CIS0
Cryptography – “Scrambling Information”
Background
Summary: The objective of cryptography is to scramble a message
(also called plaintext) so that only the intended recipient is able to
recover the original plaintext. As illustrated in Figure 1, Bob (the
sender) wishes to send a secret message to Alice (the recipient). He
encrypts the plaintext using an encryption algorithm. The encryption
process scrambles the plaintext to produce what is known as
ciphertext. Alice recovers the plaintext using the process of
decryption. The encryption/decryption algorithm is usually not secret.
What makes the ciphertext difficult to decipher is the use of one or more keys
in the encryption/decryption process. In private key (or symmetric)
encryption, one key is used and is known only to Bob and Alice. In public
key (or asymmetric) encryption both Bob and Alice own a pair of unique
keys. The pair consists of a private key and a public key. The public key is
known by the public, but only Bob and Alice know their respective private
keys. Figure 1 shows public key encryption.
Figure 1
Description: The word cryptography is derived from the Greek words, krypto, meaning hidden,
and graphein, meaning to write. Thus, cryptography is the process of making and using codes
(or ciphertext) to secure transmission of information. The codes are obtained by converting
plaintext (words, or phrases) into encrypted data.
Risk: When private information is sent over a network (like the Internet) in plaintext, the
message can be intercepted and stolen. When you store unencrypted information on a hard
drive, or on removable media; others are able to read that information should they get access to
it through theft or other means. The consequences for these unfortunate mishaps could range
from identity theft to loss of money and other assets.
Example of Occurrence. The following excerpt is from the New York times, dated August 17, 2009:
The man who prosecutors said had masterminded some of the most brazen thefts of credit and debit
card numbers in history was charged on Monday with an even larger set of digital break-ins.
In an indictment, the Justice Department said that Albert Gonzalez, 28, of Miami and two unnamed
Russian conspirators made off with more than 130 million credit and debit card numbers from late 2006 to
early 2008.
Prosecutors called it the largest case of computer crime and identity theft ever prosecuted. According
to the government, the culprits infiltrated the computer networks of Heartland Payment Systems, a
payment processor in Princeton, N.J.; 7-Eleven Inc.; Hannaford Brothers, a regional supermarket chain;
and two unnamed national retailers.
An unspecified portion of the stolen credit and debit card numbers were then sold online, and some
were used to make unauthorized purchases and withdrawals from banks, according to the indictment,
which was filed in United States District Court in Newark…
Richard Wang, manager of SophosLabs, a security company, said the case provided more evidence
that retailers and banks needed to strengthen industry standards and encrypt credit card numbers when
they are transmitted between computers. Currently, major banks agree to encrypt such data only when it
is stored.http://www.nytimes.com/2009/08/18/technology/18card.html?_r=2&ref=business
1
CIS0
How to Protect Yourself with Cryptography
Figure 2: Encryption with Word
1. Encrypt your personal files: Encrypt important files on your
hard drive and removable media.
2. Encrypt wireless network data: To protect the data that
travels through your wireless network against eavesdropping,
you should encrypt it. The available encryption choices in
increasing order of security are: none (no data encryption is
performed), Wired Equivalent Privacy (WEP), Temporal Key
Integrity Protocol (TKIP) and Advanced Encryption Standard
(AES).
3. Encrypt sensitive email: If the software which you use to
send e-mail allows it, you should encrypt sensitive e-mail so
that only the recipient of the e-mail is able to read it.
4. Check that businesses encrypt your personal data: You
should ensure that companies and other organization with whom you do business encrypt
your personal data, such as credit card numbers and social security numbers, before they
are stored or transmitted over a network.
5. Use secure transaction over the Internet: Ensure that personal transaction over the
Internet are secure.
Example 1: You can encrypt a file in MS Word 2007 using the steps shown in the Figure 2.
Example 2: Encrypting with Encrypted File System (EFS) on Windows Vista
 How to use it: To encrypt a file using EFS, right click on the file or folder, select properties
and follow the direction in Figure 3.
 Encryption: EFS automatically creates a public key pair. (This is done only once. It is not
repeated for encryption of future files.) However, a unique key called the file encryption key
(FEK) is automatically generated every time the user needs to encrypt a file. After encrypting
a file, EFS uses the user’s public key to encrypt the FEK. It also encrypts the FEK using the
recovery agent’s public key.
 Decryption: When you log into your account and try to open an encrypted file, Windows
retrieves your private key, decrypts the FEK, and uses it to decrypt the contents of the file as
it is read from the hard disk.
 EFS is a feature of the NTFS file
system. Files encrypted with EFS
remain encrypted only while they
reside on the NTFS volume. Vista
Home Basic, Home Premium (and
Starter Edition) do not support it.
 Only the original owner and the
computer’s designated recovery
agent can access encrypted files.
Figure 3: Encryption with EFS
2
CIS0
Laboratory/Homework Assignment
Checklist: Complete the following checklist:
Security checklist
Vulnerability
Course
Unprotected Sensitive Data
Check: If you answer no to any of the following,
then your data is not protected.
Yes/No - describe
CIS0
N/A
1. Are your personal files encrypted?
2. Is your wireless data encrypted?
3. Are your sensitive e-mail messages
encrypted?
4. Do the companies and other organization
you do business with encrypt sensitive data
about you that they store on their systems
or communicate over networks?
5. Are the e-transactions you conduct over the
Internet secure?
If you answered no to any of the above questions, then your data is vulnerable to theft and
misuse.
Discussion:
1. What is the difference between private key encryption and public key encryption?
2. How many public/private key pairs does the EFS system automatically generate if a user
encrypts 10 files—one at a time? How many file encryption keys (FEKs) are generated in
this case? Explain.
3. Discuss how you would use public key encryption to encrypt a symmetric private key which
you used to encrypt a message to be sent to Alice. Describe how Alice would recover the
message? (Note: The encrypted symmetric key accompanies the message to Alice.)
4. Which key does EFS use to encrypt the FEK?
5. If a file encrypted with EFS is e-mailed to another user, does that file remain encrypted?
Explain?
6. If a file encrypted with EFS on your hard disk is copied to a removable drive, does it remain
encrypted?
3
CIS0
Exercises:
Figure 4
1. Encrypt a document using Microsoft Word 2007.
2. Encrypt a file and a folder using EFS.
Extra Credit Exercises:
1. Under Windows, the command, cipher /e folder_name, can be used to
encrypt all the files in the folder, folder_name. Encrypt one of your
folders using the cipher command. (Hint: The command must be typed
at the Command Prompt. Figure 4 shows how to bring up the Command
Prompt under Windows 7.)
2. Find out more about the command cipher by typing, cipher /?. Then,
decrypt the file you encrypted in the previous exercise using cipher with
the appropriate option.
3. Type the command cipher /? To learn more about cipher, decrypt After the folder has been
encrypted, use the cipher command with an appropriate option to decrypt it. Show all your
work. (Hint: The command must be typed in the command prompt. To learn more about
cipher type Use the command /?
4. (Caesar’s Cipher). Caesar’s cipher is one of the oldest and easiest encryption algorithms.
According to legend, it was first use by Julius Caesar to deliver secret messages to his
troops in the field. It encrypts a message by replacing each letter in the plaintext with the
letter three places to its right. The following mapping illustrates this:
Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
For example, encryption of the plaintext, “meet me in washington dc” would be done as
follows:
Plaintext:
meet me in washington
dc
Ciphertext: PHHW PH LQ ZDVKLQJWRQ GF
It is mathematically more convenient if we map the 26 letters of the alphabet to numbers as
follows:
a
0
b
1
c
2
d
3
e
4
f
5
g
6
h
7
i
8
j
9
k
10
l
11
m
12
n
13
o
14
p
15
q
16
r
17
s
18
t
19
u
20
v
21
w
22
x
23
y
24
z
25
If we let P be the numerical equivalent of the plaintext and C the numerical equivalent of the
ciphertext, then the encryption process can be written as C = (P+3) mod 26. The mod 26 means
that to get C, you must divide P+3 by 26 and take the resulting remainder. The decryption
process is given by P = (C-3) mod 26. For example, the letter, m, is equivalent to 12. Thus, its
4
CIS0
encryption is C=(12+3) mod 26 = 15 mod 26 = 15. The resulting ciphertext is then p. Similar, w
is equivalent to 22. It gives us C=(22+3) mod 26=25. The corresponding ciphertext is then Z.
Caesar’s cipher is not used in practice because it is too easy to crack. Instead, more
sophisticated algorithms, such as the Data Encryption Standard (DES) and Advanced
Encryption Standard (AES) have been used. (Note: In recent years, the DES has being
gradually phased out in favor of the AES.)
A. Encrypt the plaintext “the” using Caesar’s cipher.
B. Encrypt the plaintext “zebra” using Caesar’s cipher.
C. Decrypt the result obtained in B.
5