Basics of cryptography
Marek Zachara
http://marek.zachara.name
1/25
Code vs Encryption

Coding is based on “codebooks”, usually on a semantic level
 Encryption is performed for each bit/byte
 Encryption translates a message into a ciphertext.
 Example of a very simple encryption: Caesar's cipher (a simple substitution cipher)
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Key determinants of the confidentiality
 Secret algorithm
 Secret key
2/25
Weakness of the simple ciphers: Letter frequency in a particular language
 Statistical analysis allows for reconstruction of the key
 It can be based on letters or letter compounds

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
a b c d e f g h i
j k l m n o p q r s t u v w x y z
3/25
Symmetric­key encryption
Basics
Common key
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Public channel
Hello,
Bob
Encryption
4XJ2OK
3PWKQA
Summary
Decryption
Hello, Bob
Algorytmy tego typu nazywane są

Secret­key, single­key, private shared key
4/25
Quality of encryption
The key is created using a random number generator. Its quality impacts the key security
 A good algorithm shall require (potentially) all the keys to be tried.

Stream cipher

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Encrypts data byte after byte (bit after bit).
Block cipher
The message is split into fixed­size blocks, usually 64, 128 or 256 bits.
 Different algorithms may be used to construct subsequent cipher blocks

5/25
Examples of block ciphers
Plaintext
Plaintext
Plaintext
Plaintext
Plaintext
Plaintext
Initialization Vector (IV)
block cipher
encryption
Key
block cipher
encryption
Key
block cipher
encryption
Key
block cipher
encryption
Key
Ciphertext
Ciphertext
Ciphertext
Key
Ciphertext
Electronic Codebook (ECB) mode encryption
block cipher
encryption
Key
Ciphertext
block cipher
encryption
Ciphertext
Cipher Block Chaining (CBC) mode encryption
Initialization Vector (IV)
Plaintext
Plaintext
Plaintext
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Initialization Vector (IV)
block cipher
encryption
Key
block cipher
encryption
Key
Plaintext
block cipher
encryption
Key
Plaintext
Ciphertext
Ciphertext
Ciphertext
Key
Counter
00000000
block cipher
encryption
Plaintext
Nonce
c59bcf35…
Key
Counter
00000001
block cipher
encryption
Plaintext
Ciphertext
Nonce
c59bcf35…
Key
Counter (CTR) mode encryption
block cipher
encryption
Key
Ciphertext
block cipher
encryption
Ciphertext
Propagating Cipher Block Chaining (PCBC) mode encryption
Counter
00000002
block cipher
encryption
Initialization Vector (IV)
Key
block cipher
encryption
Plaintext
Plaintext
Ciphertext
Key
Ciphertext
Cipher Feedback (CFB) mode encryption
Nonce
c59bcf35…
block cipher
encryption
Key
Plaintext
Ciphertext
Key
block cipher
encryption
Plaintext
Ciphertext
Key
block cipher
encryption
Plaintext
Ciphertext
Ciphertext
Output Feedback (OFB) mode encryption
Source: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
6/25
Selected encryption algorithms
DES:56 bit key, 64 bit block

Historical, not safe anymore
3DES: 3 x DES, 112­168 bit, 64bit block

Computationally ineffective, 'drop­in' replacement for DES
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
AES: 128­256 bit key, 128bit data block

Current industrial standard
Twofish, Serpent

Similar to AES
7/25
Introduction to practical cryptography
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Source: https://xkcd.com/
8/25
Hash functions, message digest
They create a constant­length string of characters based on the input string
 The result is irreversible

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
football
37b4e2d8290...
flower
608f0b988db...
flowers
7d37c580f9c...
9/25
Applications of hash functions
Password storage
 Message signatures
 Identification of integrity breach in data stream

Popular hash functions
CRC32 – fast, but not suitable for data protection
 MD5 – 128bit, very commonly used, but considered “cryptographically broken”
 MD6 – proposed successor of MD5
 SHA1 – 160 bit, susceptible to collision­based attacks, deprecated
 SHA2 – successor of SHA1, current standard

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
10/25
Cracking hashes with Rainbow tables

The use a pair of functions: hash & reduction
Hash chains are created (once)
 Analyzed hash is “reduced” and hashed many times until it matches one of the terminators.


The original key is reconstructed by starting from the beginning of the identified chain wikipedia
ao4kd
secret
9kpmw
jimbo
v0d$x
rootroot
abcdefgh
1vn6s
bernie
kolscx
zurich
8ntpy
myname
culture
re3xes
crypto
1tik0
linux23
passwd
dlcm4
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
11/25
Asymmetric encryption
Basics
Symmetric encryption
Public
chanel
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
How are
you?
Encryption
7JEYU5
HALE8X
Decryption
How are
you?
This algorithm is also known as 
Public key ­ based
12/25
Keys' properties
A key pair: public and private key
 Complementary application
 The pair must be generated at once
 Because one can't be built from another

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Liczba losowa
Generator kluczy
Klucz prywatny
Klucz publiczny
13/25
Asymmetric encryption algorithms


RSA – invented in 1977r, still in use
DSA – invented in 1991, patented, but free use is granted

ElGammal / Diffie­Hellman (1985)

ECC (Elliptic Curve Cryptography) – provides similar security level to RSA with a shorter key
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
14/25
Message signing
Basics
Hash:
294B5DA10...
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Message
Encrypted hash
Encrypted hash
Certificate
294B5DA10...
?
294B5DA10...
15/25
Message Authentication Code (MAC/HMAC)

Used to confirm the integrity and authenticity
of a message
SENDER
RECEIVER
MESSAGE
MESSAGE
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Key (K)
MAC
Algorithm
MAC
MAC:
Message Authentication Code

MESSAGE
MAC
MAC
Algorithm
Key (K)
MAC
=?
MAC
If the same MAC is found: then
the message is authentic and
integrity checked
Else: something is not right.
Usually with a mixed­in secret key
16/25
Hybrid encryption
Basics
Symmetric encryption
Exchange of public keys
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Sending a symmetric key
encrypted with public key
Further encryption utilizes the symmetric­key
17/25
Public Key Infrastructure (PKI)
Basics
TTP
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
18/25
X.509


The standard describing the PKI
Defines “Trusted Third Parties” – TTP
 But it is the user who decides whom to trust

Utilized to confirm the authenticity of servers and provided services

Used in w SMTP, POP3, IMAP, VPN, HTTPS

Also provides “chained certification” (certificate chains)
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
19/25
Parts of a certificate
Serial number
 Subject
 Signature alg.
 Issuer
 Validity
 Uses
 Public key
 Hash function
 Fingerprint
 CA signature

Certificate:
Data:
Version: 1 (0x0)
Serial Number: 7829 (0x1e95)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte
OU=Certification Services Division,
CN=Thawte Server CA/emailAddress=-certs@thawte.com
Validity
Not Before: Jul 9 16:04:02 1998 GMT
Not After : Jul 9 16:04:02 1999 GMT
Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
OU=FreeSoft, CN=www.freesoft.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
e8:35:1c:9e:27:52:7e:41:8f
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
68:9f
Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
20/25
PKI concerns
SSL does not enforce server authentication (but HTTPS does)
 There are known incidents of break­ins into TTPs stealing of private keys, which led to generation of counterfeit certificates e.g. Comodo in 2011

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
21/25
Certificate classes (according to Verisign)
Class 1: Personal (e­mail)
 Class 2: Organizations
 Class 3: Basic server certificate
 Class 4: B2B e­commerce
 Class 5: Government

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
In reality this is only marketing
Certificates are identical from the technical point of view, may have different fields
Basic domain­validated certificate
 Extended Validation (EV) – including Org. name

22/25
Rules of a secure communication
Confidentiality:
The data is encrypted, only a person who has a key can read it
 Summetrical or asymmetrical encryption, depending on the needs and available options

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Authenticity
Digital signature identifies the author
 An author can publish his/her public key and encrypt/decrypt message with the private key.

23/25
Rules of a secure communication cont.
Integrity
Digital signature confirms the message integrity
 The message hash is encrypted with the private key
 After decryption it can be compared to the calculated hash

Basics
Symmetric encryption
Hash functions
Asymmetric encryption
Public key infrastructure
Summary
Undeniability

Digital signature cannot be faked (we assume) so it confirms it was done by the private key owner.
24/25
Thank you for your attention.
Any questions?
Dokument udostępniany na licencji
Creative Commons
Included content from:
●
Clipart – openclipart.org
●
Substitution encryption, block ciphers, rainbow tables and MAC – Wikimedia Commons
Licensed (royalty­free) content, cannot be distributed separately:
●
Tło prezentacji, awatary postaci
więcej informacji: http://marek.zachara.name
Attribution
Share­Alike
25/25