing burden is so large that public key encryption can be used to encrypt small messages. The Simplicity of Exchange Keys A major benefit of public key encryption is that public keys are not secret, so there is no need to exchange them securely. Many people post their public key online for everyone to read. In contrast with symmetric key encryption, each pair of communication partners needs to have a symmetric key that must be exchanged securely.

Major Public Key Encryption Methods

RSA The most widely used public key encryption method is RSA which is named for its creators, Rivest, Shamir and Adleman. RSA was patented but its patent expired in 2000. Now that RSA is in the public domain, its domination if public key encryption may grow. Unfortunately, most commercial implementation use a key of only 512 bits. This is now considered too small for safety. Companies are now advised to use 1024 bit keys for normal encryption and 2048 bit keys for highly sensitive applications. Elliptic Curve Cryptosystem (ECC) A newer form of public key encryption, the elliptic curve cryptosystem (ECC) promises to provide equal protection with smaller keys and therefore less processing burden.

Using GPG for Public Key Encryption

The usual tool for encrypting email is the GNU Privacy Guard (GPG or GNU PG) package. This package is the open source re-implementation of the proprietary Pretty Good Privacy. In addition to encrypting entire messages, GPG enables you to digitally sign messages. Used in this way, messages can be read by recipients who lack the GPG software or appropriate keys; but those who have these tools can verify that the contents havent been tampered with. Generating and Importing Keys You need a private key and a public key. You can sign your messages with your private key and readers can verify it with your public key; or you can encrypt a message with another users pubic key and it can be decrypted only with that users private key. gpg - -gen-key The program will ask you series of questions . In most cases, answering with the defaults should work well, although you may have to type in your full name and email address. The keys are stored in the ~./gnupg directory. Once youve generated your keys, you can export your public key: gpg - -export name > gpg.pub This command saves the public key associated with the name in the file gpg.pub. You can use your email address as name.

You can then make your key available to other so that they may encrypt e-mail messages sent to you or verify your signed messages. Adding - -armor option produces ASCII output, which may be preferable if you intend to email the public key. You can make the file accessible on your website , transfer it as an email attachment or distribute it in other ways. To encrypt email you send to others, you must obtain their public keys. Ask your correspondents how to obtain them. Once youve done so, you can add their keys to your keyring (set of keys GPG maintains). gpg - -import filename This command adds filename to your set of public keys belonging to other people. Once youve created your own key and perhaps imported keys from others, you can see what keys are available by using the --list-keys option to gpg. gpg --list-keys /home/gel/.gnupg/pubring.gpg ------------------------------------------pub 1024/190EDB2E 2012-03-12 uid Ana Banana <ana@localhost.com> sub 2048g/0D657AC8 2012-03-12 pub 1024/A8B2061A uid sub 2048g/4F33EF6B 2012-03-12 Apple Mansanas <apol@localhost.com > 2012-03-12

The uid lines contains identifiers youll use when encrypting or decrypting data, so you should pay particular attention to that information. Encrypting and Decrypting Data To encrypt data, you use gpg with its --out and --encrypt options and optionally, --recipient and --armor: gpg --out encrypted-file --recipient uid --armor --encrypt original-file You can use the UID from a gpg list-keys output or just email address portion as the uid in this command. If you havent signed the recipients key, youll have to verify that you want to use that key. The result is the new file, encrypted-file which holds an encrypted version of original-file. If you omit the --armor option, the resulting file is a binary file, if you send it as email, youll need to send it as an attachment or otherwise encode it for transmission over the text-based email system. If you include the --armor option, the output is ASCII, so you can cut and paste the encrypted message into an email or send it as an attachment. If you receive a message or file that was created with your public key, you can reverse the encryption by using --decrypt option.

gpg --out decrypted-file --decrypt encrypted-file Youll be asked to enter your passphrase. The result should be the decrypted version of the original file. Signing Messages and Verifying Signatures As noted earlier, GPG can be used to sign messages so that recipients know they can from you. To do so, use the --sign or --clearsign option to gpg. gpg --clearsign original-file The --sign option creates a new file with the same name as the original but with .gpg appended to the filename. This file is encrypted using your private key, so that it may only be decrypted with your public key. This means that anybody with your public key may read the message, but anybody who can read it knows its from you. The --clearsign option works similarly but it leaves the message text unencrypted and only adds an encrypted signature that can only be verified using your public key. The --clearsign option creates a file with a name that ends in .asc If you received a signed message, you can verify the signature using the verify option to gpg gpg --verify received-file If any of the keys in your key ring can decode the message or verify the signature, gpg displays a Good signature message. To read a message that was encrypted with the --sign option, you must decrypt the message via the decrypt option.