4/8/99 C. Edward Chow Page 1
Cryptography
• Basic goal:
– design procedures to transform messages (plaintext) into cryptograms (ciphertext).
– withstand intense cryptanalysis aimed at recovering the original plaintext.
• Basic approach:
– code system: words or phrases are replaced by entries from a code book, so what can be expressed depends on the size of the code book.
– cipher system: requires two basic elements
• a cryptographic algorithm
• a set of variable cryptographic keys.
Cipher Systems
Two useful cipher system types: block ciphers and stream ciphers
• Block ciphers
– Data are encrypted/decrypted in fixed-size blocks.
– The block length is predetermined by the algorithm designer.
• Stream ciphers
– Users of the algorithm decide the lengths to be encrypted or decrypted.
– Require an additional parameter, the initialization vector (seed value). The same key and IV must never be reused, since the keystream would then repeat and XOR-ing two ciphertexts would expose the XOR of the two plaintexts.
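The following is an added example (not code from the original slides) that makes the block/stream distinction concrete. It builds a toy stream cipher whose keystream is derived from the key and the initialization vector with SHA-256 (a stand-in for a real stream cipher; the construction is an assumption for illustration), shows that the user picks the message length, contrasts it with the fixed-length padded blocks a block cipher needs, and demonstrates the failure mode of reusing the IV: the attacker XORs two ciphertexts and gets the XOR of the plaintexts, from which a known prefix of one message reveals the other. All keys and messages are constructed sample data.

```python
import hashlib
import os


def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Toy keystream generator: concatenated SHA-256(key || iv || counter) blocks.

    Stands in for a real stream cipher (RC4 in 1999, ChaCha20 today); only the
    structure matters here: the keystream is a function of the key and the IV.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Any length works: the user, not the algorithm, decides how much to encrypt."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def stream_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return stream_encrypt(key, iv, ciphertext)  # XOR with the same keystream


def pkcs7_blocks(data: bytes, block_len: int = 8) -> list:
    """Block-cipher view: pad to a multiple of the fixed block length and split."""
    pad = block_len - len(data) % block_len
    padded = data + bytes([pad]) * pad
    return [padded[i:i + block_len] for i in range(0, len(padded), block_len)]


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Attacker's view of two ciphertexts made with the same key AND IV:
    c1 XOR c2 = p1 XOR p2, because the identical keystream cancels out."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_with_crib(leak: bytes, crib: bytes) -> bytes:
    """If the attacker knows a prefix of p1 (a crib), the same prefix of p2 falls out."""
    return xor_bytes(leak[:len(crib)], crib)


# Constructed sample data for the demonstration (not from the original slides).
KEY = b"sixteen byte key"
IV_A = bytes(8)                 # fixed all-zero IV, reused below to show the failure
IV_B = os.urandom(8)            # fresh random IV: the right way
P1 = b"Transfer $1500 to account 1234-5678 today."
P2 = b"Transfer $9999 to account 8765-4321 never."

C1 = stream_encrypt(KEY, IV_A, P1)
C2_SAME_IV = stream_encrypt(KEY, IV_A, P2)      # IV reuse: keystream identical to C1's
C2_FRESH_IV = stream_encrypt(KEY, IV_B, P2)     # fresh IV: unrelated keystream

if __name__ == "__main__":
    leak = keystream_reuse_leak(C1, C2_SAME_IV)
    print("p1 XOR p2 (IV reused):", leak.hex())
    print("p2 prefix recovered with crib:", recover_with_crib(leak, P1[:18]))
    print("block-cipher input blocks:", pkcs7_blocks(P1))
```

Run it and the recovered prefix of the second message appears without the key ever being touched; with the fresh IV the same XOR yields only noise. The padding helper shows the other side of the slide's contrast: a block cipher cannot process the 42-byte message until it is extended to a multiple of the block length.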
Cryptographic Algorithms
Two basic types:
• Symmetric key algorithms: the same key is used to encrypt and decrypt. In SSL, the symmetric key is encrypted with the public key and sent over at the
• Public key algorithms: permit many users to encrypt using the same public key, but only the specific user possessing the secret key can decipher or unlock the data.
RSA: a Public Key Algorithm
• Paper: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," CACM vol. 21, no. 2, pp. 120-126 (1978), by MIT professors Ronald Rivest, Adi Shamir, and Leonard Adleman.
• Based on an extension of Euler's theorem: $a^{\varphi(r)} - 1$ is divisible by $r$ whenever $a$ and $r$ are relatively prime, i.e., $\gcd(a, r) = 1$, and
• $\varphi(r) = r\,(1 - 1/p_1)(1 - 1/p_2)\cdots(1 - 1/p_n)$, where $p_1, p_2, \ldots, p_n$ are the distinct prime factors of $r$.
Choosing Private Key in RSA Algorithm
p and q are primes (chosen, secret): p = 47, q = 61
r = p*q (published, public): r = 47*61 = 2867
φ(r) = (p-1)(q-1) (derived, secret): φ(r) = 46*60 = 2760
SK = private key (chosen, secret): SK = 167
Here SK is chosen to be prime, but the only requirement is that it be relatively prime to φ(r). The Euclidean algorithm verifies gcd(167, 2760) = 1:
2760 = 167*16 + 88 --> 88 = 2760 - 167*16
167 = 88*1 + 79 --> 79 = 167 - 88*1
88 = 79*1 + 9 --> 9 = 88 - 79*1
79 = 9*8 + 7 --> 7 = 79 - 9*8
9 = 7*1 + 2 --> 2 = 9 - 7*1
7 = 2*3 + 1 --> 1 = 7 - 2*3
2 = 1*2
Note that this example picks the private exponent first and derives the public one. Real implementations do the opposite (fix a public exponent such as 65537 and derive the private one), because a private exponent that is small relative to r can be recovered from the public key alone (Wiener's attack).
Choosing Public Key in RSA
PK = public key (derived, public): PK = 1223
It is derived by reversing the above computation, back-substituting each remainder equation until 1 is written as a combination of 167 and 2760:
1 = 7 - 2*3
1 = 7 - (9 - 7*1)*3 = 7*4 - 9*3
1 = (79 - 9*8)*4 - 9*3 = 79*4 - 9*32 - 9*3 = 79*4 - 9*35
1 = 79*4 - (88 - 79)*35 = 79*39 - 88*35
1 = (167 - 88)*39 - 88*35 = 167*39 - 88*74
1 = 167*39 - (2760 - 167*16)*74 = 167*1223 - 2760*74
So 167*1223 ≡ 1 (mod 2760): PK = 1223 is the inverse of SK = 167 modulo φ(r).
Encryption/Decryption using Private/Public keys
A message to be encrypted is first divided into blocks; the value of each block must be less than r = 2867 (at most r-1 = 2866). In a real system r is much bigger.
To apply the RSA algorithm, we substitute each letter with two digits, e.g., blank = 00, A = 01, B = 02, ..., Z = 26.
The plaintext "RSA ALGORITHM" is encoded in 7 blocks: 1819 0100 0112 0715 1809 2008 1300. The first block, 1819, is encrypted by raising it to the power PK = 1223, dividing by r = 2867, and taking the remainder: 2756 becomes the ciphertext.
Note that 1819^1223 mod 2867 = 2756, but 1819^1223 itself is a huge number. It can be computed as 1819^1024 * 1819^128 * 1819^64 * 1819^4 * 1819^2 * 1819^1, reducing mod 2867 after every multiplication, since 1223 = 1024 + 128 + 64 + 4 + 2 + 1.
Decryption: likewise, 2756^SK mod 2867 = 2756^167 mod 2867 = 1819.
The ciphertext is 2756 2001 0542 0669 2347 0408 1815.
Because this "textbook" RSA is deterministic, equal plaintext blocks always give equal ciphertext blocks, and with so few possible blocks an attacker can encrypt every candidate under the public key and look each ciphertext up in a table. Real systems apply randomized padding (e.g., OAEP) before exponentiation.
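The following is an added example (not code from the original slides) that carries the key-derivation and the encryption/decryption slides above through in working code. It implements the extended Euclidean algorithm in iterative form (the slide's back-substitution), derives PK = 1223 from SK = 167 and φ(r) = 2760, reproduces the two-digit letter encoding and the square-and-multiply exponentiation, and then goes one step beyond the slide: a dictionary attack that recovers the plaintext from the public key alone, which is why textbook RSA without randomized padding is unsafe. The encoding's padding rule (a trailing blank) and the block bound 2626 (the largest two-letter code "ZZ") are assumptions stated in the comments.

```python
def egcd(a: int, b: int):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    Iterative form of the slide's back-substitution."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, m: int) -> int:
    """Inverse of a modulo m; fails when gcd(a, m) != 1, i.e. a is not a usable exponent."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} is not invertible mod {m}: gcd = {g}")
    return x % m


def derive_keys(p: int, q: int, sk: int):
    """Slide's recipe: choose primes p, q and private exponent SK; derive r, phi(r), PK."""
    r = p * q
    phi = (p - 1) * (q - 1)
    pk = mod_inverse(sk, phi)
    return r, phi, pk


def modexp(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply over the binary expansion of exp (1223 = 1024+128+64+4+2+1),
    reducing mod r after every multiplication so the intermediate numbers stay small."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def encode(text: str) -> list:
    """blank = 00, A = 01, ..., Z = 26; two letters per 4-digit block.
    Assumption: an odd-length message is padded with a trailing blank (00)."""
    digits = "".join("00" if ch == " " else f"{ord(ch) - ord('A') + 1:02d}"
                     for ch in text.upper())
    if len(digits) % 4:
        digits += "00"
    return [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]


def decode(blocks: list) -> str:
    digits = "".join(f"{b:04d}" for b in blocks)
    chars = [" " if int(digits[i:i + 2]) == 0 else chr(ord("A") + int(digits[i:i + 2]) - 1)
             for i in range(0, len(digits), 2)]
    return "".join(chars).rstrip()


def rsa_apply(blocks: list, exponent: int, r: int) -> list:
    """Encrypt (exponent = PK) or decrypt (exponent = SK); every block must be < r."""
    for b in blocks:
        if not 0 <= b < r:
            raise ValueError(f"block {b} must be smaller than r = {r}")
    return [modexp(b, exponent, r) for b in blocks]


def dictionary_attack(cipher_blocks: list, pk: int, r: int, max_block: int = 2626) -> list:
    """Why textbook RSA needs randomized padding: only 2627 plaintext blocks exist
    under this encoding (assumed bound: "ZZ" = 2626), so an attacker encrypts them all
    with the public key and reads the plaintext off a lookup table, never needing SK."""
    table = {modexp(m, pk, r): m for m in range(max_block + 1)}
    return [table[c] for c in cipher_blocks]


if __name__ == "__main__":
    r, phi, pk = derive_keys(47, 61, 167)           # the slide's numbers
    blocks = encode("RSA ALGORITHM")
    cipher = rsa_apply(blocks, pk, r)
    print("PK =", pk, "ciphertext =", cipher)
    print("decrypted:", decode(rsa_apply(cipher, 167, r)))
    print("dictionary attack (no SK):", decode(dictionary_attack(cipher, pk, r)))
```

The `modexp` loop is the slide's power-of-two decomposition made general: each bit of the exponent, from least significant upward, decides whether the current square is multiplied in. `dictionary_attack` is the practitioner's caveat in code: for this toy r it needs 2627 public-key operations, and the cost does not depend on r being small so much as on the plaintext space being enumerable, which is exactly what OAEP's random padding prevents.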
Message Digest (one-way hash function)
• The message digest functions take a file as input and produce a single large number called the digest (128-256 bits in length).
• They are hard to invert (one-way), practically collision-free, and their output bits are widely distributed.
• MD5 was developed by Ronald Rivest. (MD5 has since been broken for collision resistance and should no longer be used where collisions matter, such as signatures.) Here is an example of MD5 results:
[root@viva guest]# cat t1
There is $1500 in the blue box.
[root@viva guest]# ssleay
SSLeay> md5 t1
MD5(t1)= 05f8cfc03f4e58cbee731aa4a14b3f03
SSLeay> [root@viva guest]#
MD5(There is $1500 in the blue box!)= 4b36807076169572b804907735accd42
• Just one character differs, yet the digest values are dramatically different.
• Attached to an email together with a signature over it, or computed with a shared secret key as a MAC, the digest provides message authentication. A bare digest does not, since anyone can recompute it over a modified message.
• Instead of signing the whole document, most digital signature standards simply sign a message digest of the document.
• Programs such as PGP use message digests to transform a passphrase into a symmetric encryption key.
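The following is an added example (not code from the original slides) covering the three uses on this slide: it hashes two sentences that differ in one character and measures how many digest bits change, turns a passphrase into key material the way PGP did with MD5 alongside the salted, iterated KDF that replaced that practice, and contrasts a bare digest (which an attacker simply recomputes over a tampered message) with an HMAC that requires the shared key. The two sample messages are constructed to mirror the slide's; whether the slide's file `t1` carried a trailing newline is unknown, so its exact hex values are not reproduced here.

```python
import hashlib
import hmac
import os

# Constructed sample inputs modelled on the slide's two sentences (assumed bytes,
# not the slide's original file t1, whose trailing newline is unknown).
MSG_A = b"There is $1500 in the blue box."
MSG_B = b"There is $1500 in the blue box!"   # one character differs


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Digest of a byte string, printed the way the SSLeay 'md5 t1' command did."""
    return hashlib.new(algo, data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests: the 'dramatically different' claim, measured."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def passphrase_to_key(passphrase: str) -> bytes:
    """The PGP-style trick from the slide: MD5 turns a passphrase into a 16-byte key.
    A fast unsalted hash makes offline guessing cheap; see passphrase_to_key_kdf."""
    return hashlib.md5(passphrase.encode()).digest()


def passphrase_to_key_kdf(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Modern replacement: salted, iterated PBKDF2-HMAC-SHA256 yielding 16 bytes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=16)


def unkeyed_tag(msg: bytes) -> str:
    """A bare digest attached to a message: detects accidental corruption only,
    because anyone can recompute it."""
    return digest_hex(msg, "sha256")


def forge_unkeyed(new_msg: bytes):
    """Attacker swaps the message and simply recomputes the digest; it verifies."""
    return new_msg, unkeyed_tag(new_msg)


def keyed_tag(key: bytes, msg: bytes) -> str:
    """HMAC: the digest mixed with a shared secret; without the key it cannot be recomputed."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, msg), tag)


if __name__ == "__main__":
    a, b = digest_hex(MSG_A), digest_hex(MSG_B)
    print(f"MD5(A) = {a}\nMD5(B) = {b}\nbits differing: {bit_difference(a, b)} of 128")
    key = os.urandom(16)
    forged_msg, forged_tag = forge_unkeyed(MSG_B)
    print("bare digest accepts forgery:", unkeyed_tag(forged_msg) == forged_tag)
    print("HMAC accepts forgery:", verify_keyed(key, MSG_B, keyed_tag(key, MSG_A)))
```

`hmac.compare_digest` is used in the verifier so that a mismatch takes the same time whatever the first differing byte is; comparing tags with `==` leaks that position through timing.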
Certificate
• Signed documents, which bind public keys to information such as a name, organization, and e-mail address.
• They are signed by a certificate authority (CA), an organization that accepts certificate requests and returns the signed certificates.
Client Certificate
• Used for secure web access and secure email.
• 60-day digital ID free trial from Verisign for Outlook Express.
• After typing in name, email address, P.O. box, and birthday info, it asks for a challenge phrase.
• After clicking to accept the Verisign CPS statement, IE asks you to confirm the email address.
• Then IE indicates it is generating RSA exchange keys (the key pair is generated on the local machine; only the public key goes to Verisign in the request).
Private Key Container
• Select the High Security Level, which asks for the password each time the private key is accessed.
Select the Password
Certificate Request Sent
• After the password is confirmed, a certificate request will be sent to Verisign.
• They will send an email to the address you specified in the request with instructions on how to install the digital ID. Hit the continue button.
Pickup Digital ID
• You can also go to https://digitalid.verisign.com/client/outlook/outlookpickup.htm
• And enter the PIN included in the email to pick up the digital ID.
Setup Digital ID for Secure Email
Associate a Digital ID With Your E-mail Account
Microsoft Outlook Express:
1. Select Accounts from the Tools menu, then the Mail tab.
2. Select your Mail account, click the Properties button, select the Security tab.
3. Check the box "Use a digital ID when sending secure messages from", then click the Digital ID button.
4. Select the certificate you want to use to digitally sign your e-mail.
Outlook 98:
1. In the Tools menu select Options, then the Security tab.
2. Click "Add digital signature to outgoing messages", then click the "Change Settings" button.
3. On the next screen click the "Choose..." button. Select the Digital ID you want to use for signing e-mail in Outlook.
Find Other's Digital ID
• https://digitalid.verisign.com/services/client/index.html
Digital ID Search Result
Receive Signed Email
The indicator marks a signed email.
Examine the Signature
• Click on the signature symbol.
View the Certificate
Certificate Detail
Setup Option for Signed Encrypted Email
• Go to Outlook (not the email window), Tools | Options, and select the Security tab.
Receive Signed and Encrypted Email
On Windows 2000
Import Certificate to Outlook 2000
Specify path and password for the certificate
Change the Hash Algorithm or Encryption Algorithm
Make sure your email account has the same emailAddress as that in the certificate!!
Reply Secure Email on Outlook2000
• To send an encrypted e-mail message to someone, you must have a copy of that person's digital ID (certificate) in your contact list. Just have the person send you a digitally signed message; when you receive it, copy the person's address from the From field of the message into your contacts.
• If you had an old entry in contacts without a certificate, you need to click on the From field to update the entry with the certificate.
Netscape Communicator 4.51
• Go to home.netscape.com and select download Netscape Communicator 4.51.
• After download, click on cc32e451.exe to install.
• Accept the default settings, except do choose Netscape Communicator as the default browser and Netcenter as the default web page on frodo.uccs.edu.
• After restart, click on Netscape Messenger.
• It will go through a series of dialogs to help set up your incoming and outgoing mail server on cs.uccs.edu.
Setup Netscape Messenger
• Create a New Profile.
Enter Name and Email Address
Choose Name and Directory for the Profile
• This name will show up on the main Messenger mail window.
Setup Outgoing Mail Server
• Use cs.uccs.edu
Setup Incoming Mail Server
• Enter your login name.
• Select cs.uccs.edu as the incoming mail server (make sure you forward your email to cs.uccs.edu).
• Choose IMAP instead of POP.
– IMAP leaves mail on the mail server and downloads the headers first.
– POP downloads the mail and, by default, removes it from the mail server.
Setup News Group Server
• Enter harpo.uccs.edu as the news server.
Setup Different User Profile
• After Netscape Communicator is installed, the next user to log in will find Netscape Messenger using the profile of the user who installed the software.
• Actually, even though that user can read some of the email headers (a bad design), they cannot download the content, since they will be prompted for the password.
• Each time you receive encrypted email, you will be prompted for the password of the certificate database in order to obtain the private key to decrypt the email.
• The following describes how to set up your own Netscape profile (especially for email).
Netscape User Profile Manager
• Select Start | Programs | Netscape | Utilities | User Profile Manager. Click New and enter your login name.
Setup Different User Profile(2)
• The rest of the steps follows that of page 18 of this handout.
Using Communicator with Different User Profiles
• After the profile is set up, when you invoke Communicator you will be asked to select the specific profile.
Download Other’s Certificate From Verisign
• On navigator, select security | people
• Select search directory
Search Verisign Directory
• Select the Verisign directory in the pull-down menu.
• Enter the email address of the person whose certificate you would like to request. Then click the Search button.
Send Signed Encrypted Msg
• Click the 3rd tab in the sending section
• Check the encrypted and signed boxes.
Comparison of Secure Email Support
• Netscape Messenger allows each individual email to be signed or encrypted.
• Netscape Messenger shares the security files (certificates and keys) with the Navigator browser, so you do not have to export them and then import them into a different application.
• For the Microsoft mail programs, the certificate needs to be exported from the IE browser as a file, then imported into the mail program.