1 The Elements of Cryptography Chapter 7 Copyright 2003 Prentice-Hall

2 Figure 7-1: Cryptographic System Confidentiality Authentication Message Integrity Anti-Replay Protection Client PC with Cryptographic System Software Server with Cryptographic System Software Secure Communication Provided Automatically

3 Figure 7-2: Plaintext, Encryption, Ciphertext, and Decryption Network Plaintext “Hello” Encryption Method & Key Ciphertext “ ” Encryption Key Ciphertext “ ” Plaintext “Hello” Decryption Method & Key Decryption Key Interceptor Party A Party B Note: Interceptor Cannot Read Ciphertext Without the Decryption Key

4 Figure 7-3: Key Length and Number of Possible Keys 1 Key Length in Bits , Number of Possible Keys 401,099,511,627, ,057,594,037,927, ,192,296,858,534,830,000,000,000,000,000,000

5 Figure 7-3: Key Length and Number of Possible Keys Key Length in Bits E E E E+33 Number of Possible Keys

6 Figure 7-3: Key Length and Number of Possible Keys Notes: Shaded keys, with lengths of more than 100 bits, are considered strong symmetric keys today. Unshaded keys, with lengths of less than 100 bits, are considered weak symmetric keys today. Public key/private key pairs must be much longer to be strong because of the disastrous consequences of learning someone’s private key and because private keys cannot be changed rapidly.

7 Figure 7-4: Symmetric Key Encryption for Confidentiality Network Plaintext “Hello” Encryption Method & Key Ciphertext “ ” Symmetric Key Ciphertext “ ” Plaintext “Hello” Decryption Method & Key Same Symmetric Key Interceptor Party A Party B Note: A single key is used to encrypt and decrypt in both directions.

8 Figure 7-5: Data Encryption Standard (DES) DES Encryption Process 64-Bit Ciphertext Block 64-Bit DES Symmetric Key (56 bits + 8 redundant bits) 64-Bit Plaintext Block

9 Figure 7-6: DES-CBC (DES-Cipher Block Chaining) First 64-Bit Plaintext Block DES Encryption Process Second 64-Bit Plaintext Block First 64-Bit Ciphertext Block Initialization Vector (IV) DES Encryption Process Second 64-Bit Ciphertext Block DES Key

10 Figure 7-7: Triple DES (3DES) SenderReceiver Encrypts plaintext with the 1 st key Decrypts ciphertext with the 3d key Decrypts output of first step with the 2 nd key Encrypts output of the first step with the 2 nd key Encrypts output of second step with the 3d key; gives the ciphertext to be sent Decrypts output of second step with the 1 st key; gives the original plaintext 168-Bit Encryption with Three 56-Bit Keys

11 Figure 7-7: Triple DES (3DES) SenderReceiver Encrypts plaintext with the 1 st key Decrypts ciphertext with the 1 st key Decrypts output with the 2 nd key Encrypts output with the 2 nd key Encrypts output with the 1 st key Decrypts output with the 1 st key 112-Bit Encryption With Two 56-Bit Keys

12 Figure 7-7: Triple DES (3DES) SenderReceiver Encrypts plaintext with the key Decrypts ciphertext with the key Encrypts output with the key (undoes first step) Encrypts output with the key 56-Bit Encryption With One 56-Bit Key (For Compatibility With Receivers Who Can Handle Only Normal DES)

13 Figure 7-8: DES, 3DES, and AES DES 56 Weak Moderate 3DES 112 or 168 Strong High AES 128, 192, 256 Strong Modest Key Length (bits) Strength Processing Requirements RAM Requirements

14 Figure 7-9: Public Key Encryption for Confidentiality Party A Party B Decrypt with Party A’s Private Key Encrypt with Party A’s Public Key Encrypt with Party B’s Public Key Decrypt with Party B’s Private Key Encrypted Message Encrypted Message

15 Figure 7-10: Strong Keys for Symmetric and Public Key Encryption Strong Symmetric KeysStrong Public and Private Keys Limited damage if cracked, so can be shorter Changed frequently, so can be shorter Serious damage if cracked, so must be longer Rarely changed, so must be longer

16 Figure 7-10: Strong Keys for Symmetric and Public Key Encryption Strong Symmetric KeysStrong Public and Private Keys 100 bits or more today Longer for high-value transactions Longer tomorrow as cracking power increases DES: 56-bits (weak), but 3DES gives 112-bit or 168-bit security AES: Key lengths of 128, 192, or 256; yet places a light load on processor and RAM so can be used by mobile devices IDEA: 128 bits 1,024 or 2,048 bits for RSA encryption today 512 bits for ECC encryption today Longer tomorrow as cracking power increases

17 Figure 7-11: MS-CHAP Challenge- Response Authentication Protocol 2. Verifier sends Challenge Message Challenge Applicant (Client) Verifier (Server) 1. Verifier creates Challenge Message Note: Both the client and the server know the client’s password.

18 Figure 7-11: MS-CHAP Challenge- Response Authentication Protocol 3. Applicant (Supplicant) creates a Response Message: (a)Adds password to Challenge Message (b) Hashes the resultant bit string (does not encrypt) (c) The hash is the Response Message ChallengePassword Response Hashing (Not Encryption)

19 Figure 7-11: MS-CHAP Challenge- Response Authentication Protocol 4. Applicant sends Response Message without encryption Transmitted Response

20 Figure 7-11: MS-CHAP Challenge- Response Authentication Protocol ChallengePassword Expected Response Hashing 5. Verifier adds password to the Challenge Message it sent. Hashes the combination. This is the expected Response Message.

21 Figure 7-11: MS-CHAP Challenge- Response Authentication Protocol Expected ResponseTransmitted Response =? 6. If the two Response Messages are equal, the applicant knows the password and is authenticated. Sever logs Client in. 7. Note that only hashing is involved. There is no encryption.

22 Figure 7-12: Encryption Versus Hashing Encryption Uses a key as an input to an encryption method Output is similar in length to input Reversible; ciphertext can be decrypted back to plaintext Use of Key Length of Result Reversibility Hashing Key is usually added to text; the two are combined, and the combination is hashed Output is of a fixed short length, regardless of input One-way function; hash cannot be “de-hashed” back to the original string

23 Figure 7-13: Digital Signature for Message-by-Message Authentication To Create the Digital Signature: 1. Hash the plaintext to create a brief message digest; this is NOT the Digital Signature. 2. Sign (encrypt) the message digest with the sender’s private key to create the digital signature. 3. Transmit the plaintext + digital signature, encrypted with symmetric key encryption. Plaintext MD DS Plaintext Hash Sign (Encrypt) with Sender’s Private Key

24 Figure 7-13: Digital Signature for Message-by-Message Authentication 4. Encrypted with Session Key DSPlaintext Sender Receiver

25 Figure 7-13: Digital Signature for Message-by-Message Authentication To Test the Digital Signature 5. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest. 6. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 7. If the two match, the message is authenticated. Received Plaintext MD DS MD 5.6. Hash Decrypt with True Party’s Public Key 7. Are they equal?

26 Figure 7-14: Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Imposter’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception

27 Figure 7-15: Important X.509 Digital Certificate Fields FieldDescription Version Number Version number of the X.509. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard. IssuerName of the Certificate Authority (CA). Serial Number Unique serial number for the certificate, set by the CA.

28 Figure 7-15: Important X.509 Digital Certificate Fields FieldDescription SubjectThe name of the person, organization, computer, or program to which the certificate has been issued. This is the true party. Public Key The public key of the subject—the public key of the true party. Public Key Algorithm The algorithm the subject uses to sign messages with digital signatures.

29 Figure 7-15: Important X.509 Digital Certificate Fields FieldDescription Valid Period The period before which and after which the certificate should not be used. Note: Certificate may be revoked before the end of this period. Digital Signature The digital signature of the certificate, signed by the CA with the CA’s own private key. Provides authentication and certificate integrity. User must know the CA’s public key independently.

30 Figure 7-15: Important X.509 Digital Certificate Fields FieldDescription Signature Algorithm Identifier The digital signature algorithm the CA uses to sign its certificates.

31 Figure 7-16: Digital Signature and Digital Certificate in Authentication Digital CertificateDigital Signature Authentication Public Key of True Party Signature to Be Tested with Public Key of True Party

32 Figure 7-17: Public Key Infrastructure (PKI) with a Certificate Authority Create & Distribute (1)Private Key and (2) Digital Certificate 4. Certificate for Lee 3. Request Certificate for Lee 5. Certificate for Lee 6. Request Certificate Revocation List (CRL) 7. Copy of CRL Verifier (Brown) Applicant (Lee) Verifier (Cheng) Certificate Authority PKI Server

33 Figure 7-18: Public Key Distribution for Symmetric Session Keys Party A Party B 1. Create Symmetric Session Key

34 Figure 7-18: Public Key Distribution for Symmetric Session Keys Party A Party B 2. Encrypt Session Key with Party B’s Public Key 4. Decrypt Session Key with Party B’s Private Key 3. Send the Symmetric Session Key Encrypted for Confidentiality 5. Subsequent Encryption with Symmetric Session Key

35 Figure 7-19: Diffie-Hellman Key Agreement Party X Party Y 1. Agree on Diffie-Hellman Group p (prime) and g (generator) 2. Generates Random Number x 2. Generates Random Number y

36 Figure 7-19: Diffie-Hellman Key Agreement Party X Party Y 3. Computes x’=g^x mod p 3. Computes y’=g^y mod p 4. Exchange x’ and y’ Without Security

37 Figure 7-19: Diffie-Hellman Key Agreement Party X Party Y 5. Compute Key= y’^x mod p =g^(xy) mod p 5. Compute Key= x’^y mod p =g^(xy) mod p 6. Subsequent Encryption with Symmetric Session Key

38 Figure 7-20: Replay Attacks Replay Attacks  Retransmit an intercepted message  Message is encrypted so that replay attacker cannot read it Why Replay Attacks  Repetition might work—for instance, replaying an encrypted username and password might result in access to a poorly designed system

39 Figure 7-20: Replay Attacks Preventing Replay Attacks  Insert a time stamp in messages and accept messages only if they are very recent  Insert a sequence number in each message  Insert a nonce (random number selected for the occasion) in a request message; only accept a reply message with the same nonce. Other party does not accept a request message with a previous nonce

40 Figure 7-21: Quantum Computing and Steganography Quantum Computing  Quantum Bits (Q-Bits) In ordinary computers, each bit is either a zero or a one at any time In quantum computers, each quantum bit (q-bit) can be both a zero and a one at any moment When decohered, the q-bit becomes a classic one or zero randomly

41 Figure 7-21: Quantum Computing and Steganography Quantum Computing  Quantum Key Distributions (QKD) Two particles representing q-bits can be entangled so that both will be up or down when read The two entangled particles are sent to the two communicating parties Both will always read the bit the same way—as a one or a zero

42 Figure 7-21: Quantum Computing and Steganography Quantum Computing  Quantum Key Distributions (QKD) They will both read the stream of decohered q- bits as a key Interception of q-bits en route by an eavesdropper is detected easily QKD is becoming commercially viable

43 Figure 7-21: Quantum Computing and Steganography Quantum Computing  Quantum Key Cracking For determining private keys from public keys An array of N q-bits can represent all possible keys of length N Operations can be performed on all possible keys simultaneously Results are put in a results register Decoherence gives one result randomly from all possible results

44 Figure 7-21: Quantum Computing and Steganography Quantum Computing  Quantum Key Cracking This single result can be used to compute the private key Not instantaneous, but much faster than exhaustive search

45 Figure 7-21: Quantum Computing and Steganography Quantum Computing  Quantum Key Cracking Not practical today  We can only build quantum computers with a few q-bits  Quantum computers with 1000 or more q-bits are some time off

46 Figure 7-21: Quantum Computing and Steganography Steganography  Steganography means hidden writing  Hiding a message in an image Every image is made of pixels There often is about one byte per pixel for each color: red, green, and blue One bit in each byte is the least significant— changing it will alter the color by only 1/256 The process steals the least significant bit from each byte

47 Figure 7-21: Quantum Computing and Steganography Steganography  Hiding a message in an image The message is written into these bits The message may be encrypted before writing it into the bits The picture will look unchanged

48 Figure 7-21: Quantum Computing and Steganography Steganography  Digital Watermarking  Using steganography to hide identifying information in a document  To prove copyright ownership  To identify different copies of a document

49 Figure 7-22: Cryptographic Goals and Methods ConfidentialityAuthentication Applicable. Sender encrypts with key shared with the receiver. Not applicable.Symmetric Key Encryption Applicable. Sender encrypts with receiver’s public key. Applicable. Sender encrypts with own private key. Public Key Encryption Not applicable. Applicable. Used in MS-CHAP and HMACs discussed in the next chapter. Hashing