Introduction to Cryptography
SECURITY CRYPTOGRAPHY
Prepared by Katur Bharat Kumar
PART - 1
Topics discussed in this section:
Basic Concepts
Encryption Technique
Decryption Technique
Introduction to Cryptosystems
Symmetric Cryptosystems
Asymmetric Cryptosystems
Symmetric vs. Asymmetric
BASIC CONCEPTS
Cryptography – hidden writing
Encryption – encode or encipher
Decryption – decode or decipher
Cryptosystem – a system for encryption and decryption
Cryptographer – anyone who invents encryption algorithms
Cryptanalyst – anyone who attempts to break encryption algorithms
Cryptology – research of encryption and decryption, including both cryptography and cryptanalysis
ENCRYPTION TECHNIQUE
• Encryption
  – Input: plaintext and key
  – Output: cipher text
[Figure: Plaintext → Encryption Function → Cipher text]
DECRYPTION TECHNIQUE
• Decryption
  – Input: cipher text and a key
  – Output: original plaintext
[Figure: Cipher text → Decryption Function → Plaintext]
CRYPTOSYSTEMS
• Algorithms with a parameter – key K
[Figure: Plaintext P → Encryption Algorithm E → Ciphertext C → Decryption Algorithm D → Plaintext P]
SYMMETRIC CRYPTOSYSTEM
• C = E(P, K)
• P = D(C, K)
[Figure: Plaintext P → Encryption Algorithm E → Ciphertext C → Decryption Algorithm D → Plaintext P; the same key K is used on both sides and is shared over a secret channel]
ASYMMETRIC CRYPTOSYSTEM
Asymmetric-key cryptography uses two separate keys: one private and one public.
[Figure: Locking and unlocking in asymmetric-key cryptosystem]
ASYMMETRIC CRYPTOSYSTEM (Contd.)
[Figure: General idea of asymmetric-key cryptosystem]
General formulae of asymmetric-key cryptosystem:
C = f(Kpublic, P)
P = g(Kprivate, C)
SYMMETRIC vs ASYMMETRIC
Symmetric algorithms are 100 to 1000 times faster than asymmetric ones.
A symmetric key is 10 times shorter than an asymmetric key.
With an asymmetric algorithm, the public key must be authenticated by a CA.
Asymmetric Key Generator robustness.
Asymmetric algorithms are mainly used for the exchange and storage of secret (symmetric) keys.
END OF PART - 1
PART - 2
Topics discussed in this section:
Certificates and X.509 Structure
Generating Self-Signed Certificate
Certificate Components
Why Certificates Need to Be Signed by CA
RSA Cryptosystem
Operation Modes for Symmetric Cryptosystems
AES Cryptosystem
Hybrid Cryptosystem
OpenSSL X509 Functions
OpenSSL EVP Functions
OpenSSL RSA Functions
CERTIFICATES and X.509 STRUCTURE
What is a Certificate?
A digitally signed statement from the issuer saying that the public key of the subject has some specific values.
Basic Concepts
Signed Statement :- The certificate must be signed by the issuer with a digital signature.
Issuer :- The person or organization who is issuing this certificate.
Public key :- The public key of a key pair selected by the subject.
Subject :- The person or organization who owns the public key.
CERTIFICATES and X.509 – Contd.
What is an X.509 Certificate?
A certificate written in the X.509 standard format is called an X.509 certificate. The X.509 standard was introduced in 1988. It requires a certificate to have the following information:
Version :- X.509 standard version number.
Serial Number :- A sequence number given to each certificate.
Signature Algorithm Identifier :- Name of the algorithm used by the issuer to sign this certificate.
Issuer Name :- Name of the issuer.
Validity Period :- Period during which this certificate is valid.
Subject Name :- Name of the owner of the public key.
Subject Public Key Information :- The public key and its related information.
GENERATING SELF-SIGNED CERTIFICATES
Introduction
A self-signed certificate is a certificate in which the "issuer" is the "subject" himself. In other words, a self-signed certificate is a certificate where the "issuer" signs his own public key with his private key.
Procedure
Step-1 :- Enter your own name as the "subject".
Step-2 :- Provide your public key.
Step-3 :- Sign it with your private key.
Step-4 :- Put everything in the X.509 format.
CERTIFICATE COMPONENTS
openssl x509 -in MCC.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC
        Validity
            Not Before: Aug 15 02:19:47 2011 GMT
            Not After : Sep 14 02:19:47 2011 GMT
        Subject: C=USA,CN=---,OU=MCC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:a9:e6:19:c6:ee:88:01:86:d9:72:9e:93:92:db:
                    57:01:7b:02:84:fc:1e:e3:57:5e:2a:7b:2b:25:9e:
                    bd:ba:c5:95:2c:49:59:28:df:a6:67:86:26:8e:ff:
                    36:cc:3a:84:5c:28:af:6f:11:c8:0c:b5:c2:c5:b9:
                    04:d6:0e:5d:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04
            X509v3 Authority Key Identifier:
                keyid:55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04
                DirName:/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=MCC
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        3f:ba:0c:c1:ae:38:ca:f6:37:16:9c:35:5f:18:79:64:de:27:
        0d:46:ad:28:57:b4:62:df:6c:ff:f8:74:17:eb:b6:91:7e:06:
        6e:ec:a5:9d:23:e2:6e:5a:6e:c3:09:fa:cf:34:65:70:15:65:
        10:3a:6b:0f:b9:ef:6b:64:18:0e
VIEWING COMPONENTS OF CERTIFICATES (Contd)
This certificate tells us that:
The subject is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC"
The subject's public key is included in it.
The issuer is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC". The issuer is identical to the subject, because this is a self-signed certificate.
The certificate is valid for one month.
The certificate is signed by the issuer with the signature at the end.
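Added example (not part of the original slides): a small Python parser for the text layout printed by the openssl x509 command above, run over an abridged copy of that dump. The weak-digest list and the 2048-bit minimum are assumed policy values; an MD5-based signature and a 512-bit RSA key, as seen in this certificate, are both well below what current practice accepts.

```python
import re
from datetime import datetime

# Abridged copy of the dump shown on the slide (hex blobs and extensions omitted).
SAMPLE_DUMP = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC
        Validity
            Not Before: Aug 15 02:19:47 2011 GMT
            Not After : Sep 14 02:19:47 2011 GMT
        Subject: C=USA,CN=---,OU=MCC
        Subject Public Key Info:
            RSA Public Key: (512 bit)
"""

WEAK_DIGESTS = ("md2", "md5", "sha1")  # assumed policy list, not from the slides
MIN_RSA_BITS = 2048                    # assumed policy minimum, not from the slides
TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def _grab(pattern, text):
    match = re.search(pattern, text, re.MULTILINE)
    if match is None:
        raise ValueError("field not found: " + pattern)
    return match.group(1).strip()

def parse_dump(text):
    """Pull out the certificate fields the slides walk through."""
    return {
        "sig_alg": _grab(r"^\s*Signature Algorithm:\s*(\S+)", text),
        "issuer": _grab(r"^\s*Issuer:\s*(.+)$", text),
        "subject": _grab(r"^\s*Subject:\s*(.+)$", text),
        "rsa_bits": int(_grab(r"Public[- ]Key:\s*\((\d+) bit\)", text)),
        "not_before": datetime.strptime(_grab(r"Not Before\s*:\s*(.+)$", text), TIME_FMT),
        "not_after": datetime.strptime(_grab(r"Not After\s*:\s*(.+)$", text), TIME_FMT),
    }

def audit(cert):
    """Return human-readable findings for weak certificate parameters."""
    findings = []
    if cert["sig_alg"].lower().startswith(WEAK_DIGESTS):
        findings.append("weak signature digest: " + cert["sig_alg"])
    if cert["rsa_bits"] < MIN_RSA_BITS:
        findings.append("RSA key too short: %d bits" % cert["rsa_bits"])
    return findings

def validity_days(cert):
    return (cert["not_after"] - cert["not_before"]).days
```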
WHY CERTIFICATES NEED TO BE SIGNED BY CA?
Definition of the Certificate Authority (CA)
A Certificate Authority (CA) issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. In essence, the Certificate Authority is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that".
If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain public key does indeed belong to whoever is identified in the certificate.
A Certificate Authority (CA) comes into the picture when your communication partner does not trust the digital signature in your certificate.
For a certificate to be signed by a CA, the procedure is as follows:
Step - 1 :- The owner puts its public key into a certificate signing request (CSR) and mails it to the Certificate Authority (CA).
Step - 2 :- The Certificate Authority (CA) verifies the request, puts the owner's public key in a certificate and signs it with the CA's private key.
Step - 3 :- The Certificate Authority (CA) sends the signed certificate back to the owner.
When your communication partner receives your public key signed by a CA, the partner can validate the signature with the CA's public key. If the validation succeeds, the partner can then trust the sender's public key.
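Added example (not part of the original slides) covering both the self-signed procedure and the CA-signing procedure above: a toy model in Python in which a certificate is a dictionary signed with unpadded textbook RSA over a SHA-256 digest. The key sizes, the "|"-joined encoding used in place of X.509, and the names "owner" and "Example CA" are assumptions made for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two primes (no padding, illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (e, n), "priv": (pow(e, -1, phi), n)}

def tbs_bytes(cert):
    """Serialise the signed fields; a stand-in for the X.509 encoding."""
    e, n = cert["public_key"]
    return "|".join([cert["issuer"], cert["subject"], str(e), str(n)]).encode()

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_priv):
    """Put the subject's public key in a certificate and sign it as issuer."""
    cert = {"issuer": issuer, "subject": subject, "public_key": subject_pub}
    d, n = issuer_priv
    cert["signature"] = pow(digest_int(tbs_bytes(cert), n), d, n)
    return cert

def signature_ok(cert, issuer_pub):
    e, n = issuer_pub
    return pow(cert["signature"], e, n) == digest_int(tbs_bytes(cert), n)

def trusted(cert, trust_store):
    """Accept only certificates signed by an issuer whose key we already hold."""
    issuer_pub = trust_store.get(cert["issuer"])
    return issuer_pub is not None and signature_ok(cert, issuer_pub)

# Constructed keys: Mersenne primes chosen only because they are easy to write.
CA = make_key(2**61 - 1, 2**89 - 1)
OWNER = make_key(2**107 - 1, 2**127 - 1)
TRUST_STORE = {"Example CA": CA["pub"]}   # hypothetical CA name

def demo():
    self_signed = issue("owner", OWNER["pub"], "owner", OWNER["priv"])
    ca_signed = issue("owner", OWNER["pub"], "Example CA", CA["priv"])
    tampered = dict(ca_signed, subject="someone else")
    return {
        "self_signed_checks_out": signature_ok(self_signed, OWNER["pub"]),
        "self_signed_trusted": trusted(self_signed, TRUST_STORE),
        "ca_signed_trusted": trusted(ca_signed, TRUST_STORE),
        "tampered_trusted": trusted(tampered, TRUST_STORE),
    }
```

The self-signed certificate verifies against the key it carries, which shows only that the sender holds the matching private key; the partner accepts the certificate only when the signature checks out under a CA key it already holds.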
RSA CRYPTOSYSTEM
The most common public-key algorithm is the RSA cryptosystem, named for its inventors (Rivest, Shamir, and Adleman).
RSA CRYPTOSYSTEM – KEY GENERATION ALGORITHM
RSA CRYPTOSYSTEM - EXAMPLE
Bob chooses 7 and 11 as p and q and calculates n = 77. The value of φ(n) = (7 − 1)(11 − 1) or 60. Now he chooses two exponents, e and d, from Z60*. If he chooses e to be 13, then d is 37. Note that e × d mod 60 = 1 (they are inverses of each other). Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5.
Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:
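Added example (not part of the original slides): textbook RSA key generation, encryption and decryption in Python, run with the numbers from the example above. The function names are chosen here; the code uses no padding and is for following the arithmetic only.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def keygen(p, q, e):
    """Textbook RSA key generation from two primes and a chosen public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(n) = (p - 1)(q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    _, x, _ = egcd(e, phi)
    d = x % phi                      # d is the inverse of e modulo phi(n)
    return (e, n), (d, n)

def encrypt(public_key, plaintext):
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be smaller than n")
    return pow(plaintext, e, n)      # C = P^e mod n

def decrypt(private_key, ciphertext):
    d, n = private_key
    return pow(ciphertext, d, n)     # P = C^d mod n

def roundtrip_ok(public_key, private_key):
    """Check that decryption undoes encryption for every message below n."""
    n = public_key[1]
    return all(decrypt(private_key, encrypt(public_key, m)) == m for m in range(n))

# Numbers from the slide: p = 7, q = 11, e = 13, plaintext 5.
PUBLIC, PRIVATE = keygen(7, 11, 13)
CIPHERTEXT = encrypt(PUBLIC, 5)
RECOVERED = decrypt(PRIVATE, CIPHERTEXT)

if __name__ == "__main__":
    print("public key:", PUBLIC, "private key:", PRIVATE)
    print("5 ->", CIPHERTEXT, "->", RECOVERED)
```

Because this form of RSA is deterministic, equal plaintexts always give equal ciphertexts; deployed RSA encryption adds randomized padding such as OAEP.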
OPERATION MODES FOR SYMMETRIC CRYPTOSYSTEM
ECB Mode
CBC Mode
Other modes are OFB, CFB and CTR.
ECB: Electronic Codebook
[Figure: Encryption Using ECB Mode]
[Figure: Decryption Using ECB Mode]
CBC: Cipher Block Chaining
[Figure: Encryption Using CBC Mode]
[Figure: Decryption Using CBC Mode]
AES CRYPTOSYSTEM
AES (Advanced Encryption Standard) performs encryption and decryption based on the block cipher technique. Block cipher modes could be CBC, ECB etc.
[Figures: Encryption of the Plain Text; Decryption of the Plain Text]
AES CRYPTOSYSTEM - FEATURES
Need for a more efficient and secured algorithm
AES is Rijndael (Rijmen & Daemen) with 128-bit data block only.
Key Size: 128, 192, and 256 bits.
Approved as a Federal Standard (FIPS 197).
Five Standard Modes of Operation specified in the NIST Special Publication 800-38A.
HYBRID CRYPTOSYSTEM
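[Figure: User A applies Symmetric Encryption to the Message with Ksecret and sends the Encrypted Message to User B. Ksecret travels as a Signed Encrypted Key produced by Asymmetric Encryption + Signature. User B applies Asymmetric Decryption + Signature to recover Ksecret, then Symmetric Decryption to recover the Message. Keys shown: KpubB, KprivA, KpubA, KprivB.]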
OPENSSL X509 FUNCTIONS
X509_set_serialNumber :- Set Serial Number for the X.509 Certificate.
X509_get_serialNumber :- Get Serial Number from the given X.509 Certificate.
X509_cmp_current_time :- Validates the certificate expiry time.
X509_set_pubkey :- Appends the certificate with public key.
X509_get_pubkey :- Extracts the public key from the given public certificate.
X509_to_X509_REQ :- Converts the given public certificate from X509 format to Certificate Request (PKCS10).
X509_REQ_sign :- Sign the given Certificate Request (PKCS10).
PEM_write_X509_REQ :- Write the given Certificate Request (PKCS10) to the PEM file.
PEM_read_X509 :- Reads the given Certificate Request (PKCS10) from the PEM file.
OPENSSL EVP FUNCTIONS
EVP_CIPHER_CTX_init :- initializes cipher context.
EVP_EncryptInit_ex :- sets up cipher context for encryption with cipher type from ENGINE.
EVP_EncryptUpdate :- encrypts the given data and stores it in the out variable. This function can be called multiple times to encrypt successive blocks of data.
EVP_EncryptFinal :- This function is called only when padding is set. The main purpose of this function is to encrypt the "final" data, that is, any data that remains in a partial block. It uses standard block padding (aka PKCS padding).
EVP_MD_CTX_init :- initializes signing context.
EVP_SignInit_ex :- sets up signing context with digest type from ENGINE.
EVP_SignUpdate :- hashes the given data into the signature context. This function can be called several times on the same context to include additional data.
EVP_SignFinal :- signs the data available in the context using the Private/Shared secret key.
OPENSSL EVP FUNCTIONS (Contd.)
EVP_MD_CTX_init :- initializes verify context.
EVP_VerifyInit_ex :- sets up verification context with digest type from ENGINE.
EVP_VerifyUpdate :- hashes the given data into the verification context. This function can be called several times on the same context to include additional data.
EVP_VerifyFinal :- verifies the data available in the context using the Public/Shared secret key against the given signature.
EVP_CIPHER_CTX_init :- initializes cipher context.
EVP_DecryptInit_ex :- sets up cipher context for decryption with cipher type from ENGINE.
EVP_DecryptUpdate :- decrypts the given data and stores it in the out variable. This function can be called multiple times to decrypt successive blocks of data.
EVP_DecryptFinal :- The main purpose of this function is to decrypt the "final" data, that is, any data that remains in a partial block.
OPENSSL RSA FUNCTIONS
RSA_generate_key_ex :- This function is used to generate an RSA key pair. Key size could be 512, 1024, 2048, 4096.
RSA_public_encrypt :- This function is used to encrypt the given data; RSA encrypts the given data using the Public key.
RSA_sign :- This function is used to encrypt the given data using a message digest algorithm and generates the signature on the encrypted data (generated by the message digest algorithm).
RSA_verify :- This function is used to encrypt the given data using a message digest algorithm, generates the signature on the encrypted data (generated by the message digest algorithm) and compares the generated signature with the given signature.
RSA_private_decrypt :- This function is used to decrypt the given encrypted data; RSA decrypts the given encrypted data using the Private key.
PEM_read_RSAPrivateKey :- This function is used to read the Private key from the PEM file.
PEM_write_RSAPrivateKey :- This function is used to write the Private key to the PEM file.
PEM_read_RSAPublicKey :- This function is used to read the Public key from the PEM file.
PEM_write_RSAPublicKey :- This function is used to write the Public key to the PEM file.
END OF PART - 2