The Secrets of Keeping Secrets Gary J Porter Senior Network Analyst MindWorks, Inc. of Kentucky


Crypto—ASCII style ASCII uses 7 bits (2^7 = 128 values), which can represent all of the English alphabet plus punctuation  A =  a = Because ASCII uses bits to represent letters, it’s a kind of cypher

Transposition Cipher One of the simplest transposition ciphers substitutes the first and second digits and the third and fourth digits Megan  ASCII—  Cypher— ) 1 % “

Key-Based Algorithm The security of key-based algorithms is based on the secrecy of the algorithm, the key(s), or both

Private Key Cryptosystem (Symmetric) [Diagram: the clear text “Dear Cindy, You are so beautiful!” is encrypted to the cypher text “ANQR1DBw 4DokTETykx LwQB/9JZe 7eCzXW 9iYVNOT HWjioKOI” and decrypted back to the clear text with the same encryption key]

Modified Substitution Cipher Message = COOL In ASCII Key = MEGAN Ciphertext Key longer than message is okay

Modified Substitution Cipher Can be broken with simple techniques Not secure SECURE

Whitfield Diffie Interested (obsessed!) with the key distribution problem. Imagined two strangers meeting on the net and wondered how they would send secret messages

Martin Hellman Was reluctant to even talk to Diffie. Eventually became Diffie’s crypto-partner. Solved the key exchange problem

Cryptography: Algorithms and Keys
A method of encryption and decryption is called a cipher
Generally there are two related functions: Encryption, Decryption
All modern algorithms use a key to control encryption and decryption
Encryption key may be different from decryption key

From the Minds of Diffie/Hellman The postal problem... Demonstration

Postman To: Wilt Diffie Wow! I can see inside. I think I’ll take a look! Got here safely.

Postman I’ll lock it this time

Postman Hummm! I can’t see either—I’ll lock it too!

Postman

Why the Postal Example Won’t Work
Alice’s key
  abcdefghijklmnopqrstuvwxyz
  EDIRCTOYNUWAPFLMBGJZHKQXVS
Bob’s key
  abcdefghijklmnopqrstuvwxyz
  ZNAMSREVILYUCKOGJTBWDXQHPF
Message: lostmyhotel key
Encrypted with Alice’s key: ALJZPVYLZCA WCV
Encrypted with Bob’s key: UOBWCPVOWSU YSP
Decrypted with Alice’s key: HLDQIMKLQJH VJM
Decrypted with Bob’s key: VUMJICYUJLV XLC

One-Way Functions Diffie and Hellman were not interested in two-way functions, only solving the problem with one-way functions. Because they could imagine the postal example, there MUST be a solution
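The double-lock exchange from the postal slides, as an added example that is not part of the original presentation: with the two substitution keys from the slide, removing the locks out of order does not return the message, while modular exponentiation (the kind of one-way function the key exchange relies on) gives both parties the same value in either order. The function names and the toy values p = 23, g = 5, a = 6, b = 15 are constructed for illustration.

```python
import string

ABC = string.ascii_uppercase
ALICE_KEY = "EDIRCTOYNUWAPFLMBGJZHKQXVS"  # Alice's key from the slide
BOB_KEY = "ZNAMSREVILYUCKOGJTBWDXQHPF"    # Bob's key from the slide


def lock(text, key):
    """Substitute each letter with the key's letter; other characters pass through."""
    return text.upper().translate(str.maketrans(ABC, key))


def unlock(text, key):
    """Invert the substitution made by lock() with the same key."""
    return text.upper().translate(str.maketrans(key, ABC))


def postal_with_substitution(message):
    """Double-lock exchange: Alice locks, Bob locks, Alice unlocks, Bob unlocks."""
    in_transit = lock(message, ALICE_KEY)       # Alice -> Bob, one lock
    in_transit = lock(in_transit, BOB_KEY)      # Bob -> Alice, two locks
    in_transit = unlock(in_transit, ALICE_KEY)  # Alice removes hers out of order
    return unlock(in_transit, BOB_KEY)          # Bob removes his


def postal_with_exponentiation(p, g, a, b):
    """Same idea with modular exponentiation, where lock order does not matter.

    p, g and the secrets a, b are constructed toy values, far too small for real use.
    """
    from_alice = pow(g, a, p)           # Alice sends g^a mod p
    from_bob = pow(g, b, p)             # Bob sends g^b mod p
    alice_secret = pow(from_bob, a, p)  # (g^b)^a mod p
    bob_secret = pow(from_alice, b, p)  # (g^a)^b mod p
    return alice_secret, bob_secret


if __name__ == "__main__":
    msg = "lostmyhotel key"
    print(lock(msg, ALICE_KEY))                      # one lock on
    print(postal_with_substitution(msg))             # not the original message
    print(postal_with_exponentiation(23, 5, 6, 15))  # both sides agree
```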

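[Diagram: sender (Bob) and receiver (Alice)]

Types of Algorithms Symmetric (Encryption) [Diagram: the sender (Bob) encrypts M with Enc_k to produce ciphertext; the receiver (Alice) decrypts the ciphertext with Dec_k to recover M; both sides use the same key k]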

One-Way Function Demonstration

(mod 12) = (mod 12) = 3

Diffie/Hellman Key Exchange Technique Demonstration

mod (98219) = mod (98219) = mod (98219) mod (98219) N mod (98219) N mod (98219) 67665

A Mathematical Genius?! Whitfield Diffie is best known for his 1975 discovery of the concept of Public Key Cryptography

Rivest Shamir Adleman

Types of Algorithms Public Key (Asymmetric Encryption) [Diagram: the sender encrypts M with Enc_pubkey to produce ciphertext; the receiver decrypts the ciphertext with Dec_privkey to recover M; the receiver holds privkey and pubkey]

Types of Algorithms Public Key (Asymmetric Encryption) [Diagram: pubkey is passed to the sender; the sender encrypts M with Enc_pubkey to produce ciphertext for Dec_privkey]

Types of Algorithms Public Key (Asymmetric Encryption) [Diagram: the sender encrypts M with Enc_pubkey; running the ciphertext through Dec_pubkey produces TRASH!; the receiver holds privkey and pubkey, the sender holds pubkey]

Encryption and Decryption The following identity must hold true: D(C) = M, where C = E(M). M is the message, E is encryption, C is Ciphertext, D is decryption [Diagram: M → E → C (“Jna fq h5tun b89d` 58jdf[ 835gj”) → D → M]

Secret Key Cryptography (Symmetric Encryption) K is the secret key shared by both the sender (S) and receiver (R) [Diagram: S: M → E with K → C (“Jna fq h5tun b89d` 58jdf[ 835gj”) → D with K → M: R]

Public Key Cryptography (Asymmetric Encryption) K_R(pub) is Receiver’s public key and K_R(pri) is Receiver’s private key [Diagram: S: M → E with K_R(pub) → C (“Jna fq h5tun b89d` 58jdf[ 835gj”) → D with K_R(pri) → M: R]

RSA works by using a mathematical function that is (comparatively) easy to compute while encrypting, but very difficult to reverse without knowing the private key. RSA works by selecting two large prime numbers

RSA Key Generation
Pick large random primes p, q
Let p*q = n and φ = (p-1)(q-1)
Choose a random number e such that: 1 < e < φ and gcd(e, φ) = 1 (relative primes)
Calculate the unique number d such that 1 < d < φ and d*e ≡ 1 (mod φ) (d is inverse of e)
The public key is {e,n} and the private key is {d,n}
The factors p and q may be kept private or destroyed

Pierre de Fermat Discovered that, if you use a prime number for the modulus, then raising a number to the power (prime-1) is always 1
  m^(p-1) mod p = 1
  According to Fermat, this works with any prime number p and any positive m that’s less than p, therefore 1 < m < p
What is 7^10 mod 11?

Leonhard Euler (pronounced “Oiler”) Discovered Fermat’s relationship held true when using the product of two primes as the modulus
  n = pq
  m^((p-1)(q-1)) mod n = 1
  Works so long as p and q are relatively prime to one another
If p = 11 and q = 5, what is [m^((p-1)(q-1)) mod 55]?

So...
Fermat: m^(p-1) mod p = 1
Euler: m^((p-1)(q-1)) mod n = 1

So...
Fermat: m^(p-1) mod p = 1
Euler: m^((p-1)(q-1)) mod n = 1
m^(p-1) mod p = m^((p-1)(q-1)) mod n

RSA Key Generation
Pick large random primes p, q
  p = 5, q = 11
Let p*q = n and φ = (p-1)(q-1)
  The encrypting modulus n = pq = 55
  φ = (p-1)(q-1) = (4)(10) = 40
  φ + 1 = e * d (we’re looking for both e and d)
  41 = e * d (but no two numbers multiplied together equal 41)
  41 is prime but, using modular math — 41 becomes 1 mod 40
  e * d = 1 mod 40

RSA Key Generation
We’ll use 3 for e
3 * d = 1 mod 40
  Using the Extended Euclidean algorithm, d = 27

Encrypting Using RSA (Review)
Step 1: Generate two prime numbers, p and q
Step 2: Combine the primes, n = pq
Step 3: Combine the primes another way, φ = (p-1)(q-1)
Step 4: Using φ, generate a key pair, e and d
Step 5: Using e, d, and n, encrypt and decrypt

RSA Mechanical Overview
Basically
  Alice: m^e mod n → c
  Bob: c^d mod n → m

Encrypting/Decrypting, Step-by-Step
Let’s encrypt the letter “G” (for Gary)
  For simplicity’s sake, we’ll represent “g” as 7, the 7th letter of the alphabet
So, 7^(public key) mod (encrypting modulus)
  7^3 mod 55 = 13
To decrypt, 13^(private key) mod (encrypting modulus)
  13^27 mod 55 = 7
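The slides' toy key pair carried through in code, as an added example that is not part of the original presentation: key generation with the Extended Euclidean algorithm, the encrypt/decrypt round trip for 7, and a trial-division routine showing why the primes have to be large. All function names are chosen here for illustration.

```python
from math import isqrt


def egcd(a, b):
    """Extended Euclid: return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) following the key-generation steps on the slides."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("need 1 < e < phi and gcd(e, phi) == 1")
    return (e, n), (x % phi, n)  # x % phi is d, the inverse of e modulo phi


def apply_key(value, key):
    """m^e mod n to encrypt with (e, n); c^d mod n to decrypt with (d, n)."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def private_key_from_public(public):
    """Rebuild d from the public key alone by trial-dividing n.

    Feasible only because n is tiny; large primes make this step impractical.
    """
    e, n = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return make_keypair(p, n // p, e)[1]
    raise ValueError("n is prime, not a product of two primes")


if __name__ == "__main__":
    public, private = make_keypair(5, 11, 3)  # p, q, e from the slides
    c = apply_key(7, public)                  # "G" represented as 7
    print(public, private, c, apply_key(c, private))
    print(private_key_from_public(public))
```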

Gary J Porter’s PGP Public Key

An eDirectory Public Key

An eDirectory Private Key

Novell International Cryptographic Infrastructure (NICI)
NICI is a layered, hierarchical infrastructure which divides cryptographic functionality among three distinct layers
NICI is a modular architecture that allows new cryptographic algorithms to be added without bringing the server down
NICI modules are cryptographically signed for protection and for module authentication
When government regulations concerning the use and exportation of cryptography change, only NICI needs to change to support the new regulations
NICI provides an API set that offers a consistent interface for application developers to use and deploy cryptography within their applications

NICI Architecture
NICI—Novell International Cryptographic Infrastructure
XSUP – Cryptography Library
XENG – Cryptography Manager
XMGR – Cryptography Engine
XLIB – Cryptography Engine Support
XIM – Cryptography Interface Manager
[Diagram: XIM, XENG, XSUP, XMGR, XLIB, CCS API]