SECURITY CRYPTOGRAPHY

Prepared by Katur Bharat Kumar

1

PART - 1

2

Basic ConceptsEncryption TechniqueDecryption TechniqueIntroduction to CryptosystemsSymmetric CryptosystemsAsymmetric CryptosystemsSymmetric vs. Asymmetric

Topics discussed in this section:

BAISC CONCEPTS

Cryptography – hidden writing

Encryption – encode or encipherDecryption – decode or decipher

Cryptosystem – a system for encryption and decryption

Cryptographer – anyone who invents encryption algorithmsCryptanalyst – anyone who attempts to break encryption algorithms

Cryptology – research of encryption and decryption, including both cryptography and cryptanalysis

3

ENCRYPTION TECHNIQUE

• Encryption – Input: plaintext and

key – Output: cipher text Encryption

Function

Plaintext

Cipher text4

DECRYPTION TECHNIQUE

• Decryption– Input: cipher text

and a key – Output: original

plaintextDecryption

Function

Plaintext

Cipher text

5

CRYPTOSYSTEMS

• Algorithms with a parameter – key K

Encryption Algorithm E

Decryption Algorithm D

Plaintext Ciphertext PlaintextP PC

6

SYMMETRIC CRYTOSYSTEM

• C=E(P,K)

• P=D(C,K)

Encryption Algorithm E

Decryption Algorithm D

Plaintext Ciphertext PlaintextP PC

K KSecret channel

7

Asymmetric key cryptography uses two separate keys: one private and one public.

Locking and unlocking in asymmetric-key cryptosystem

ASYMMETRIC CRYPTOSYSTEM

8

General idea of asymmetric-key cryptosystem

C = f (Kpublic , P) P = g(Kprivate , C) General formulae of asymmetric-key cryptosystem

9

ASYMMETRIC CRYPTOSYSTEM (Contd.)

10

SYMMETRIC vs ASYMMETRIC

Symmetric algorithm 100 to 1000 times faster than asymmetric one.

Symmetric key 10 times shorter than asymmetric key.

In Asymmetric algorithm Public Key must be authenticated by CA.

Asymmetric Key Generator robustness.

Asymmetric algorithm is mainly used for exchange and storage of the secret (symmetric) keys.

END OF PART - 1

11

PART - 2

12

Topics discussed in this section:Certificates and X.509 structureGenerating Self-Signed CertificateCertificate ComponentsWhy Certificates needs to be signed by CARSA CryptosystemOperation Modes for Symmetric CryptosystemsAES CryptosystemHybrid CryptosystemOpenSSL X509 FunctionsOpenSSL EVP FunctionsOpenSSL RSA Functions

13

CERTIFICATES and X.509 STRUCTUREWhat is Certificate? A digitally signed statement from the issuer saying that the public key of the subject has some specific values.

Basic ConceptsSigned Statement :- The certificate must be signed by the issuer with a digital signature.

Issuer :- The person or organization who is issuing this certificate. Public key :- The public key of a key pair selected by the subject.

Subject :- The person or organization who owns the public key.

14

CERTIFICATES and X.509 – Contd.What is X.509 Certificate?

Certificate written in X.509 standard format is called as X.509 Certificate and X.509 standard was introduction in 1988. It requires a certificate to have the following information:

Version :- X.509 standard version number.

Serial Number :- A sequence number given to each certificate.

Signature Algorithm Identifier :- Name of the algorithm used to sign this certificate by the issuer

15

Issuer Name :- Name of the issuer.

Validity Period :- Period during which this certificate is valid.

Subject Name :- Name of the owner of the public key.

Subject Public Key Information :- The public key and its related information.

CERTIFICATES and X.509 – Contd.

16

Introduction

GENERATING SELF-SIGNED CERTIFICATES

A self-signed certificate is a certificate that the "issuer" is the "subject" himself. In other word, a seft-signed certificate is a certificate where the "issuer" signs his own public key with his private key.

ProcedureStep-1 :- Enter your own name as the "subject".

Step-2 :- Provide your public key.

Step-3 :- Sign it with your private key.

Step-4 :- Put everything in the X.509 format.

17

CERTIFICATES COMPONENTSopenssl x509 –in MCC.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCCValidity Not Before: Aug 15 02:19:47 2011 GMT Not After : Sep 14 02:19:47 2011 GMT Subject: C=USA,CN=---,OU=MCCSubject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:a9:e6:19:c6:ee:88:01:86:d9:72:9e:93:92:db: 57:01:7b:02:84:fc:1e:e3:57:5e:2a:7b:2b:25:9e: bd:ba:c5:95:2c:49:59:28:df:a6:67:86:26:8e:ff: 36:cc:3a:84:5c:28:af:6f:11:c8:0c:b5:c2:c5:b9: 04:d6:0e:5d:d1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04 X509v3 Authority Key Identifier: keyid:55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04 DirName:/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=MCC serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption 3f:ba:0c:c1:ae:38:ca:f6:37:16:9c:35:5f:18:79:64:de:27: 0d:46:ad:28:57:b4:62:df:6c:ff:f8:74:17:eb:b6:91:7e:06: 6e:ec:a5:9d:23:e2:6e:5a:6e:c3:09:fa:cf:34:65:70:15:65: 10:3a:6b:0f:b9:ef:6b:64:18:0e

18

VIEWING COMPONENTS OF CERTIFICATES (Contd)

This certificate tells us that:

The subject is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC"

The subject's public key is included in it.

The issuer is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC". The issuer is identical to the subject, because this is a self-signed certificate.

The certificate is valid for one month.

The certificate is signed by the issuer with the signature at the end.

19

WHY CERTIFICATES NEED TO BE SIGNED BY CA? Definition of the Certificate Authority (CA)

A Certificate Authority (CA) issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. In essence, the Certificate Authority is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that".

If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain public key does indeed belong to whoever is identified in the certificate.

20

Certificate Authority (CA) comes into picture when your communication partner does not trust digital signature generated in your certificate.

For Certificates to be signed by CA following is the Procedure

Step - 1 :- Owner puts its public key into a certificate signing request (CSR) and mails it to the Certificate Authority (CA).

Step - 2 :- The Certificate Authority (CA) will verify the request and put owner’s public key in a certificate and sign it with CA's private key.

Step - 3 :- Certificate Authority (CA) will share the certificate been signed by the CA back to the owner.

When your communication partner receives your public key signed by a CA, communication partner can validate the signature with the Certificate Authority CA's public key. If the validation is ok, communication partner can then trust sender public key.

WHY CERTIFICATES NEED TO BE SIGNED BY CA? (Contd).

21

RSA CRYPTOSYSTEM

The most common public-key algorithm is the RSA cryptosystem, named for its inventors (Rivest, Shamir, and Adleman).

22

RSA CRYPTOSYSTEM – KEY GENERATION ALGORITHM

23

RSA CRYPTOSYSTEM - EXAMPLE

Bob chooses 7 and 11 as p and q and calculates n = 77. The value of f(n) = (7 − 1)(11 − 1) or 60. Now he chooses two exponents, e and d, from Z60 . If he chooses ∗ e to be 13, then d is 37. Note that e × d mod 60 = 1 (they are inverses of each Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5.

Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:

24

ECB Mode

CBC Mode

Other Modes are OFB, CFB, CTR Modes

OPERTION MODES FOR SYMMETRIC CRYPTOSYSTEM

25

ECB: Electronic CodebookEncryption Using ECB Mode

Decryption Using ECB Mode

26

CBC: Cipher Block ChainingEncryption Using CBC Mode

Decryption Using CBC Mode

27

AES CRYPTOSYSTEM

AES stands for Advanced Encryption Standard performs encryption and decryption based on the Block Cipher technique. Block Ciphers could be CBC, EBC etc.

Encryption of the Plan Text Decryption of the Plan Text

28

AES CRYPTOSYSTEM Need for a more efficient and secured algorithm

AES is Rindjael (Rijmen & Daemen) with 128-bit data block only

Key Size: 128, 192, and 256 bits.

Approved as a Federal Standard (FIPS 197).

Five Standard Modes of Operation specified in the NIST Special Publication 800-38A.

29

Need for a more efficient and secured algorithm

AES is Rindjael (Rijmen & Daemen) with 128-bit data block only.

Key Size: 128, 192, and 256 bits.

Approved as a Federal Standard (FIPS 197).

Five Standard Modes of Operation specified in the NIST Special Publication 800-38A.

AES CRYPTOSYSTEM - FEATURES

30

HYBRID CRYPTOSYSTEM

EncryptedMessage

Message

Ksecret

Symmetric Encryption

SymmetricDecryption

AsymmetricEncryption+ Signature

SignedEncrypted KeyKsecret

KpubB KprivA KpubA KprivB

AsymmetricDecryption+ Signature

Ksecret

User A

User B

31

OPENSSL X509 FUNCTIONSX509_set_serialNumber :- Set Serial Number for the X.509 Certificate.

X509_get_serialNumber :- Get Serial Number from the given X.509 Certificate.

X509_cmp_current_time :- Validates the certificate expiry time.

X509_set_pubkey :- Appends the certificate with public key.

X509_get_pubkey :- Extracts the public key from the given public certificate.

X509_to_X509_REQ :- Converts the given public certificate from X509 format to Certificate Request (PKCS10 ).

X509_REQ_sign :- Sign the given Certificate Request (PKCS10 ).

PEM_write_X509_REQ :- Write the given Certificate Request (PKCS10 ) to the PEM file.

PEM_read_X509:- Reads the given Certificate Request (PKCS10 ) from the PEM file.

32

OPENSSL EVP FUNCTIONSEVP_CIPHER_CTX_init :- initializes cipher context.

EVP_EncryptInit_ex :- sets up cipher context for encryption with cipher type from ENGINE.

EVP_EncryptUpdate :- encrypts the given data and store it in the out variable . This function could be called multiple times to encrypt the successive blocks of data.

EVP_EncryptFinal :- This function is called only when padding is set. The main purpose of this function is encrypts the "final" data, that is any data that remains in a partial block. It uses standard block padding|/NOTES (aka PKCS padding).

EVP_MD_CTX_init :- initializes signing context.

EVP_SignInit_ex :- sets up signing context with digest type from ENGINE.

EVP_SignUpdate :- hashes the given data into the signature context. This function can becalled several times on the same context to include additional data .

EVP_SignFinal :- signs the data available in the context using the Private/ Shared secret key.

33

OPENSSL EVP FUNCTIONS (Contd.)EVP_MD_CTX_init :- initializes verify context.

EVP_VerifyInit_ex :- sets up verification context with digest type from ENGINE.

EVP_VerifyUpdate :- hashes the given data into the verification context. This function can becalled several times on the same context to include additional data .

EVP_VerifyFinal :- verify the data available in the context using Public / Share Secret key against the given signature.

EVP_CIPHER_CTX_init :- initializes cipher context.

EVP_DecryptInit_ex :- sets up cipher context for decryption with cipher type from ENGINE.

EVP_DecryptUpdate :- decrypts the given data and store it in the out variable . This function could be called multiple times to decrypt the successive blocks of data.

EVP_DecryptFinal :- The main purpose of this function is decrypt the "final" data, that is any data that remains in a partial block.

34

OPENSSL RSA FUNCTIONSRSA_generate_key_ex :- This function is used to generate RSA key pair. Key size could be 512, 1024, 2048, 4096.

RSA_public_encrypt :- This function is used to encrypt a given data, RSA encrypts the given data using Public key.

RSA_sign :- This function is used to encrypt a given data using message digest algorithm and generates the signature on the encrypted data (generated by the message digest algorithm).

RSA_verify :- This function is used to encrypt a given data using message digest algorithm, generates the signature on the encrypted data (generated by the message digest algorithm) and compares the generated signature with the given signature.

RSA_private_decrypt :- This function is used to decrypt a given encrypted data, RSA decrypts the given encrypted data using Private key.

PEM_read_RSAPrivateKey :- This function is used to read the Private key from the PEM file.PEM_write_RSAPrivateKey :- This function is used to write the Private key to the PEM file.PEM_read_RSAPublicKey :- This function is used to read the Public key from the PEM file.PEM_write_RSAPublicKey :- This function is used to write the Public key to the PEM file.

35

END OF PART - 2